Analysis
- max time kernel: 120s
- max time network: 129s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 24/08/2024, 14:32
Static task
static1
Behavioral task
behavioral1
Sample
becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
- Target: becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe
- Size: 2.0MB
- MD5: becbe4f5100b858411dcb51e5719529d
- SHA1: 553c284d440a34fda1cc3772c98639267002c7a4
- SHA256: 7fdaabb625a6180627b307a4f8d533c2eeceef480157c7067849cf20b09fddea
- SHA512: 93c6d25789b7c9d26e5a191569d88cefe5c02f868a6088c2d1ec6d8ddd0643372ab25affaecfa6dc5406addf228d858d92fccbf5f487d2e03d312284423fe679
- SSDEEP: 49152:LV9yIArXjY4LjAs/p98gieBhDiY6Vt9TRAia2H1:n2jDLn/p8CwXVSia2V
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\International\Geo\Nation | becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | Process
File opened for modification | \??\PhysicalDrive0 | becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe
Modifies data under HKEY_USERS 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\AeroAdmin | becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid | Process
1448 | becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1448 | becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe
Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
2076 | becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe
2076 | becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe
Suspicious use of SendNotifyMessage 2 IoCs
pid | Process
2076 | becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe
2076 | becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe
Suspicious use of WriteProcessMemory 4 IoCs
description | pid | Process | procid_target
PID 1448 wrote to memory of 2076 | 1448 | becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe | 31
PID 1448 wrote to memory of 2076 | 1448 | becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe | 31
PID 1448 wrote to memory of 2076 | 1448 | becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe | 31
PID 1448 wrote to memory of 2076 | 1448 | becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe | 31
Processes
-
- C:\Users\Admin\AppData\Local\Temp\becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2136
- C:\Users\Admin\AppData\Local\Temp\becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe" s -sid 1
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1448
  - C:\Users\Admin\AppData\Local\Temp\becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe (child of PID 1448)
    Command line: C:\Users\Admin\AppData\Local\Temp\becbe4f5100b858411dcb51e5719529d_JaffaCakes118.exe a
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2076
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
68B
MD5: aaa954b723eb50223afa71436daf15ed
SHA1: 838b1ab1aaf2ddf736bd639f75d683fbe99c7f30
SHA256: bc49dda35b98b68f76de02d357ad0486fffd5609f7c2c8b1af318df2da688e5e
SHA512: 825de193ddec9c1c483bd4789a22a3fdf192d16161b3a3b5ee2c30b08b4468a50395ab126ee05fd664bdcf9ea0c3f152015687e56b274079865c2c1af94e12b6
-
Filesize
114B
MD5: 5e69a737174f60d0e30e154675974ac8
SHA1: 2a67a203e2e7e9a25288c23d46fdd686b7f8d551
SHA256: af31d9f01458c40e1a75be01529abcf236cc7fd1783af98afc32125a131c66eb
SHA512: fe97e9724e8ed9aba112ec5ca7b444e0fb8ca5f329a63b4e57964099c367db8d1c6b192685441118e9da210cd9fde37412ceaafe1a8f776948cbc479c7b9b814
-
Filesize
657B
MD5: dc1de55ff9a76ee24f6cdbe2d28d8a37
SHA1: d044cc6a20e71c39d779a8890b2da1a26a769ed1
SHA256: 76bf7e29e288d4313c2be083b548b9f6c516dd008c37c46f1a6ce0f4632afc48
SHA512: 9eaf117fca45fdbb01345637cf10115fa6516fb04ab3bd2680ebff0e8b8268a2ac8529bba0ca80ca67f280fe4182e602a5693f84a349957bff217ff9edad9808