Analysis
max time kernel: 148s
max time network: 18s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system
submitted: 23/08/2024, 15:48
Static task: static1
Behavioral task: behavioral1
  Sample: bc5ed93a16efb2f651e1f11ca5f63af6_JaffaCakes118.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: bc5ed93a16efb2f651e1f11ca5f63af6_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: bc5ed93a16efb2f651e1f11ca5f63af6_JaffaCakes118.exe
Size: 420KB
MD5: bc5ed93a16efb2f651e1f11ca5f63af6
SHA1: 6dd5f69073ddb90f5bd31513c9246416ee15e51f
SHA256: 178932bd601a343e4d336ddfd0543baece4becc7b35869fe2ae7431243724758
SHA512: 29b8ae7b825ee3e0e9270f1cede229d5a1ee3b9338b7d53687b8e98c566a041a8a63d1c3005a302678e7605216c619e44e877d31c0a5a5da588f7d23165e3ead
SSDEEP: 6144:J/0uoMI62w243WiGOeriNeAHS6ODHmAu2thUz00acEzcnWIXMbx9VWcFHk:JJ73WZmNfy6ODGTaUg/AWIXs5WoE
Malware Config
Signatures
Executes dropped EXE (5 IoCs)
pid | Process
2236 | ENJOY-~1.EXE
2728 | enjoy-soft1.exe
2528 | ENJOY-~1.EXE
2860 | Setup.exe
2516 | Utility Mang.exe

Loads dropped DLL (10 IoCs)
pid | Process
3036 | bc5ed93a16efb2f651e1f11ca5f63af6_JaffaCakes118.exe
2236 | ENJOY-~1.EXE
2236 | ENJOY-~1.EXE
2728 | enjoy-soft1.exe
3036 | bc5ed93a16efb2f651e1f11ca5f63af6_JaffaCakes118.exe
2528 | ENJOY-~1.EXE
2728 | enjoy-soft1.exe
2860 | Setup.exe
2860 | Setup.exe
2860 | Setup.exe

resource | yara_rule
behavioral1/files/0x00080000000195f7-2.dat | upx
behavioral1/memory/2236-7-0x0000000000400000-0x0000000000426000-memory.dmp | upx
behavioral1/memory/2236-10-0x0000000000240000-0x0000000000266000-memory.dmp | upx
behavioral1/memory/2236-21-0x0000000000400000-0x0000000000426000-memory.dmp | upx
behavioral1/memory/2528-54-0x0000000000400000-0x0000000000426000-memory.dmp | upx
Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | bc5ed93a16efb2f651e1f11ca5f63af6_JaffaCakes118.exe

Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\Uer.BAT | Setup.exe
File created | C:\Windows\Utility Mang.exe | Setup.exe
File opened for modification | C:\Windows\Utility Mang.exe | Setup.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bc5ed93a16efb2f651e1f11ca5f63af6_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ENJOY-~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | enjoy-soft1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ENJOY-~1.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Setup.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Utility Mang.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Modifies data under HKEY_USERS (9 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control | Utility Mang.exe
Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties | Utility Mang.exe
Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick | Utility Mang.exe
Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm | Utility Mang.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm\wheel = "1" | Utility Mang.exe
Key created | \REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm | Utility Mang.exe
Key created | \REGISTRY\USER\.DEFAULT\System | Utility Mang.exe
Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet | Utility Mang.exe
Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties | Utility Mang.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
pid | Process
2516 | Utility Mang.exe

