Analysis
-
max time kernel: 150s
-
max time network: 126s
-
platform: windows7_x64
-
resource: win7-20240704-en
-
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
-
submitted: 22/08/2024, 02:24
Static task: static1
Behavioral task: behavioral1
Sample: b5fdc9452d7cd3ccda9973d010f23f12_JaffaCakes118.exe
Resource: win7-20240704-en
Behavioral task: behavioral2
Sample: b5fdc9452d7cd3ccda9973d010f23f12_JaffaCakes118.exe
Resource: win10v2004-20240802-en
General
-
Target: b5fdc9452d7cd3ccda9973d010f23f12_JaffaCakes118.exe
-
Size: 138KB
-
MD5: b5fdc9452d7cd3ccda9973d010f23f12
-
SHA1: d82fabdfd5c5d5bcfd713ea5a55b4a8e8105a123
-
SHA256: 4fc371d56223ad9a441fd056abf5d879846b040183dd49ad465c6d9111728fda
-
SHA512: d7ee45e7cf1b8635f552de6d8e9832c292db68dc42617f75afc0e093dc41543c86e8f66b1a3c352a8ae5b70e7d17681a2ba1aae28caf5d662d629b1d39b7fce5
-
SSDEEP: 3072:7tsaTXp2uHKN/BDzh/5jrCIHer7Zmv3HSruNyLamWjMAKdWrc:7Garp2uHKNfYJmaiNyVWPdrc
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid Process
1552 cmd.exe
-
Executes dropped EXE 1 IoCs
pid Process
2196 nuon.exe
-
Loads dropped DLL 2 IoCs
pid Process
2256 b5fdc9452d7cd3ccda9973d010f23f12_JaffaCakes118.exe
2256 b5fdc9452d7cd3ccda9973d010f23f12_JaffaCakes118.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\{F6CB8EED-75E3-9C27-7A70-061099CB5254} = "C:\\Users\\Admin\\AppData\\Roaming\\Sood\\nuon.exe" nuon.exe
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target
PID 2256 set thread context of 1552 2256 b5fdc9452d7cd3ccda9973d010f23f12_JaffaCakes118.exe 31
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b5fdc9452d7cd3ccda9973d010f23f12_JaffaCakes118.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nuon.exe
-
Modifies Internet Explorer settings 2 IoCs
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Privacy b5fdc9452d7cd3ccda9973d010f23f12_JaffaCakes118.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0" b5fdc9452d7cd3ccda9973d010f23f12_JaffaCakes118.exe
-
NTFS ADS 1 IoCs
description ioc Process
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\2B1A2393-00000001.eml:OECustomProperty WinMail.exe
-
Suspicious behavior: EnumeratesProcesses 30 IoCs
pid Process
2196 nuon.exe (30 identical entries)
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process
Token: SeSecurityPrivilege 2256 b5fdc9452d7cd3ccda9973d010f23f12_JaffaCakes118.exe (3 identical entries)
Token: SeManageVolumePrivilege 1300 WinMail.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process
1300 WinMail.exe
-
Suspicious use of SendNotifyMessage 1 IoCs
pid Process
1300 WinMail.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process
1300 WinMail.exe
-
Suspicious use of WriteProcessMemory 43 IoCs
description pid Process procid_target
PID 2256 wrote to memory of 2196 2256 b5fdc9452d7cd3ccda9973d010f23f12_JaffaCakes118.exe 29 (4 identical entries)
PID 2196 wrote to memory of 1232 2196 nuon.exe 18 (5 identical entries)
PID 2196 wrote to memory of 1336 2196 nuon.exe 19 (5 identical entries)
PID 2196 wrote to memory of 1392 2196 nuon.exe 20 (5 identical entries)
PID 2196 wrote to memory of 932 2196 nuon.exe 24 (5 identical entries)
PID 2196 wrote to memory of 2256 2196 nuon.exe 28 (5 identical entries)
PID 2256 wrote to memory of 1552 2256 b5fdc9452d7cd3ccda9973d010f23f12_JaffaCakes118.exe 31 (9 identical entries)
PID 2196 wrote to memory of 2052 2196 nuon.exe 33 (5 identical entries)
Processes
-
C:\Windows\system32\taskhost.exe
"taskhost.exe"
PID:1232
-
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
PID:1336
-
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
PID:1392
  -
  C:\Users\Admin\AppData\Local\Temp\b5fdc9452d7cd3ccda9973d010f23f12_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\b5fdc9452d7cd3ccda9973d010f23f12_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2256
    -
    C:\Users\Admin\AppData\Roaming\Sood\nuon.exe
    "C:\Users\Admin\AppData\Roaming\Sood\nuon.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2196
    -
    C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpfba394dd.bat"
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:1552
-
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
PID:932
-
C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1300
-
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
PID:2052
Downloads