Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
140s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
06/09/2024, 22:13
Static task
static1
Behavioral task
behavioral1
Sample
d08d38f7c1f0b8274d2df4d6005c9cd7_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
d08d38f7c1f0b8274d2df4d6005c9cd7_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
d08d38f7c1f0b8274d2df4d6005c9cd7_JaffaCakes118.exe
-
Size
285KB
-
MD5
d08d38f7c1f0b8274d2df4d6005c9cd7
-
SHA1
976f3b6b6fef5fdd82cbc9c10c743b310196000d
-
SHA256
ca08ebe87319833c7ea87b1618c7e6c11a8c701b0f14256d618c116ee83d90a7
-
SHA512
c3954f197603bf21e886a1b53be7249c3c5f24464172a0f3c842721b1db628fd276ab1e22d3d1819a3f1d5cc36371c8b9a7e58581867636538597cbe88ac0336
-
SSDEEP
6144:q31JYTtoMLh+3p26R+7O1ysus4rGLZDPb9fU2Zum:2wcp2WuvyZDPxfU2ZZ
Malware Config
Signatures
-
Modifies security service 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3" d08d38f7c1f0b8274d2df4d6005c9cd7_JaffaCakes118.exe -
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Disables taskbar notifications via registry modification
-
Executes dropped EXE 1 IoCs
pid Process 2176 868E.tmp -
Loads dropped DLL 2 IoCs
pid Process 2268 d08d38f7c1f0b8274d2df4d6005c9cd7_JaffaCakes118.exe 2268 d08d38f7c1f0b8274d2df4d6005c9cd7_JaffaCakes118.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/memory/2268-2-0x0000000000400000-0x000000000046B000-memory.dmp upx behavioral1/memory/2268-11-0x0000000000400000-0x000000000046B000-memory.dmp upx behavioral1/memory/896-15-0x0000000000400000-0x000000000046B000-memory.dmp upx behavioral1/memory/2268-14-0x0000000000400000-0x0000000000468000-memory.dmp upx behavioral1/memory/896-16-0x0000000000400000-0x000000000046B000-memory.dmp upx behavioral1/memory/2268-120-0x0000000000400000-0x000000000046B000-memory.dmp upx behavioral1/memory/568-122-0x0000000000400000-0x000000000046B000-memory.dmp upx behavioral1/memory/2268-305-0x0000000000400000-0x000000000046B000-memory.dmp upx behavioral1/memory/2268-309-0x0000000000400000-0x000000000046B000-memory.dmp upx -
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\95C.exe = "C:\\Program Files (x86)\\LP\\1A34\\95C.exe" d08d38f7c1f0b8274d2df4d6005c9cd7_JaffaCakes118.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 3 IoCs
description ioc Process File created C:\Program Files (x86)\LP\1A34\95C.exe d08d38f7c1f0b8274d2df4d6005c9cd7_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\LP\1A34\95C.exe d08d38f7c1f0b8274d2df4d6005c9cd7_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\LP\1A34\868E.tmp d08d38f7c1f0b8274d2df4d6005c9cd7_JaffaCakes118.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d08d38f7c1f0b8274d2df4d6005c9cd7_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 868E.tmp -
Modifies registry class 5 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_Classes\Local Settings explorer.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid Process 2268 d08d38f7c1f0b8274d2df4d6005c9cd7_JaffaCakes118.exe 2268 d08d38f7c1f0b8274d2df4d6005c9cd7_JaffaCakes118.exe 2268 d08d38f7c1f0b8274d2df4d6005c9cd7_JaffaCakes118.exe 2268 d08d38f7c1f0b8274d2df4d6005c9cd7_JaffaCakes118.exe 2268 d08d38f7c1f0b8274d2df4d6005c9cd7_JaffaCakes118.exe 2268 d08d38f7c1f0b8274d2df4d6005c9cd7_JaffaCakes118.exe 2268 d08d38f7c1f0b8274d2df4d6005c9cd7_JaffaCakes118.exe 2268 d08d38f7c1f0b8274d2df4d6005c9cd7_JaffaCakes118.exe 2268 d08d38f7c1f0b8274d2df4d6005c9cd7_JaffaCakes118.exe 2268 d08d38f7c1f0b8274d2df4d6005c9cd7_JaffaCakes118.exe 2268 d08d38f7c1f0b8274d2df4d6005c9cd7_JaffaCakes118.exe 2268 d08d38f7c1f0b8274d2df4d6005c9cd7_JaffaCakes118.exe 2268 d08d38f7c1f0b8274d2df4d6005c9cd7_JaffaCakes118.exe 2268 d08d38f7c1f0b8274d2df4d6005c9cd7_JaffaCakes118.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1740 explorer.exe -
Suspicious use of AdjustPrivilegeToken 15 IoCs
description pid Process Token: SeRestorePrivilege 2704 msiexec.exe Token: SeTakeOwnershipPrivilege 2704 msiexec.exe Token: SeSecurityPrivilege 2704 msiexec.exe Token: SeShutdownPrivilege 1740 explorer.exe Token: SeShutdownPrivilege 1740 explorer.exe Token: SeShutdownPrivilege 1740 explorer.exe Token: SeShutdownPrivilege 1740 explorer.exe Token: SeShutdownPrivilege 1740 explorer.exe Token: SeShutdownPrivilege 1740 explorer.exe Token: SeShutdownPrivilege 1740 explorer.exe Token: SeShutdownPrivilege 1740 explorer.exe Token: SeShutdownPrivilege 1740 explorer.exe Token: SeShutdownPrivilege 1740 explorer.exe Token: SeShutdownPrivilege 1740 explorer.exe Token: SeShutdownPrivilege 1740 explorer.exe -
