Analysis
max time kernel: 150s
max time network: 136s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 20/08/2024, 04:47
Static task: static1
Behavioral task: behavioral1
  Sample: ade8b7109491a576ef9e33c6ad175e3d_JaffaCakes118.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: ade8b7109491a576ef9e33c6ad175e3d_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: ade8b7109491a576ef9e33c6ad175e3d_JaffaCakes118.exe
Size: 297KB
MD5: ade8b7109491a576ef9e33c6ad175e3d
SHA1: 5ce75d4b306c42d294c33c3b76a6723c62544a33
SHA256: ffbd31ddd22c2abf5488b073474c61454f7bf6deb10260b7551245faf5e934e8
SHA512: dc0dce9c9af62dd5f60a0ad070e09c5dff1b85794e4c99096711dfad3c4144036d315c7ba50ff82bc22d02a658ba37f1823256b4334f86c3b0306ceffd485f38
SSDEEP: 6144:WjhawZHWSIg118HWULKjC7hif1mO45x3VN0cp0cyIi:yljIaC7hy45x3ko0cyIi
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 2132, process cmd.exe
- Executes dropped EXE (1 IoC)
  pid 2240, process mileh.exe
- Loads dropped DLL (2 IoCs)
  pid 828, process ade8b7109491a576ef9e33c6ad175e3d_JaffaCakes118.exe (2 events)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\{1B0C4E28-6E66-AD4F-AB1D-A71BBF328406} = "C:\\Users\\Admin\\AppData\\Roaming\\Xyobw\\mileh.exe", process mileh.exe
- Suspicious use of SetThreadContext (1 IoC)
  PID 828 set thread context of 2132, pid 828, process ade8b7109491a576ef9e33c6ad175e3d_JaffaCakes118.exe, procid_target 30
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process ade8b7109491a576ef9e33c6ad175e3d_JaffaCakes118.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process mileh.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process cmd.exe
- Modifies Internet Explorer settings
  Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Privacy, process ade8b7109491a576ef9e33c6ad175e3d_JaffaCakes118.exe
  Set value (int) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0", process ade8b7109491a576ef9e33c6ad175e3d_JaffaCakes118.exe
- Suspicious behavior: EnumeratesProcesses (31 IoCs)
  pid 2240, process mileh.exe (31 events)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeSecurityPrivilege, pid 828, process ade8b7109491a576ef9e33c6ad175e3d_JaffaCakes118.exe (3 events)
- Suspicious use of UnmapMainImage (2 IoCs)
  pid 828, process ade8b7109491a576ef9e33c6ad175e3d_JaffaCakes118.exe
  pid 2240, process mileh.exe
- Suspicious use of WriteProcessMemory (38 IoCs; identical rows collapsed, with the number of times each is listed)
  PID 828 wrote to memory of 2240, pid 828, process ade8b7109491a576ef9e33c6ad175e3d_JaffaCakes118.exe, procid_target 29 (4 events)
  PID 2240 wrote to memory of 1284, pid 2240, process mileh.exe, procid_target 18 (5 events)
  PID 2240 wrote to memory of 1388, pid 2240, process mileh.exe, procid_target 19 (5 events)
  PID 2240 wrote to memory of 1444, pid 2240, process mileh.exe, procid_target 20 (5 events)
  PID 2240 wrote to memory of 1604, pid 2240, process mileh.exe, procid_target 22 (5 events)
  PID 2240 wrote to memory of 828, pid 2240, process mileh.exe, procid_target 28 (5 events)
  PID 828 wrote to memory of 2132, pid 828, process ade8b7109491a576ef9e33c6ad175e3d_JaffaCakes118.exe, procid_target 30 (9 events)
Processes (indentation shows the parent/child level)
- C:\Windows\system32\taskhost.exe "taskhost.exe" (level 1) PID:1284
- C:\Windows\system32\Dwm.exe "C:\Windows\system32\Dwm.exe" (level 1) PID:1388
- C:\Windows\Explorer.EXE C:\Windows\Explorer.EXE (level 1) PID:1444
  - C:\Users\Admin\AppData\Local\Temp\ade8b7109491a576ef9e33c6ad175e3d_JaffaCakes118.exe "C:\Users\Admin\AppData\Local\Temp\ade8b7109491a576ef9e33c6ad175e3d_JaffaCakes118.exe" (level 2) PID:828
    Signatures: Loads dropped DLL; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Modifies Internet Explorer settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Xyobw\mileh.exe "C:\Users\Admin\AppData\Roaming\Xyobw\mileh.exe" (level 3) PID:2240
      Signatures: Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp8ed68206.bat" (level 3) PID:2132
      Signatures: Deletes itself; System Location Discovery: System Language Discovery
- C:\Windows\system32\DllHost.exe C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} (level 1) PID:1604
Network
MITRE ATT&CK Enterprise v15
Downloads
- File 1
  Filesize: 271B
  MD5: a230b188d83d366e04eaa5416b77cdd6
  SHA1: 92d9822b74fac595ab785de577b5a1e006525d9a
  SHA256: 8421f47c2379e3afd967dda3bac56480973fc85cce510307c0b308c890c32e39
  SHA512: d1b7017334f9d0ea58051c4b94b862a0c83e58d10d2e552510138c1598196751ff653d4c31a4b7cb124e2044f287b59e82c1e3bffef1780178a985510449ed47
- File 2
  Filesize: 380B
  MD5: d4bc7f35aefa7a875f8406f777e293d0
  SHA1: 3f78896442d9bd2494c9bc8ac27d3a34c30ecb82
  SHA256: 006fd70a01f780affd78b9a448f7e6b9c877bee3f334a0f67b2809493725707a
  SHA512: 146d17006dc4bd0ac43d761a5a0b8257893c96ad7db721bc1a488528a5ea31582c444a11b3a20c2cc9e1e6f6b7265692d52cd8413a935c51b8374db27fb1a778
- File 3
  Filesize: 297KB
  MD5: e9f5187c76f1bd2d757a79b00a29dc75
  SHA1: d57cf0e668c9d9c477326d76747e79a80161c056
  SHA256: 76a982a5c1a5dcfb0c7aa9946f44193d797e92b037fa9b3856ea6a5d1e6f6709
  SHA512: 893b6f51ee751753893a955875baf5152099d6edcbfa0476f2322db4181800e241448dbe047b5041ae6c85f1e08ad62582c53cad8c069145e33723439834b05f