Analysis
  max time kernel:   149s
  max time network:  122s
  platform:          windows7_x64
  resource:          win7-20240705-en
  resource tags:     arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  submitted:         20/08/2024, 22:12
Static task: static1
Behavioral task: behavioral1
  Sample:    b1099f513a087bc5d67c0738f7c0febf_JaffaCakes118.exe
  Resource:  win7-20240705-en
Behavioral task: behavioral2
  Sample:    b1099f513a087bc5d67c0738f7c0febf_JaffaCakes118.exe
  Resource:  win10v2004-20240802-en
General
  Target:  b1099f513a087bc5d67c0738f7c0febf_JaffaCakes118.exe
  Size:    476KB
  MD5:     b1099f513a087bc5d67c0738f7c0febf
  SHA1:    3d4f564da8bcf44e081a1382bac3a7e696b6193e
  SHA256:  5db3786e086cd72014655d23371bdd8b41de6868f19dc496632ca9b55279403a
  SHA512:  ba5d1c1bf962f6d7e6c5a41d0325c9c2d64477e4d3b295b63e85771e854c2f4229f7ce9fd8750ca2f8dd4651117769f41fdc8378b3fd1d104b6fd86522f0f123
  SSDEEP:  12288:J295SNXGoM3JuaC2ovJXdmj+udxfjMD967h7xcNKy7jiIK/APS:J294NLiJNCzJtmFfjU96xc4IzP
Malware Config
Signatures
Disables Task Manager via registry modification
Executes dropped EXE (1 IoC)
  pid   Process
  2932  XXiouIlxcI.exe
Loads dropped DLL (2 IoCs)
  pid   Process
  2324  b1099f513a087bc5d67c0738f7c0febf_JaffaCakes118.exe
  2324  b1099f513a087bc5d67c0738f7c0febf_JaffaCakes118.exe
Memory dumps matching the upx yara rule (3 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/2324-2-0x0000000000600000-0x000000000067C000-memory.dmp    upx
  behavioral1/memory/2932-18-0x0000000000600000-0x000000000067C000-memory.dmp   upx
  behavioral1/memory/2932-19-0x0000000000600000-0x000000000067C000-memory.dmp   upx
  All three dumps cover the same 0x600000-0x67C000 range (0x7C000 bytes) in both the parent and the dropped process, so the dropped XXiouIlxcI.exe is loaded at the same base and carries the same UPX-style section layout as the parent.
Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                                    Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\XXiouIlxcI = "C:\\ProgramData\\XXiouIlxcI.exe"   b1099f513a087bc5d67c0738f7c0febf_JaffaCakes118.exe
Maps connected drives based on registry (3 TTPs, 4 IoCs)
Disk information is often read in order to detect sandboxing environments.
  description        ioc                                                          Process
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum     b1099f513a087bc5d67c0738f7c0febf_JaffaCakes118.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0   b1099f513a087bc5d67c0738f7c0febf_JaffaCakes118.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum     XXiouIlxcI.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0   XXiouIlxcI.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
  description  ioc                                                         Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  XXiouIlxcI.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  b1099f513a087bc5d67c0738f7c0febf_JaffaCakes118.exe
Modifies Internet Explorer settings (2 IoCs)
  description      ioc                                                                                                                                   Process
  Key created      \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Download                              b1099f513a087bc5d67c0738f7c0febf_JaffaCakes118.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"   b1099f513a087bc5d67c0738f7c0febf_JaffaCakes118.exe
  CheckExeSignatures = "no" turns off Internet Explorer's Authenticode check on downloaded executables (the "Check for signatures on downloaded programs" advanced option), so later payloads fetched through IE are not flagged as unsigned.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process                                              entries
  2324  b1099f513a087bc5d67c0738f7c0febf_JaffaCakes118.exe   3
  2932  XXiouIlxcI.exe                                       61
Suspicious behavior: RenamesItself (1 IoC)
  pid   Process
  2324  b1099f513a087bc5d67c0738f7c0febf_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  description                        pid   Process                                              procid_target
  PID 2324 wrote to memory of 2932   2324  b1099f513a087bc5d67c0738f7c0febf_JaffaCakes118.exe   31
  PID 2324 wrote to memory of 2932   2324  b1099f513a087bc5d67c0738f7c0febf_JaffaCakes118.exe   31
  PID 2324 wrote to memory of 2932   2324  b1099f513a087bc5d67c0738f7c0febf_JaffaCakes118.exe   31
  PID 2324 wrote to memory of 2932   2324  b1099f513a087bc5d67c0738f7c0febf_JaffaCakes118.exe   31
System policy modification (1 TTP, 2 IoCs)
  description      ioc                                                                                          Process
  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                   b1099f513a087bc5d67c0738f7c0febf_JaffaCakes118.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"   b1099f513a087bc5d67c0738f7c0febf_JaffaCakes118.exe
  This is the write behind "Disables Task Manager via registry modification". It lands in HKLM, which needs administrative rights; the sandbox ran the sample as the Admin user, and on a standard-user host this write would fail and Task Manager would stay enabled.
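As an added example (not part of the Triage report, and not code from the sample), the following Python turns the registry IoC rows above into structured events and maps them to the behaviours the signatures describe: Run-key persistence into a user-writable directory, the DisableTaskMgr policy, the disabled CheckExeSignatures option, the Disk\Enum sandbox probe and the NLS\Language read. The row strings are copied from the report; the parsing regex, the rule names and the USER_WRITABLE directory list are my assumptions.

```python
"""Map sandbox registry IoC rows to the behaviours named in the report.

Added example: the rows are copied from the Triage report's signature
tables; the row grammar, rule names and directory list are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: registry IoC rows copied from the report.
# Row shape is "<operation> <key>[ = "<value>"] <process>".
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\XXiouIlxcI = "C:\\ProgramData\\XXiouIlxcI.exe" b1099f513a087bc5d67c0738f7c0febf_JaffaCakes118.exe',
    r'Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum b1099f513a087bc5d67c0738f7c0febf_JaffaCakes118.exe',
    r'Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 b1099f513a087bc5d67c0738f7c0febf_JaffaCakes118.exe',
    r'Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum XXiouIlxcI.exe',
    r'Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 XXiouIlxcI.exe',
    r'Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language XXiouIlxcI.exe',
    r'Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b1099f513a087bc5d67c0738f7c0febf_JaffaCakes118.exe',
    r'Key created \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Download b1099f513a087bc5d67c0738f7c0febf_JaffaCakes118.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no" b1099f513a087bc5d67c0738f7c0febf_JaffaCakes118.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System b1099f513a087bc5d67c0738f7c0febf_JaffaCakes118.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" b1099f513a087bc5d67c0738f7c0febf_JaffaCakes118.exe',
]

# Assumed row grammar. The key is matched lazily so a path containing a
# space ("Internet Explorer") still parses; the process name has none.
ROW_RE = re.compile(
    r'^(?P<op>Key opened|Key created|Key value queried|Set value \((?:str|int)\))\s+'
    r'(?P<key>\\REGISTRY\\.+?)'
    r'(?:\s+=\s+"(?P<val>.*?)")?'
    r'\s+(?P<proc>\S+\.exe)$'
)

# Directories a normal user can write to (assumption): a Run value pointing
# here is a stronger persistence signal than one under Program Files.
USER_WRITABLE = ("c:\\programdata\\", "\\appdata\\", "\\temp\\")


@dataclass(frozen=True)
class RegEvent:
    op: str
    key: str
    value: Optional[str]
    process: str


def parse_row(row: str) -> RegEvent:
    m = ROW_RE.match(row)
    if not m:
        raise ValueError(f"unrecognised row: {row!r}")
    val = m.group("val")
    if val is not None:
        val = val.replace("\\\\", "\\")  # the report doubles backslashes in values
    return RegEvent(m.group("op"), m.group("key"), val, m.group("proc"))


def rule_run_key(e: RegEvent) -> Optional[str]:
    if e.op.startswith("Set value") and "\\currentversion\\run\\" in e.key.lower():
        tag = "Run key persistence"
        if e.value and any(d in e.value.lower() for d in USER_WRITABLE):
            tag += " (user-writable path)"
        return tag
    return None


def rule_disable_taskmgr(e: RegEvent) -> Optional[str]:
    if e.key.lower().endswith("\\policies\\system\\disabletaskmgr") and e.value == "1":
        return "Task Manager disabled via policy"
    return None


def rule_ie_signatures(e: RegEvent) -> Optional[str]:
    if e.key.lower().endswith("\\internet explorer\\download\\checkexesignatures") \
            and (e.value or "").lower() == "no":
        return "IE executable signature check disabled"
    return None


def rule_disk_enum(e: RegEvent) -> Optional[str]:
    # Reading Services\Disk\Enum exposes disk model strings, a common VM check.
    if "\\services\\disk\\enum" in e.key.lower() and e.op in ("Key opened", "Key value queried"):
        return "Disk enumeration (sandbox/VM check)"
    return None


def rule_language(e: RegEvent) -> Optional[str]:
    if e.key.lower().endswith("\\control\\nls\\language"):
        return "System language discovery"
    return None


RULES = (rule_run_key, rule_disable_taskmgr, rule_ie_signatures, rule_disk_enum, rule_language)


def detect(rows):
    """Return (process, finding, key) triples for every rule that fires."""
    findings = []
    for row in rows:
        e = parse_row(row)
        for rule in RULES:
            hit = rule(e)
            if hit:
                findings.append((e.process, hit, e.key))
    return findings


def summarize(rows):
    """Map each process name to the set of behaviours observed for it."""
    out = defaultdict(set)
    for proc, hit, _ in detect(rows):
        out[proc].add(hit)
    return dict(out)


if __name__ == "__main__":
    for proc, hits in summarize(SAMPLE_ROWS).items():
        print(proc)
        for h in sorted(hits):
            print("  -", h)
```

Run stand-alone it prints the parent with all five behaviours and the dropped XXiouIlxcI.exe with only the disk and language reads, which matches the per-process signature lists in the Processes section. The two "Key created" rows deliberately fire nothing: creating Policies\System or the IE Download key is not itself the malicious change, the value write is.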
Processes
  C:\Users\Admin\AppData\Local\Temp\b1099f513a087bc5d67c0738f7c0febf_JaffaCakes118.exe  (depth 1, PID 2324)
    command line: "C:\Users\Admin\AppData\Local\Temp\b1099f513a087bc5d67c0738f7c0febf_JaffaCakes118.exe"
    - Loads dropped DLL
    - Adds Run key to start application
    - Maps connected drives based on registry
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    - System policy modification
    C:\ProgramData\XXiouIlxcI.exe  (depth 2, PID 2932, child of PID 2324)
      command line: "C:\ProgramData\XXiouIlxcI.exe"
      - Executes dropped EXE
      - Maps connected drives based on registry
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize:  476KB
  MD5:       b1099f513a087bc5d67c0738f7c0febf
  SHA1:      3d4f564da8bcf44e081a1382bac3a7e696b6193e
  SHA256:    5db3786e086cd72014655d23371bdd8b41de6868f19dc496632ca9b55279403a
  SHA512:    ba5d1c1bf962f6d7e6c5a41d0325c9c2d64477e4d3b295b63e85771e854c2f4229f7ce9fd8750ca2f8dd4651117769f41fdc8378b3fd1d104b6fd86522f0f123