Suspicious use of FindShellTrayWindow 28 IoCs
pid Process 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe -
Suspicious use of SendNotifyMessage 18 IoCs
pid Process 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2268 wrote to memory of 896 2268 d08d38f7c1f0b8274d2df4d6005c9cd7_JaffaCakes118.exe 31 PID 2268 wrote to memory of 896 2268 d08d38f7c1f0b8274d2df4d6005c9cd7_JaffaCakes118.exe 31 PID 2268 wrote to memory of 896 2268 d08d38f7c1f0b8274d2df4d6005c9cd7_JaffaCakes118.exe 31 PID 2268 wrote to memory of 896 2268 d08d38f7c1f0b8274d2df4d6005c9cd7_JaffaCakes118.exe 31 PID 2268 wrote to memory of 568 2268 d08d38f7c1f0b8274d2df4d6005c9cd7_JaffaCakes118.exe 33 PID 2268 wrote to memory of 568 2268 d08d38f7c1f0b8274d2df4d6005c9cd7_JaffaCakes118.exe 33 PID 2268 wrote to memory of 568 2268 d08d38f7c1f0b8274d2df4d6005c9cd7_JaffaCakes118.exe 33 PID 2268 wrote to memory of 568 2268 d08d38f7c1f0b8274d2df4d6005c9cd7_JaffaCakes118.exe 33 PID 2268 wrote to memory of 2176 2268 d08d38f7c1f0b8274d2df4d6005c9cd7_JaffaCakes118.exe 36 PID 2268 wrote to memory of 2176 2268 d08d38f7c1f0b8274d2df4d6005c9cd7_JaffaCakes118.exe 36 PID 2268 wrote to memory of 2176 2268 d08d38f7c1f0b8274d2df4d6005c9cd7_JaffaCakes118.exe 36 PID 2268 wrote to memory of 2176 2268 d08d38f7c1f0b8274d2df4d6005c9cd7_JaffaCakes118.exe 36 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer d08d38f7c1f0b8274d2df4d6005c9cd7_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" d08d38f7c1f0b8274d2df4d6005c9cd7_JaffaCakes118.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\d08d38f7c1f0b8274d2df4d6005c9cd7_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\d08d38f7c1f0b8274d2df4d6005c9cd7_JaffaCakes118.exe"1⤵
- Modifies security service
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2268 -
C:\Users\Admin\AppData\Local\Temp\d08d38f7c1f0b8274d2df4d6005c9cd7_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\d08d38f7c1f0b8274d2df4d6005c9cd7_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\48457\7D81A.exe%C:\Users\Admin\AppData\Roaming\484572⤵PID:896
-
-
C:\Users\Admin\AppData\Local\Temp\d08d38f7c1f0b8274d2df4d6005c9cd7_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\d08d38f7c1f0b8274d2df4d6005c9cd7_JaffaCakes118.exe startC:\Program Files (x86)\576F8\lvvm.exe%C:\Program Files (x86)\576F82⤵PID:568
-
-
C:\Program Files (x86)\LP\1A34\868E.tmp"C:\Program Files (x86)\LP\1A34\868E.tmp"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2176
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2704
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1740
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
996B
MD5f40fdfa5adbdd292d6b3df015b422290
SHA15f3d8ffce54eb7927b180c080a4f0da46ed7441a
SHA256bb5e037cff006e8a67ebb6e839817536d081a3f806862d90cdff66c73f9a4160
SHA5121aab4e56449fcc7f6799932feeaf98f6ef0f5cc02fa925b0113b5032a2fbafcdcb103064986eb31f91d8d4d8bf10552601812e19982ace294bc96fd8270b5b1f
-
Filesize
600B
MD5dcd51a0434db5e21e6faac7e3a83c8cf
SHA112348bc1fcf481383ee161c6ec6cb7f4f745451d
SHA2564982753263198dd92fd42237a1040a043cd2fb1ef91822b7dd23f9553e6e4dbb
SHA512716e531eba8423d45caf2734e6d10df2e6e217800dd73a5df6f8aaafb6ad158d080f842b2fde6626785c79e9d8dd952e9ae573fa21f71ccbf4a0b3b8da935b39
-
Filesize
1KB
MD5783492dcc62ec5b7ba83ab44eddd3bd3
SHA18c2838c46425fa324a242f3eacb94c59e5b041f4
SHA256ffe72ffadf7c464fdb7b54cc2fb7fab3dfd295d0af9d4141295b8e45459e5265
SHA5122066004fe4971e985615a6703f12c069a1a68f1424d6f28d629eb2b2c114bb6ad4ea2a360dcb5c4c96416efca9cc72e488b0d1fee959f54edaa11378ec8aac19
-
Filesize
300B
MD5534f026328614736c233df4a57f00117
SHA154e1bea297ffed3a254ba29be4fb85dba6c34663
SHA256896b1a4e0cf436f3fe2c4d84b63a3092f87db0874463956c99635f7354616649
SHA512e325f1571cb9f78382c0813c51146b48e547be2c62c8eb5c2c12af783418b5489b5fbd0ed60999e8b540e5ab325493eb29ffa56193464cf4cf4eb692d8436e3d
-
Filesize
101KB
MD5d05e213f1756ab068c1d0c2ff369f13f
SHA1d4fd2de345b7cd63a60f74529cef21c2ef1ddd02
SHA256e66de59c866eb7d4576a153630b056450c79ca0a1063c09e3f46223c144d4db7
SHA512f713d260921e07b8521de257548630439375f574e2fc68bec305809e80df6d70a1674642e94572aecd6e3692a64587f3e9e5f3506ea6dadfd9cc46aa3f7e8422