Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
144s -
max time network
145s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
29/08/2024, 17:03
Static task
static1
Behavioral task
behavioral1
Sample
c93f5d0f19caaccf3d1450ea21b5a723_JaffaCakes118.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
c93f5d0f19caaccf3d1450ea21b5a723_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
c93f5d0f19caaccf3d1450ea21b5a723_JaffaCakes118.exe
-
Size
728KB
-
MD5
c93f5d0f19caaccf3d1450ea21b5a723
-
SHA1
3b884f7eacbaedbe82bc9eb6ad906fe849bccced
-
SHA256
1d05504995ed7193b9998fba7a28d961f5709ba8a202b2fd78008edff672ac90
-
SHA512
e8c9d321a7d04a1f28d349dc673c3123f35662746c2dc00ca2975fea9e4e55b3809615e072959c5bf3eb36fa6301adab4a9234a967bdc68263a66c3989250f04
-
SSDEEP
12288:lEcF8D2K53tGcAOYYsLN2Z8bbX3/meGDgGeItoEc9GspWZhASRXHYnrm1:lEc8H5fMLN2Kb73rGlFtov9GsqRXHYr2
Malware Config
Signatures
-
Modifies Windows Firewall 2 TTPs 2 IoCs
pid Process 2080 netsh.exe 2732 netsh.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c93f5d0f19caaccf3d1450ea21b5a723_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Suspicious use of WriteProcessMemory 24 IoCs
description pid Process procid_target PID 2044 wrote to memory of 1728 2044 c93f5d0f19caaccf3d1450ea21b5a723_JaffaCakes118.exe 30 PID 2044 wrote to memory of 1728 2044 c93f5d0f19caaccf3d1450ea21b5a723_JaffaCakes118.exe 30 PID 2044 wrote to memory of 1728 2044 c93f5d0f19caaccf3d1450ea21b5a723_JaffaCakes118.exe 30 PID 2044 wrote to memory of 1728 2044 c93f5d0f19caaccf3d1450ea21b5a723_JaffaCakes118.exe 30 PID 2044 wrote to memory of 2516 2044 c93f5d0f19caaccf3d1450ea21b5a723_JaffaCakes118.exe 32 PID 2044 wrote to memory of 2516 2044 c93f5d0f19caaccf3d1450ea21b5a723_JaffaCakes118.exe 32 PID 2044 wrote to memory of 2516 2044 c93f5d0f19caaccf3d1450ea21b5a723_JaffaCakes118.exe 32 PID 2044 wrote to memory of 2516 2044 c93f5d0f19caaccf3d1450ea21b5a723_JaffaCakes118.exe 32 PID 2044 wrote to memory of 1872 2044 c93f5d0f19caaccf3d1450ea21b5a723_JaffaCakes118.exe 34 PID 2044 wrote to memory of 1872 2044 c93f5d0f19caaccf3d1450ea21b5a723_JaffaCakes118.exe 34 PID 2044 wrote to memory of 1872 2044 c93f5d0f19caaccf3d1450ea21b5a723_JaffaCakes118.exe 34 PID 2044 wrote to memory of 1872 2044 c93f5d0f19caaccf3d1450ea21b5a723_JaffaCakes118.exe 34 PID 1872 wrote to memory of 2080 1872 cmd.exe 36 PID 1872 wrote to memory of 2080 1872 cmd.exe 36 PID 1872 wrote to memory of 2080 1872 cmd.exe 36 PID 1872 wrote to memory of 2080 1872 cmd.exe 36 PID 2044 wrote to memory of 2204 2044 c93f5d0f19caaccf3d1450ea21b5a723_JaffaCakes118.exe 37 PID 2044 wrote to memory of 2204 2044 c93f5d0f19caaccf3d1450ea21b5a723_JaffaCakes118.exe 37 PID 2044 wrote to memory of 2204 2044 c93f5d0f19caaccf3d1450ea21b5a723_JaffaCakes118.exe 37 PID 2044 wrote to memory of 2204 2044 c93f5d0f19caaccf3d1450ea21b5a723_JaffaCakes118.exe 37 PID 2204 wrote to memory of 2732 2204 cmd.exe 39 PID 2204 wrote to memory of 2732 2204 cmd.exe 39 PID 2204 wrote to memory of 2732 2204 cmd.exe 39 PID 2204 wrote to memory of 2732 2204 cmd.exe 39
Processes
-
C:\Users\Admin\AppData\Local\Temp\c93f5d0f19caaccf3d1450ea21b5a723_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c93f5d0f19caaccf3d1450ea21b5a723_JaffaCakes118.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir "C:\Users\Admin\AppData\Local\DirectDownloader"2⤵
- System Location Discovery: System Language Discovery
PID:1728
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C echo ifms > "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe"2⤵
- System Location Discovery: System Language Discovery
PID:2516
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1872 -
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe"3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2080
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe" "DirectDownloader" ENABLE2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe" "DirectDownloader" ENABLE3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2732
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
249KB
MD5314d18e3f2e3052a4d232992ad89c32e
SHA1d30bbb99cb2cff88138776cef1c896e99dfc984d
SHA256a71031ac4729ed41b345e633b29ce7115c0e1ab3da5203c6e42753105d7c0171
SHA512d1267f14fca001fd49628d536440a5900312dc0e739321fe9ff9c17c6b87cc45d654ee54e095c08dc7ed8f70c2c2d12fc919656ac0324c35c3e0f70a5c90926b