Suspicious use of WriteProcessMemory (39 IoCs)
description | pid | Process | procid_target
PID 3036 wrote to memory of 2236 | 3036 | bc5ed93a16efb2f651e1f11ca5f63af6_JaffaCakes118.exe | 30
PID 3036 wrote to memory of 2236 | 3036 | bc5ed93a16efb2f651e1f11ca5f63af6_JaffaCakes118.exe | 30
PID 3036 wrote to memory of 2236 | 3036 | bc5ed93a16efb2f651e1f11ca5f63af6_JaffaCakes118.exe | 30
PID 3036 wrote to memory of 2236 | 3036 | bc5ed93a16efb2f651e1f11ca5f63af6_JaffaCakes118.exe | 30
PID 3036 wrote to memory of 2236 | 3036 | bc5ed93a16efb2f651e1f11ca5f63af6_JaffaCakes118.exe | 30
PID 3036 wrote to memory of 2236 | 3036 | bc5ed93a16efb2f651e1f11ca5f63af6_JaffaCakes118.exe | 30
PID 3036 wrote to memory of 2236 | 3036 | bc5ed93a16efb2f651e1f11ca5f63af6_JaffaCakes118.exe | 30
PID 2236 wrote to memory of 2728 | 2236 | ENJOY-~1.EXE | 31
PID 2236 wrote to memory of 2728 | 2236 | ENJOY-~1.EXE | 31
PID 2236 wrote to memory of 2728 | 2236 | ENJOY-~1.EXE | 31
PID 2236 wrote to memory of 2728 | 2236 | ENJOY-~1.EXE | 31
PID 2236 wrote to memory of 2728 | 2236 | ENJOY-~1.EXE | 31
PID 2236 wrote to memory of 2728 | 2236 | ENJOY-~1.EXE | 31
PID 2236 wrote to memory of 2728 | 2236 | ENJOY-~1.EXE | 31
PID 3036 wrote to memory of 2528 | 3036 | bc5ed93a16efb2f651e1f11ca5f63af6_JaffaCakes118.exe | 32
PID 3036 wrote to memory of 2528 | 3036 | bc5ed93a16efb2f651e1f11ca5f63af6_JaffaCakes118.exe | 32
PID 3036 wrote to memory of 2528 | 3036 | bc5ed93a16efb2f651e1f11ca5f63af6_JaffaCakes118.exe | 32
PID 3036 wrote to memory of 2528 | 3036 | bc5ed93a16efb2f651e1f11ca5f63af6_JaffaCakes118.exe | 32
PID 3036 wrote to memory of 2528 | 3036 | bc5ed93a16efb2f651e1f11ca5f63af6_JaffaCakes118.exe | 32
PID 3036 wrote to memory of 2528 | 3036 | bc5ed93a16efb2f651e1f11ca5f63af6_JaffaCakes118.exe | 32
PID 3036 wrote to memory of 2528 | 3036 | bc5ed93a16efb2f651e1f11ca5f63af6_JaffaCakes118.exe | 32
PID 2728 wrote to memory of 2860 | 2728 | enjoy-soft1.exe | 33
PID 2728 wrote to memory of 2860 | 2728 | enjoy-soft1.exe | 33
PID 2728 wrote to memory of 2860 | 2728 | enjoy-soft1.exe | 33
PID 2728 wrote to memory of 2860 | 2728 | enjoy-soft1.exe | 33
PID 2728 wrote to memory of 2860 | 2728 | enjoy-soft1.exe | 33
PID 2728 wrote to memory of 2860 | 2728 | enjoy-soft1.exe | 33
PID 2728 wrote to memory of 2860 | 2728 | enjoy-soft1.exe | 33
PID 2516 wrote to memory of 2588 | 2516 | Utility Mang.exe | 35
PID 2516 wrote to memory of 2588 | 2516 | Utility Mang.exe | 35
PID 2516 wrote to memory of 2588 | 2516 | Utility Mang.exe | 35
PID 2516 wrote to memory of 2588 | 2516 | Utility Mang.exe | 35
PID 2860 wrote to memory of 2568 | 2860 | Setup.exe | 36
PID 2860 wrote to memory of 2568 | 2860 | Setup.exe | 36
PID 2860 wrote to memory of 2568 | 2860 | Setup.exe | 36
PID 2860 wrote to memory of 2568 | 2860 | Setup.exe | 36
PID 2860 wrote to memory of 2568 | 2860 | Setup.exe | 36
PID 2860 wrote to memory of 2568 | 2860 | Setup.exe | 36
PID 2860 wrote to memory of 2568 | 2860 | Setup.exe | 36
Processes
C:\Users\Admin\AppData\Local\Temp\bc5ed93a16efb2f651e1f11ca5f63af6_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bc5ed93a16efb2f651e1f11ca5f63af6_JaffaCakes118.exe"
  PID: 3036
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ENJOY-~1.EXE
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ENJOY-~1.EXE
      PID: 2236
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\enjoy-soft1.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\enjoy-soft1.exe"
          PID: 2728
          - Executes dropped EXE
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Local\Temp\Setup.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
              PID: 2860
              - Executes dropped EXE
              - Loads dropped DLL
              - Drops file in Windows directory
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory

                C:\Windows\SysWOW64\cmd.exe
                  Command line: cmd /c C:\Windows\Uer.BAT
                  PID: 2568
                  - System Location Discovery: System Language Discovery

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ENJOY-~1.EXE
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ENJOY-~1.EXE
      PID: 2528
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery

C:\Windows\Utility Mang.exe
  Command line: "C:\Windows\Utility Mang.exe"
  PID: 2516
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

    C:\Program Files\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
      PID: 2588
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 132B
MD5: aaf8434df1f8c6c6ed749ab01d1c22c6
SHA1: fa41fb89750fdeb128237140bcf4a0b8752f05ea
SHA256: be4ea232c5a9877e3c943a4738b18a8a4ec605a9a0562c00e89967f451769a0b
SHA512: bba9f6c1f4a63fcc756a05fa5ab900b28fa16ea7a7fd7342333073bcbcb1d9d36f2705a3d8a0b2b0c5d9466804ab7c0e1451d1c092b7acfd424d0ab6cc3266cd

Filesize: 366KB
MD5: a22dfb0055131ddaf228e3d0a35948fd
SHA1: 8097dbb30cf73bc88146882a3a77d9e7fec0b93b
SHA256: f487ccc4f8c3d1ca61421ee17e4bbcbe6a6fa562640595162029fc1e15404177
SHA512: e7502c82c81c519eff1c8b0a31d819c9f4de2d96bb240f8b79a2a043b380428542522164afb7b270e04f07c28fe96334ff10925197e51414768d3237b79ee82d

Filesize: 603KB
MD5: e34bb36cd573d0b8f6600fa74d55319b
SHA1: 3ca8b1f5f68bb05367af57efad823e01d163c599
SHA256: 2d015636a64b4fb5545577da672d055376239db5c2d9d79bcbf4cd1b60972dae
SHA512: 32df80f123ed79753a9a096333017069277d08cf6800082a23b3afd0f7c0e8136ce417a821e793e5b7d41897cfcc092037f1fd9f08a4629409d483a960d2b823

Filesize: 355KB
MD5: 2cd5631e374dfaa51252bcc2d39a514d
SHA1: cb5bdf1b92f48ad9c1401550b76293d750f23fc4
SHA256: bdad534481f11ec5384e28993d8080b7f8152347e723056354e9d2622424aa7c
SHA512: 91ff61d83d8e1b8475f87d2d7565a23bd1b03904959311f112eec17cd23b5174f4320f66cc2d364a0146f1c78df0443834619b2cb0a95fc941cceb1566807964