Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
20/08/2024, 18:49
Static task
static1
Behavioral task
behavioral1
Sample
b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe
Resource
win7-20240704-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe
-
Size
786KB
-
MD5
b06990caa3626d11c9c0cc59a75924e4
-
SHA1
a04db85d210ba1afb0bf7b81efbafa66128efa25
-
SHA256
09e8b2b10ed42d306662a4e92f6f8b90994349af01789a50e8d5499b87e45035
-
SHA512
4b38f88877d398bd5eb523538728d3d1ac9c31fcf8259d2476f5538aab8f7c452e8f15b510105078f14ff1cfde9ca8025ade2c31953442aaac11e3c9eea1c02a
-
SSDEEP
12288:oRYgA7YQCDaZYxnczY9u1BGxiLdAtpeLmkSrre3BrpWZhASRXHYnrm9:oRYgA7NzZw9WGELGbeNc0rqRXHYrm9
Malware Config
Signatures
-
Modifies Windows Firewall 2 TTPs 2 IoCs
pid Process 2712 netsh.exe 2672 netsh.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 24 IoCs
description pid Process procid_target PID 3008 wrote to memory of 1272 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 30 PID 3008 wrote to memory of 1272 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 30 PID 3008 wrote to memory of 1272 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 30 PID 3008 wrote to memory of 1272 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 30 PID 3008 wrote to memory of 2700 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 32 PID 3008 wrote to memory of 2700 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 32 PID 3008 wrote to memory of 2700 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 32 PID 3008 wrote to memory of 2700 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 32 PID 3008 wrote to memory of 2816 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 34 PID 3008 wrote to memory of 2816 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 34 PID 3008 wrote to memory of 2816 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 34 PID 3008 wrote to memory of 2816 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 34 PID 2816 wrote to memory of 2712 2816 cmd.exe 36 PID 2816 wrote to memory of 2712 2816 cmd.exe 36 PID 2816 wrote to memory of 2712 2816 cmd.exe 36 PID 2816 wrote to memory of 2712 2816 cmd.exe 36 PID 3008 wrote to memory of 2564 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 37 PID 3008 wrote to memory of 2564 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 37 PID 3008 wrote to memory of 2564 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 37 PID 3008 wrote to memory of 2564 3008 b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe 37 PID 2564 wrote to memory of 2672 2564 cmd.exe 39 PID 2564 wrote to memory of 2672 2564 cmd.exe 39 PID 2564 wrote to memory of 2672 2564 cmd.exe 39 PID 2564 wrote to memory of 2672 2564 cmd.exe 39
Processes
-
C:\Users\Admin\AppData\Local\Temp\b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\b06990caa3626d11c9c0cc59a75924e4_JaffaCakes118.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir "C:\Users\Admin\AppData\Local\DirectDownloader"2⤵
- System Location Discovery: System Language Discovery
PID:1272
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C echo ifms > "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe"2⤵
- System Location Discovery: System Language Discovery
PID:2700
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe"3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2712
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe" "DirectDownloader" ENABLE2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe" "DirectDownloader" ENABLE3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2672
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1