Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
136s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted
23/08/2024, 21:17
Static task
static1
Behavioral task
behavioral1
Sample
bd30ec141ad6b1a53687a506a9d2c6ba_JaffaCakes118.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
bd30ec141ad6b1a53687a506a9d2c6ba_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
bd30ec141ad6b1a53687a506a9d2c6ba_JaffaCakes118.exe
-
Size
288KB
-
MD5
bd30ec141ad6b1a53687a506a9d2c6ba
-
SHA1
5f208c4a9bf24afc04cd16f9bde551f8c3e263cf
-
SHA256
b50a1691c0ad8fb66892fe2d3ff8702f02c874b2b1df6445dc4d0eef4dbf95f7
-
SHA512
75428ecaa22c0d995991230355a34a06da2a6c6cb2e984241d81e4507c9069ecb0542c7a7441fa5ba857353a6c747c63f99c484887d43a9fc93441287238169d
-
SSDEEP
6144:wKjBzsuDVxMf3lyUqqLSwAohoRa3wu5z469o0/ZXbYslo:RNsGVwz9A3RXh011lo
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid   Process
2772  cmd.exe
Executes dropped EXE 1 IoCs
pid   Process
900   keit.exe
Loads dropped DLL 2 IoCs
pid   Process
1292  bd30ec141ad6b1a53687a506a9d2c6ba_JaffaCakes118.exe
1292  bd30ec141ad6b1a53687a506a9d2c6ba_JaffaCakes118.exe
Adds Run key to start application 2 TTPs 1 IoCs
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\{09E0E5E8-6808-AD4F-43B0-714965AC5254} = "C:\\Users\\Admin\\AppData\\Roaming\\Isawcu\\keit.exe"
Process: keit.exe
Suspicious use of SetThreadContext 1 IoCs
description                           pid   Process                                               procid_target
PID 1292 set thread context of 2772   1292  bd30ec141ad6b1a53687a506a9d2c6ba_JaffaCakes118.exe   30
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description   ioc                                                            Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    bd30ec141ad6b1a53687a506a9d2c6ba_JaffaCakes118.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    cmd.exe
Modifies Internet Explorer settings 2 IoCs
description: Key created
ioc: \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Privacy
Process: bd30ec141ad6b1a53687a506a9d2c6ba_JaffaCakes118.exe
description: Set value (int)
ioc: \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"
Process: bd30ec141ad6b1a53687a506a9d2c6ba_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses 31 IoCs
pid   Process
900   keit.exe   (31 identical entries)
Suspicious use of AdjustPrivilegeToken 3 IoCs
description                  pid   Process
Token: SeSecurityPrivilege   1292  bd30ec141ad6b1a53687a506a9d2c6ba_JaffaCakes118.exe   (3 identical entries)
Suspicious use of UnmapMainImage 2 IoCs
pid   Process
1292  bd30ec141ad6b1a53687a506a9d2c6ba_JaffaCakes118.exe
900   keit.exe
Suspicious use of WriteProcessMemory 38 IoCs
Identical entries are collapsed; the count column gives the number of times each row appears in the report (4+5+5+5+5+5+9 = 38).
description                        pid   Process                                               procid_target   count
PID 1292 wrote to memory of 900    1292  bd30ec141ad6b1a53687a506a9d2c6ba_JaffaCakes118.exe   29              4
PID 900 wrote to memory of 1112    900   keit.exe                                              18              5
PID 900 wrote to memory of 1180    900   keit.exe                                              19              5
PID 900 wrote to memory of 1208    900   keit.exe                                              20              5
PID 900 wrote to memory of 1688    900   keit.exe                                              24              5
PID 900 wrote to memory of 1292    900   keit.exe                                              28              5
PID 1292 wrote to memory of 2772   1292  bd30ec141ad6b1a53687a506a9d2c6ba_JaffaCakes118.exe   30              9
Processes
- C:\Windows\system32\taskhost.exe
  Command line: "taskhost.exe"
  Depth: 1  PID: 1112
- C:\Windows\system32\Dwm.exe
  Command line: "C:\Windows\system32\Dwm.exe"
  Depth: 1  PID: 1180
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  Depth: 1  PID: 1208
  - C:\Users\Admin\AppData\Local\Temp\bd30ec141ad6b1a53687a506a9d2c6ba_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\bd30ec141ad6b1a53687a506a9d2c6ba_JaffaCakes118.exe"
    Depth: 2  PID: 1292
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Isawcu\keit.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Isawcu\keit.exe"
      Depth: 3  PID: 900
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of UnmapMainImage
      - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp6fef8c6d.bat"
      Depth: 3  PID: 2772
      - Deletes itself
      - System Location Discovery: System Language Discovery
- C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  Depth: 1  PID: 1688
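The "wrote to memory of" and "set thread context of" rows above, read together with the process tree, separate two distinct behaviours: the sample writes into cmd.exe, a child it spawned, and then resets that child's thread context, while keit.exe writes into taskhost.exe, Dwm.exe, Explorer.EXE and DllHost.exe, none of which it spawned. The following is an added example in Python, not part of the Triage report or its tooling, that parses the flattened IoC strings, uses parent/child relationships reconstructed from the process tree, and buckets each write as a hollowing pattern (WriteProcessMemory plus SetThreadContext on a child), an injection into a foreign process, or a plain write to a child. It also checks the persistence row for a GUID-named Run value pointing under the roaming profile. The event strings, PID map and parent map are constructed from the report above, with the long sample filename abbreviated to sample.exe.

```python
"""Added example: triage helpers for the flattened Triage IoC rows above.
Not Triage tooling; all inputs are constructed from the report on this page."""
import re
from collections import Counter

# Constructed excerpt of the 'Suspicious use of WriteProcessMemory' row, in the
# flattened "PID <src> wrote to memory of <dst> <src> <image> <procid_target>"
# form the page shows. The sample filename is abbreviated to sample.exe.
WPM_LINE = (
    "PID 1292 wrote to memory of 900 1292 sample.exe 29 "
    "PID 1292 wrote to memory of 900 1292 sample.exe 29 "
    "PID 900 wrote to memory of 1112 900 keit.exe 18 "
    "PID 900 wrote to memory of 1208 900 keit.exe 20 "
    "PID 900 wrote to memory of 1292 900 keit.exe 28 "
    "PID 1292 wrote to memory of 2772 1292 sample.exe 30 "
    "PID 1292 wrote to memory of 2772 1292 sample.exe 30"
)
# Constructed from the 'Suspicious use of SetThreadContext' row.
STC_LINE = "PID 1292 set thread context of 2772 1292 sample.exe 30"

# Parent PIDs reconstructed from the process tree on the page (constructed here):
# Explorer.EXE (1208) -> sample (1292) -> keit.exe (900), cmd.exe (2772).
PARENT = {1292: 1208, 900: 1292, 2772: 1292}
IMAGE = {1112: "taskhost.exe", 1180: "Dwm.exe", 1208: "Explorer.EXE",
         1688: "DllHost.exe", 1292: "sample.exe", 900: "keit.exe", 2772: "cmd.exe"}

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ \S+ \d+")
STC_RE = re.compile(r"PID (\d+) set thread context of (\d+) \d+ \S+ \d+")


def parse_pairs(line, pattern):
    """Count (source_pid, target_pid) pairs in one flattened IoC row."""
    return Counter((int(s), int(t)) for s, t in pattern.findall(line))


def classify_writes(wpm, stc, parent):
    """Bucket cross-process writes:
    hollowing   - writer spawned the target and also reset its thread context
                  (WriteProcessMemory + SetThreadContext on the same PID)
    injection   - writer did not spawn the target (e.g. into Explorer/taskhost/Dwm)
    child_write - writer spawned the target but no thread-context change was seen
    """
    buckets = {"hollowing": [], "injection": [], "child_write": []}
    for src, dst in wpm:
        if src == dst:
            continue
        if parent.get(dst) != src:
            buckets["injection"].append((src, dst))
        elif (src, dst) in stc:
            buckets["hollowing"].append((src, dst))
        else:
            buckets["child_write"].append((src, dst))
    return {k: sorted(v) for k, v in buckets.items()}


def describe(buckets, image):
    """Render the buckets as readable lines using the PID -> image map."""
    out = []
    for kind, pairs in buckets.items():
        for src, dst in pairs:
            out.append(f"{kind}: {image.get(src, src)} ({src}) -> {image.get(dst, dst)} ({dst})")
    return out


# Persistence row: a Run value whose name is a bare GUID and whose data points
# under the user's roaming profile, as in the report above.
RUN_VALUE_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\\{"
    r"[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$"
)


def suspicious_run_value(key_path, data):
    """True when the Run value name is a GUID and its target lives under AppData\\Roaming."""
    if not RUN_VALUE_RE.search(key_path):
        return False
    # The report doubles backslashes inside the quoted data; normalise before matching.
    return "\\appdata\\roaming\\" in data.replace("\\\\", "\\").lower()


if __name__ == "__main__":
    wpm = parse_pairs(WPM_LINE, WPM_RE)
    stc = parse_pairs(STC_LINE, STC_RE)
    for line in describe(classify_writes(wpm, stc, PARENT), IMAGE):
        print(line)
    key = (r"\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000"
           r"\Software\Microsoft\Windows\CurrentVersion\Run\{09E0E5E8-6808-AD4F-43B0-714965AC5254}")
    print("suspicious Run value:",
          suspicious_run_value(key, r"C:\\Users\\Admin\\AppData\\Roaming\\Isawcu\\keit.exe"))
```

The parent map is the piece a sandbox report gives you that raw API logs often do not: without it, the write from the sample into its own child (cmd.exe) and keit.exe's writes into Explorer look the same. Feeding real EDR telemetry through the same two functions only needs the parent map built from process-creation events instead of being hand-written.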
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 271B
MD5: b27fa2711ef3a7aef503e95f842e8518
SHA1: 00efc8037d40245d7ac38e5e677045edd06e15af
SHA256: 843837f1dcf0ecd610d68800d49fc31283f1d4d0cc339d9da19af032e8e684e2
SHA512: 157013cf5b201df893a7d009ef928e96bf56c1eb46752c5443cec2a74e9ec8756a277a803b94b94fa65fe1cf3b90f5cea857fc7e20c9e29dfc2a289c3aa13bb3
-
Filesize: 380B
MD5: c4881313d2a4ed2a57e049139045db2c
SHA1: 97bcada1e363d38eed639b7032f74c1053b921da
SHA256: 9f861ef24ef8198257290ee58ff5eabfeb158a647f19c16945627e57938bf69e
SHA512: 9ad7c7e657a063b7ad8f4caa6c0f32b42b19fcc85635db48232432b94cec8be5f802bc0614239732fd05f21e504135b19f5693b8f073b161aece214c897ab4a1
-
Filesize: 288KB
MD5: b69760c890757518647dd15a71a307a6
SHA1: 79e9e17195004a381685ab35b2853c9a0467ed62
SHA256: 1e6a68a64404cc959b3c64bc51989d10388add877571b43dde67a6f9e100f1b5
SHA512: 75f0a2d6b4dc7db2f77768e9daecf9a8f4865cbc5d8eba40c6c5641ca466e1f357b679034d89dc1170fd5048eb951f62b89b55af698eeb0061d7921527e2b60c