Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
144s -
max time network
145s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
26/08/2024, 09:03
Static task
static1
Behavioral task
behavioral1
Sample
c2ae87ddfa5a6236414d17172bb42eeb_JaffaCakes118.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
c2ae87ddfa5a6236414d17172bb42eeb_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
c2ae87ddfa5a6236414d17172bb42eeb_JaffaCakes118.exe
-
Size
728KB
-
MD5
c2ae87ddfa5a6236414d17172bb42eeb
-
SHA1
a185edaad14dcd4d95a093a62f424b0f171a6007
-
SHA256
f4eb3c7888cdefb3fc37f60769960551af31285b376281c6d9ebbdc011139cea
-
SHA512
0d1e6af9be85dc40d0bf336869b483c7e7a454b047c7aedc5b4f639e7f49246fdad55f429548e5170d628f8df9e8067f20bdd177c7187ccdd0edce2dd1b69323
-
SSDEEP
12288:lEcF8D2K53tGcAOYYsLN2Z8bbXD/meGDgGeItoEc9GspWZhASRXHYnrmO:lEc8H5fMLN2Kb7DrGlFtov9GsqRXHYrt
Malware Config
Signatures
-
Modifies Windows Firewall 2 TTPs 2 IoCs
pid Process 2488 netsh.exe 2836 netsh.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c2ae87ddfa5a6236414d17172bb42eeb_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe -
Suspicious use of WriteProcessMemory 24 IoCs
description pid Process procid_target PID 900 wrote to memory of 2348 900 c2ae87ddfa5a6236414d17172bb42eeb_JaffaCakes118.exe 30 PID 900 wrote to memory of 2348 900 c2ae87ddfa5a6236414d17172bb42eeb_JaffaCakes118.exe 30 PID 900 wrote to memory of 2348 900 c2ae87ddfa5a6236414d17172bb42eeb_JaffaCakes118.exe 30 PID 900 wrote to memory of 2348 900 c2ae87ddfa5a6236414d17172bb42eeb_JaffaCakes118.exe 30 PID 900 wrote to memory of 1520 900 c2ae87ddfa5a6236414d17172bb42eeb_JaffaCakes118.exe 32 PID 900 wrote to memory of 1520 900 c2ae87ddfa5a6236414d17172bb42eeb_JaffaCakes118.exe 32 PID 900 wrote to memory of 1520 900 c2ae87ddfa5a6236414d17172bb42eeb_JaffaCakes118.exe 32 PID 900 wrote to memory of 1520 900 c2ae87ddfa5a6236414d17172bb42eeb_JaffaCakes118.exe 32 PID 900 wrote to memory of 2568 900 c2ae87ddfa5a6236414d17172bb42eeb_JaffaCakes118.exe 34 PID 900 wrote to memory of 2568 900 c2ae87ddfa5a6236414d17172bb42eeb_JaffaCakes118.exe 34 PID 900 wrote to memory of 2568 900 c2ae87ddfa5a6236414d17172bb42eeb_JaffaCakes118.exe 34 PID 900 wrote to memory of 2568 900 c2ae87ddfa5a6236414d17172bb42eeb_JaffaCakes118.exe 34 PID 2568 wrote to memory of 2488 2568 cmd.exe 36 PID 2568 wrote to memory of 2488 2568 cmd.exe 36 PID 2568 wrote to memory of 2488 2568 cmd.exe 36 PID 2568 wrote to memory of 2488 2568 cmd.exe 36 PID 900 wrote to memory of 2808 900 c2ae87ddfa5a6236414d17172bb42eeb_JaffaCakes118.exe 37 PID 900 wrote to memory of 2808 900 c2ae87ddfa5a6236414d17172bb42eeb_JaffaCakes118.exe 37 PID 900 wrote to memory of 2808 900 c2ae87ddfa5a6236414d17172bb42eeb_JaffaCakes118.exe 37 PID 900 wrote to memory of 2808 900 c2ae87ddfa5a6236414d17172bb42eeb_JaffaCakes118.exe 37 PID 2808 wrote to memory of 2836 2808 cmd.exe 39 PID 2808 wrote to memory of 2836 2808 cmd.exe 39 PID 2808 wrote to memory of 2836 2808 cmd.exe 39 PID 2808 wrote to memory of 2836 2808 cmd.exe 39
Processes
-
C:\Users\Admin\AppData\Local\Temp\c2ae87ddfa5a6236414d17172bb42eeb_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c2ae87ddfa5a6236414d17172bb42eeb_JaffaCakes118.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:900 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir "C:\Users\Admin\AppData\Local\DirectDownloader"2⤵
- System Location Discovery: System Language Discovery
PID:2348
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C echo ifms > "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe"2⤵
- System Location Discovery: System Language Discovery
PID:1520
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe"3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2488
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe" "DirectDownloader" ENABLE2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe" "DirectDownloader" ENABLE3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2836
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
155KB
MD5e1098470152dc10fb29b3ad7b4e5f5cf
SHA1ae5a796340be8f0912d6c85f81dce21211aaaf15
SHA2563832d19f80a84069c5010266fa3cf11eee5bb1c3d1b2ba278e49519519561b8a
SHA5120ba3a53a3021be99aaf5cf8af54f214feea0f80f112a7ffb209b4c2c0539f8b8b6cd087ba7ed6501c9b79e0a9496494e471ac43f9b7f0aacf58866c01e90e7c6