Analysis
max time kernel: 140s
max time network: 122s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 23/08/2024, 06:18
Static task: static1
Behavioral task: behavioral1
  Sample: baad0ba5161883106ab153da0bcfc783_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: baad0ba5161883106ab153da0bcfc783_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: baad0ba5161883106ab153da0bcfc783_JaffaCakes118.exe
Size: 283KB
MD5: baad0ba5161883106ab153da0bcfc783
SHA1: 59c4280a4e71204a42d67cf52da6055d17d29cee
SHA256: 84e2262def66c581cfc3d98c96578e4536e878a64e7d1cf74c7ad3b390ed378d
SHA512: 3117be8cb54a683c4c40ed453c4dd2cb903066876c0813a11b305d9aadf29c324709512873007f2c08885b38422f67b7a970c0d6047631b1cbae0e55c4dd4390
SSDEEP: 6144:XGnRvoAIBjgHA+et3Bwqg555DoygfXia9a/6CNHy5rR:XGn2AIBs5etxU5M1hSNHu
Malware Config
Signatures

Modifies security service (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3" | baad0ba5161883106ab153da0bcfc783_JaffaCakes118.exe

Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
  Malicious access to, or copy of, a web browser credential store.

Boot or Logon Autostart Execution: Active Setup (2 TTPs, 1 IoC)
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe

Disables taskbar notifications via registry modification

Executes dropped EXE (1 IoC)
  pid | process
  3016 | 4894.tmp

Loads dropped DLL (2 IoCs)
  pid | process
  1864 | baad0ba5161883106ab153da0bcfc783_JaffaCakes118.exe (2 times)

Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
YARA rule matches (10 IoCs)
  resource | yara_rule
  behavioral1/memory/1864-2-0x0000000000400000-0x000000000046C000-memory.dmp | upx
  behavioral1/memory/2844-13-0x0000000000400000-0x000000000046C000-memory.dmp | upx
  behavioral1/memory/2844-14-0x0000000000400000-0x000000000046C000-memory.dmp | upx
  behavioral1/memory/1864-15-0x0000000000400000-0x0000000000469000-memory.dmp | upx
  behavioral1/memory/1864-16-0x0000000000400000-0x000000000046C000-memory.dmp | upx
  behavioral1/memory/2416-87-0x0000000000400000-0x000000000046C000-memory.dmp | upx
  behavioral1/memory/2416-88-0x0000000000400000-0x000000000046C000-memory.dmp | upx
  behavioral1/memory/1864-89-0x0000000000400000-0x000000000046C000-memory.dmp | upx
  behavioral1/memory/1864-196-0x0000000000400000-0x000000000046C000-memory.dmp | upx
  behavioral1/memory/1864-199-0x0000000000400000-0x000000000046C000-memory.dmp | upx

Unsecured Credentials: Credentials In Files (1 TTP)
  Steal credentials from unsecured files.

Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\B61.exe = "C:\\Program Files (x86)\\LP\\D3A1\\B61.exe" | baad0ba5161883106ab153da0bcfc783_JaffaCakes118.exe

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in Program Files directory (3 IoCs)
  description | ioc | process
  File created | C:\Program Files (x86)\LP\D3A1\B61.exe | baad0ba5161883106ab153da0bcfc783_JaffaCakes118.exe
  File opened for modification | C:\Program Files (x86)\LP\D3A1\4894.tmp | baad0ba5161883106ab153da0bcfc783_JaffaCakes118.exe
  File opened for modification | C:\Program Files (x86)\LP\D3A1\B61.exe | baad0ba5161883106ab153da0bcfc783_JaffaCakes118.exe

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | baad0ba5161883106ab153da0bcfc783_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4894.tmp
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | baad0ba5161883106ab153da0bcfc783_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | baad0ba5161883106ab153da0bcfc783_JaffaCakes118.exe

Modifies registry class (5 IoCs)
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_Classes\Local Settings | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid | process
  1864 | baad0ba5161883106ab153da0bcfc783_JaffaCakes118.exe (14 times)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | process
  1972 | explorer.exe

Suspicious use of AdjustPrivilegeToken (15 IoCs)
  description | pid | process
  Token: SeRestorePrivilege | 2336 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 2336 | msiexec.exe
  Token: SeSecurityPrivilege | 2336 | msiexec.exe
  Token: SeShutdownPrivilege | 1972 | explorer.exe (12 times)

Suspicious use of FindShellTrayWindow (28 IoCs)
  pid | process
  1972 | explorer.exe (28 times)

