Analysis
max time kernel: 147s
max time network: 148s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 20/08/2024, 09:45
Static task: static1
Behavioral task: behavioral1
  Sample: aebe807b303e1f27905b14fed19eb977_JaffaCakes118.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: aebe807b303e1f27905b14fed19eb977_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: aebe807b303e1f27905b14fed19eb977_JaffaCakes118.exe
Size: 1.1MB
MD5: aebe807b303e1f27905b14fed19eb977
SHA1: 3993f2cb66a0aec79ae301c98527857bce1e0aeb
SHA256: 9c2ee85a2694dbd762a818acd24b491e17b633fc18f867ef19f12d3271a51e07
SHA512: 7e0fedf5a10a62fe3bb921d0cdb2310e7bc28ace9fbc3164a4ee1a005e83c96b86ad1f87b37e0bde94e851515e29a1fad551fb89eb1a2a31c7a97d6ecbe8b8a2
SSDEEP: 12288:B3XOndk7TbCMPW5A6X4tbAYkrYJAeZ1sug8Gy0t8wGpB5NP1vnbIaGTjg:B3edQbC8W5A0YirYhicGy0t8w6vbIZ4
Malware Config
Signatures
Deletes itself (1 IoCs)
  pid 2120, process cmd.exe

Executes dropped EXE (1 IoCs)
  pid 2388, process Utility Mang.exe

Drops file in Windows directory (3 IoCs)
  File created: C:\Windows\Utility Mang.exe, process aebe807b303e1f27905b14fed19eb977_JaffaCakes118.exe
  File opened for modification: C:\Windows\Utility Mang.exe, process aebe807b303e1f27905b14fed19eb977_JaffaCakes118.exe
  File created: C:\Windows\Uer.BAT, process aebe807b303e1f27905b14fed19eb977_JaffaCakes118.exe

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process aebe807b303e1f27905b14fed19eb977_JaffaCakes118.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process Utility Mang.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process cmd.exe

Modifies data under HKEY_USERS (9 IoCs)
  Key created: \REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm, process Utility Mang.exe
  Key created: \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties, process Utility Mang.exe
  Key created: \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties, process Utility Mang.exe
  Set value (int): \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm\wheel = "1", process Utility Mang.exe
  Key created: \REGISTRY\USER\.DEFAULT\System, process Utility Mang.exe
  Key created: \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet, process Utility Mang.exe
  Key created: \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control, process Utility Mang.exe
  Key created: \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick, process Utility Mang.exe
  Key created: \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm, process Utility Mang.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
  pid 2388, process Utility Mang.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1956 wrote to memory of 2120 (process aebe807b303e1f27905b14fed19eb977_JaffaCakes118.exe, target procid 33)
  PID 1956 wrote to memory of 2120 (process aebe807b303e1f27905b14fed19eb977_JaffaCakes118.exe, target procid 33)
  PID 1956 wrote to memory of 2120 (process aebe807b303e1f27905b14fed19eb977_JaffaCakes118.exe, target procid 33)
  PID 1956 wrote to memory of 2120 (process aebe807b303e1f27905b14fed19eb977_JaffaCakes118.exe, target procid 33)
  PID 2388 wrote to memory of 2892 (process Utility Mang.exe, target procid 32)
  PID 2388 wrote to memory of 2892 (process Utility Mang.exe, target procid 32)
  PID 2388 wrote to memory of 2892 (process Utility Mang.exe, target procid 32)
  PID 2388 wrote to memory of 2892 (process Utility Mang.exe, target procid 32)
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\aebe807b303e1f27905b14fed19eb977_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\aebe807b303e1f27905b14fed19eb977_JaffaCakes118.exe"
  PID: 1956
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c C:\Windows\Uer.BAT
    PID: 2120
    - Deletes itself
    - System Location Discovery: System Language Discovery

Level 1: C:\Windows\Utility Mang.exe
  Command line: "C:\Windows\Utility Mang.exe"
  PID: 2388
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Program Files\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
    PID: 2892
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 214B
  MD5: 6734193e0be6215dc48c38f73218f5dd
  SHA1: 11f69e3b6c075075aaffd2436fc1b80b167035bb
  SHA256: 4fad6d7fd17834cb6ea0c0417ada083522ff6692bb1c1c0ca1ce3b75e528b648
  SHA512: 72df81c1fdf74cb602223cc3576c92e26a58976aa1d8db64c671df5d482985a0451a230998535c8f3cbdfd1dbcfbb29f8fcf6e90c83a5ad0b524d508626df3c2

Filesize: 1.1MB
  MD5: aebe807b303e1f27905b14fed19eb977
  SHA1: 3993f2cb66a0aec79ae301c98527857bce1e0aeb
  SHA256: 9c2ee85a2694dbd762a818acd24b491e17b633fc18f867ef19f12d3271a51e07
  SHA512: 7e0fedf5a10a62fe3bb921d0cdb2310e7bc28ace9fbc3164a4ee1a005e83c96b86ad1f87b37e0bde94e851515e29a1fad551fb89eb1a2a31c7a97d6ecbe8b8a2