Analysis
- Max time kernel: 142s
- Max time network: 136s
- Platform: windows7_x64
- Resource: win7-20240708-en
- Resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- Submitted: 23/08/2024, 14:06
Static task
- static1

Behavioral task
- behavioral1
  Sample: bc09c8325517a809072176f316dbd336_JaffaCakes118.exe
  Resource: win7-20240708-en

Behavioral task
- behavioral2
  Sample: bc09c8325517a809072176f316dbd336_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
- Target: bc09c8325517a809072176f316dbd336_JaffaCakes118.exe
- Size: 640KB
- MD5: bc09c8325517a809072176f316dbd336
- SHA1: 293778a6d8c7db68a2126ae65b6f1eceb256dbb4
- SHA256: 2760246c8a82a2d16b331f2806510d0890bc2a2a6edef60f611c0cb24d73c0c5
- SHA512: e3e888c387614e0424b4b9598d581e2275d2be530a4d1c533f7f245aa481f5721cd2daf91bc73528558baff1aeda45f6cb1f872fac4d8a8a38f068f87d969093
- SSDEEP: 12288:l41n276gRMKWto+KJSiJErrQ7GPncF3Z4mxx+wy/Lx8cNJAxE3:l41ng6gRMKyo5jEr07QcQmX+wILCWJf
Malware Config
Signatures
- Deletes itself (1 IoC)
  PID 2804: cmd.exe
- Executes dropped EXE (1 IoC)
  PID 2644: systui.exe
- Drops file in Windows directory (3 IoCs)
  File created: C:\Windows\systui.exe (process: bc09c8325517a809072176f316dbd336_JaffaCakes118.exe)
  File opened for modification: C:\Windows\systui.exe (process: bc09c8325517a809072176f316dbd336_JaffaCakes118.exe)
  File created: C:\Windows\DELME.BAT (process: bc09c8325517a809072176f316dbd336_JaffaCakes118.exe)
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: bc09c8325517a809072176f316dbd336_JaffaCakes118.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: systui.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cmd.exe)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 2668, bc09c8325517a809072176f316dbd336_JaffaCakes118.exe
  Token: SeDebugPrivilege, PID 2644, systui.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  PID 2644: systui.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2644 (systui.exe) wrote to memory of PID 2840, target procid 32 (4 events)
  PID 2668 (bc09c8325517a809072176f316dbd336_JaffaCakes118.exe) wrote to memory of PID 2804, target procid 33 (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\bc09c8325517a809072176f316dbd336_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bc09c8325517a809072176f316dbd336_JaffaCakes118.exe"
  PID: 2668
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (child)
    Command line: cmd /c C:\Windows\DELME.BAT
    PID: 2804
    - Deletes itself
    - System Location Discovery: System Language Discovery
- C:\Windows\systui.exe
  Command line: C:\Windows\systui.exe
  PID: 2644
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Internet Explorer\IEXPLORE.EXE (child)
    Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
    PID: 2840
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 218B
  MD5: 61251a9a0920a334d6350c2f5a0c6b1a
  SHA1: a0e152bf9bac5bd80f4ff0c1375d7b5073ca732b
  SHA256: c260af20b0cf55c6d6c61a4987680a577d6c1496a2a84f45ac094d57993461b1
  SHA512: 7bea744e1d44fa3e0e2909ea9ee5001ddc33fe427750ce6ee807c3f2f7f75211b5d02f5f36a334a88dde5f02b76f973c73e3d3f22aa1f51ff56f8921f95e671b
- Filesize: 640KB
  MD5: bc09c8325517a809072176f316dbd336
  SHA1: 293778a6d8c7db68a2126ae65b6f1eceb256dbb4
  SHA256: 2760246c8a82a2d16b331f2806510d0890bc2a2a6edef60f611c0cb24d73c0c5
  SHA512: e3e888c387614e0424b4b9598d581e2275d2be530a4d1c533f7f245aa481f5721cd2daf91bc73528558baff1aeda45f6cb1f872fac4d8a8a38f068f87d969093