Suspicious use of SendNotifyMessage (18 IoCs)
  pid | process
  1972 | explorer.exe (18 times)

Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | process | procid_target
  PID 1864 wrote to memory of 2844 | 1864 | baad0ba5161883106ab153da0bcfc783_JaffaCakes118.exe | 32 (4 times)
  PID 1864 wrote to memory of 2416 | 1864 | baad0ba5161883106ab153da0bcfc783_JaffaCakes118.exe | 34 (4 times)
  PID 1864 wrote to memory of 3016 | 1864 | baad0ba5161883106ab153da0bcfc783_JaffaCakes118.exe | 36 (4 times)

System policy modification (1 TTP, 2 IoCs)
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" | baad0ba5161883106ab153da0bcfc783_JaffaCakes118.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | baad0ba5161883106ab153da0bcfc783_JaffaCakes118.exe

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\baad0ba5161883106ab153da0bcfc783_JaffaCakes118.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\baad0ba5161883106ab153da0bcfc783_JaffaCakes118.exe"
  PID: 1864
  - Modifies security service
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification

    C:\Users\Admin\AppData\Local\Temp\baad0ba5161883106ab153da0bcfc783_JaffaCakes118.exe (depth 2)
      command line: C:\Users\Admin\AppData\Local\Temp\baad0ba5161883106ab153da0bcfc783_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\150DA\50ED3.exe%C:\Users\Admin\AppData\Roaming\150DA
      PID: 2844
      - System Location Discovery: System Language Discovery

    C:\Users\Admin\AppData\Local\Temp\baad0ba5161883106ab153da0bcfc783_JaffaCakes118.exe (depth 2)
      command line: C:\Users\Admin\AppData\Local\Temp\baad0ba5161883106ab153da0bcfc783_JaffaCakes118.exe startC:\Program Files (x86)\DA706\lvvm.exe%C:\Program Files (x86)\DA706
      PID: 2416
      - System Location Discovery: System Language Discovery

    C:\Program Files (x86)\LP\D3A1\4894.tmp (depth 2)
      command line: "C:\Program Files (x86)\LP\D3A1\4894.tmp"
      PID: 3016
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

C:\Windows\system32\msiexec.exe (depth 1)
  command line: C:\Windows\system32\msiexec.exe /V
  PID: 2336
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\explorer.exe (depth 1)
  command line: explorer.exe
  PID: 1972
  - Boot or Logon Autostart Execution: Active Setup
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (3)
    Credentials In Files (3)
Downloads

Filesize: 1KB
MD5: ed215b1fcae4c18a0a98b8f784ea82b7
SHA1: f9b5b203f67a5bc73dba98594ba3d08d1421d9ef
SHA256: 65685d7c81daa9510297b8500f5466299731851f92301a84ef5350331a774eef
SHA512: fb620fcffccbc40e2424784b6c3354129ae7b10ea1167d3879e299aeb6ca0b1009c12227845c75ca7de78b84dd35e60bdff55351d3649cb6bb0006503aeff172

Filesize: 600B
MD5: 1144ec0b7c50fedfbab6b1a20d8985fd
SHA1: a577f58c5be30daf96e118fa4b7b0856f03d736d
SHA256: c34df0b4a7a4dd1cf8d95fcef97c59456ed7c9d6ced6c58ddf3f29cdf3b6a773
SHA512: c397e584d20573fe7276e819842fec1f24ac33cc5a20849060c7d82de4742628b1ad86564b894e5b3468d6a4cdbc68132a6a441970c07420b21f98d1fcc07cd1

Filesize: 996B
MD5: e25efa5bc9aa6f721a6c8aeceb34339e
SHA1: 8dc354084457bca0c2526e8e1d64fbb90bfe0938
SHA256: 294e392a093295ba33fbfcb9a12140a89cb8b4e03bbe99c6317c5685aa1b2a19
SHA512: 89a9b875511dc086f8d1b01a6727424fa3d3c15c91a7c54ecc2057821475581bcfb368204f85203a2c2199f4e77496a69d94bf7d9bc19967da806cfc57ee5204

Filesize: 104KB
MD5: 9ec163301c151d8034762d4842fc5e17
SHA1: cc0d87dec81974a84cbb10079ae2970c4479d004
SHA256: 13d97533799566e188daa7219a21c05ceee71b506701f51764a17cc0dc275066
SHA512: 96c7836851e55185dc22b8b585b11edf26fb92884698997342342d61b530774d1a2a8d7e2d8cce5fb784ca2ca96714ac64f9d165a62800e1fba5fb18502a46c0