Analysis
max time kernel: 149s
max time network: 118s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 23/08/2024, 04:03
Static task: static1
Behavioral task: behavioral1
  Sample: ba480da41b6ec6f00fc0d7caf9f11cb3_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: ba480da41b6ec6f00fc0d7caf9f11cb3_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: ba480da41b6ec6f00fc0d7caf9f11cb3_JaffaCakes118.exe
Size: 880KB
MD5: ba480da41b6ec6f00fc0d7caf9f11cb3
SHA1: f924f6baa35057ea88154faed0213c154eadcfa0
SHA256: 47256456d9897ef71eb4a944fbde08aa388aabb85645b5b79ba6dc0c9a106124
SHA512: adfa3b2c264d1bcfa82e2d94187a073905cfe55aa08690a1d9e79d9a6a8bc7fe523e49d8bcbd43beec5ab62e26c558e57e7ff72e46d1aa5973fd77d5a39a0b9f
SSDEEP: 24576:9+6LCb7OdjFbdRGe9PiuImyEaNCXhgtNz5WhCdSjD4kbQsbq7480/uSUsQ6F:9pnCe9qIeNCqfb4j1bT
Malware Config
Signatures

Checks BIOS information in registry (2 TTPs, 1 IoC)
BIOS information is often read in order to detect sandboxing environments.
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate (crypted.exe)

Executes dropped EXE (2 IoCs)
  PID 1968 crypted.exe
  PID 11744 crypted.exe

Loads dropped DLL (1 IoC)
  PID 1968 crypted.exe

Suspicious use of SetThreadContext (1 IoC)
  PID 1968 (crypted.exe) set thread context of 11744 (procid_target 32, the report's own index for the target process, not its PID)
Taken together with the memory writes from 1968 into 11744 listed below and the fact that 11744 runs the same image as its parent, this is consistent with process hollowing (RunPE): spawn a copy of yourself, overwrite its image in memory, redirect the main thread with SetThreadContext and resume it.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (crypted.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (crypted.exe)
The process tree below attributes one open to each crypted.exe instance (PID 1968 and PID 11744).

Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (crypted.exe)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (crypted.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (crypted.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (crypted.exe)

Enumerates system info in registry (2 TTPs, 1 IoC)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier (crypted.exe)

Opens file in notepad (likely ransom note) (1 IoC)
  PID 2124 NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken (23 IoCs)
  PID 11744 (crypted.exe) adjusted tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
The numeric entries are privilege LUIDs; in winnt.h 33, 34 and 35 are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege. This is close to the full privilege set of an administrator token requested in one sweep rather than the one or two a specific operation needs; SeDebugPrivilege, SeBackupPrivilege and SeRestorePrivilege are the ones that matter, since they let the payload reach other processes' memory and read or write files regardless of their ACLs.

Suspicious use of WriteProcessMemory (20 IoCs)
  PID 2900 (ba480da41b6ec6f00fc0d7caf9f11cb3_JaffaCakes118.exe) wrote to memory of 1968 (procid_target 30): 4 events
  PID 2900 (ba480da41b6ec6f00fc0d7caf9f11cb3_JaffaCakes118.exe) wrote to memory of 2124 (procid_target 31): 3 events
  PID 1968 (crypted.exe) wrote to memory of 11744 (procid_target 32): 13 events
The three or four writes into each freshly created child are the ordinary parent-side CreateProcess setup (the notepad launch, which is benign, shows the same count); the thirteen writes from 1968 into 11744 followed by SetThreadContext are the anomaly.
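The BIOS, processor and system-identifier queries above are the classic pre-flight check a crypter runs before unpacking its payload. The script below is an added example, not code from this report, the sample, or tria.ge: it reads exactly the five HKLM values listed in the signatures and reports which of them would leak a hypervisor on the analysis image. The VM_MARKERS list, the noise threshold and the two sample registry contents (a default QEMU guest and a bare-metal host) are assumptions constructed for the example; the report does not say what the sample compares the values against.

```python
"""Which of the registry values this sample queried would reveal a VM/sandbox?

Added example, not code from the report or the sample. The marker list and
the two sample registry contents are assumptions constructed for illustration.
"""

# The five HKLM values the sample read (paths from the report's signatures).
QUERIED_VALUES = (
    r"HARDWARE\DESCRIPTION\System\SystemBiosDate",
    r"HARDWARE\DESCRIPTION\System\Identifier",
    r"HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier",
    r"HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString",
    r"HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier",
)

# Substrings that hypervisor-supplied firmware and CPU strings commonly carry.
# Assumed list: the report does not state what the sample matches against.
VM_MARKERS = ("vbox", "virtualbox", "vmware", "qemu", "xen", "hyper-v",
              "kvm", "bochs", "parallels", "virtual")


def read_live_values():
    """On Windows, read the queried values from HKLM; elsewhere return {}.

    A value that cannot be read is recorded as None so the caller sees what
    the sample sees: a failed query is itself a tell on stripped-down images.
    """
    try:
        import winreg  # Windows-only standard-library module
    except ImportError:
        return {}
    values = {}
    for path in QUERIED_VALUES:
        subkey, _, name = path.rpartition("\\")
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
                values[path], _ = winreg.QueryValueEx(key, name)
        except OSError:
            values[path] = None
    return values


def fingerprint(values):
    """Map each queried path to the VM markers found in its value.

    Only paths with at least one hit are returned; an empty dict means the
    image passes this particular check (other checks may still catch it).
    """
    hits = {}
    for path, value in values.items():
        if value is None:
            continue
        text = str(value).lower()
        found = [marker for marker in VM_MARKERS if marker in text]
        if found:
            hits[path] = found
    return hits


# Constructed sample contents: a default QEMU guest and a bare-metal host.
SAMPLE_GUEST = {
    QUERIED_VALUES[0]: "04/01/2014",
    QUERIED_VALUES[1]: "AT/AT COMPATIBLE",
    QUERIED_VALUES[2]: "GenuineIntel",
    QUERIED_VALUES[3]: "QEMU Virtual CPU version 2.5+",
    QUERIED_VALUES[4]: "Intel64 Family 6 Model 6 Stepping 3",
}
SAMPLE_BARE_METAL = {
    QUERIED_VALUES[0]: "03/14/19",
    QUERIED_VALUES[1]: "AT/AT COMPATIBLE",
    QUERIED_VALUES[2]: "GenuineIntel",
    QUERIED_VALUES[3]: "Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz",
    QUERIED_VALUES[4]: "Intel64 Family 6 Model 158 Stepping 10",
}

if __name__ == "__main__":
    for label, values in (("guest", SAMPLE_GUEST), ("bare metal", SAMPLE_BARE_METAL)):
        print(f"{label}: {fingerprint(values) or 'no markers'}")
    live = read_live_values()
    if live:  # only populated when run on Windows
        print(f"this host: {fingerprint(live) or 'no markers'}")
```

Run it on the sandbox image itself (it only touches HKLM, read-only) and compare against the values the sample read; the ProcessorNameString is the usual leak, since SystemBiosDate and System\Identifier tend to look the same on guests and hosts.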
Processes

C:\Users\Admin\AppData\Local\Temp\ba480da41b6ec6f00fc0d7caf9f11cb3_JaffaCakes118.exe (PID 2900)
  command line: "C:\Users\Admin\AppData\Local\Temp\ba480da41b6ec6f00fc0d7caf9f11cb3_JaffaCakes118.exe"
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\crypted.exe (PID 1968, child of 2900)
    command line: "C:\Users\Admin\AppData\Local\Temp\crypted.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\crypted.exe (PID 11744, child of 1968)
      command line: "C:\Users\Admin\AppData\Local\Temp\crypted.exe"
      - Checks BIOS information in registry
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\NOTEPAD.EXE (PID 2124, child of 2900)
    command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Instructions.txt
    - Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 360B
MD5: 036d4adeb724a007fb00011734b5a3e2
SHA1: 1d0f70d7b442bee1741702394dcc917cb13c9064
SHA256: e1a0dcf6046381884d91d8e70b48b76548520f2f3fb87391d14b6af0d9609036
SHA512: 5d02f692e8ff7927498ef750091da86ae2b85b4f73f7ee29721207b1fb4055c0b47f38333dc0e2eaf7b0bca6a50f0291d68826637d4b7d467965c19866979d2f

Filesize: 645KB
MD5: d2612794fd2d21874ffb92b2bfef2407
SHA1: a74255beeb2a61ef598dd10fd50f8e1ba25a574b
SHA256: 6eb607fa53c977d8fbd3ad8578f574dad83bebd5daf865a04df0a8afb9daee33
SHA512: e0c594217064ac12cc6e780aa4e0b171103d974fbb59113ad9f7763601e24c7f8a91a607dc43179b5e28bab27bf47ee7c16598b1f9569620fc6ef0f83f7accfd