Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 14s
- max time network: 19s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 25/08/2024, 21:42
Static task: static1
Behavioral task: behavioral1
Sample: c1a5c08e27d93713802cb00235447a17_JaffaCakes118.exe
Resource: win7-20240704-en
General
- Target: c1a5c08e27d93713802cb00235447a17_JaffaCakes118.exe
- Size: 812KB
- MD5: c1a5c08e27d93713802cb00235447a17
- SHA1: fd070786781da66f67b8eece92eecbfbcd04fcf3
- SHA256: 92600d35bf740272d948d67cf595ac7fdc1da5fcd4b80cc39f64871c57fb2488
- SHA512: 35555685d0290dd10d4881443f6216314465a20798761e644cb66e5cffb69dbb91030ebc54093ab8aeb10e96a8ea12381734c5f4825ebc37cc82e38a538e9c0d
- SSDEEP: 12288:6QoutGe7ZVVT7ZD3wUdm7dv88vUcYgTJwri42gmm4QB3wCbt+qQ1wqK3Xd8:6FutG2VT9T7m5v88vUWGrgmOCbtREY
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid   Process
  3056  ntapli.exe
  2808  ntapli.exe
- Identifies Wine through registry keys (2 TTPs, 2 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  description  ioc                                                                               Process
  Key opened   \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine       ntapli.exe
  Key opened   \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine       ntapli.exe
- Loads dropped DLL (4 IoCs)
  pid   Process
  2056  c1a5c08e27d93713802cb00235447a17_JaffaCakes118.exe
  2056  c1a5c08e27d93713802cb00235447a17_JaffaCakes118.exe
  3056  ntapli.exe
  3056  ntapli.exe
- Drops file in System32 directory (3 IoCs)
  description   ioc                                   Process
  File created  C:\Windows\SysWOW64\ntapli.exe        c1a5c08e27d93713802cb00235447a17_JaffaCakes118.exe
  File created  C:\Windows\SysWOW64\ntaplidrv.sys     c1a5c08e27d93713802cb00235447a17_JaffaCakes118.exe
  File created  C:\Windows\SysWOW64\ntaplisdrv.sys    c1a5c08e27d93713802cb00235447a17_JaffaCakes118.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid   Process
  3056  ntapli.exe
  2808  ntapli.exe
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                              Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      c1a5c08e27d93713802cb00235447a17_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      ntapli.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      ntapli.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  3056  ntapli.exe
  2808  ntapli.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  2056  c1a5c08e27d93713802cb00235447a17_JaffaCakes118.exe
  2056  c1a5c08e27d93713802cb00235447a17_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                          pid   Process                                              procid_target
  PID 2056 wrote to memory of 3056     2056  c1a5c08e27d93713802cb00235447a17_JaffaCakes118.exe  29
  PID 2056 wrote to memory of 3056     2056  c1a5c08e27d93713802cb00235447a17_JaffaCakes118.exe  29
  PID 2056 wrote to memory of 3056     2056  c1a5c08e27d93713802cb00235447a17_JaffaCakes118.exe  29
  PID 2056 wrote to memory of 3056     2056  c1a5c08e27d93713802cb00235447a17_JaffaCakes118.exe  29
  PID 3056 wrote to memory of 2808     3056  ntapli.exe                                           31
  PID 3056 wrote to memory of 2808     3056  ntapli.exe                                           31
  PID 3056 wrote to memory of 2808     3056  ntapli.exe                                           31
  PID 3056 wrote to memory of 2808     3056  ntapli.exe                                           31
Processes
- C:\Users\Admin\AppData\Local\Temp\c1a5c08e27d93713802cb00235447a17_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c1a5c08e27d93713802cb00235447a17_JaffaCakes118.exe"
  PID: 2056
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\ntapli.exe
    Command line: C:\Windows\system32\ntapli.exe
    PID: 3056
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\ntapli.exe
      Command line: -i
      PID: 2808
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 764KB
  MD5: 0cab912734c24625aed9a0b1c04a126f
  SHA1: 271f4872c6ca96383b2fefc3d5682ddb178aacb1
  SHA256: 08463cba39af53896bb059a864bcab32b3389b50943e1503809b15d2b8e7d8e1
  SHA512: eea24743e60aea3758e9ea77076cb18c39e87db4f8cf5e0359979e68878a4518754efff58214b794ed4015b460e16f305e33dbe0bc77b256ceddcc4dfffac327