Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
147s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
06/09/2024, 04:19
Static task
static1
Behavioral task
behavioral1
Sample
cea2d53f3741c750f8da141ce3044b9c_JaffaCakes118.exe
Resource
win7-20240704-en
General
-
Target
cea2d53f3741c750f8da141ce3044b9c_JaffaCakes118.exe
-
Size
548KB
-
MD5
cea2d53f3741c750f8da141ce3044b9c
-
SHA1
e4c40c26e0556447cbb8c5731aa3b4fe9a1e9399
-
SHA256
059da1d4aca3dac5c4e827e9e7a5ebd07e3b3581135c200cdcb7c5e9be5065e3
-
SHA512
36067bd002f52ea95d6eb2d2a84808a879bc0af619938ade50b2bb08fe440af897815b5066c89fbe7383f99f08a77449fdfd0524636b22a500117d3c17fec615
-
SSDEEP
12288:e9dVKCxkIgeqXqXBb9P3BpcLLWW7HMwBIMQxlskGljE3af6EJ:yXKCFgeCqXBN3MswjQxkJ
Malware Config
Signatures
-
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Against Down.lnk cea2d53f3741c750f8da141ce3044b9c_JaffaCakes118.exe -
Executes dropped EXE 2 IoCs
pid Process 2176 PairBusy.exe 2772 PairBusy.exe -
Loads dropped DLL 3 IoCs
pid Process 1952 cea2d53f3741c750f8da141ce3044b9c_JaffaCakes118.exe 1952 cea2d53f3741c750f8da141ce3044b9c_JaffaCakes118.exe 2176 PairBusy.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2176 set thread context of 2772 2176 PairBusy.exe 32 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PairBusy.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PairBusy.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DllHost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cea2d53f3741c750f8da141ce3044b9c_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2176 PairBusy.exe 2176 PairBusy.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2772 PairBusy.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 1952 cea2d53f3741c750f8da141ce3044b9c_JaffaCakes118.exe Token: SeDebugPrivilege 2176 PairBusy.exe Token: SeDebugPrivilege 2772 PairBusy.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2636 DllHost.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2772 PairBusy.exe -
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target PID 1952 wrote to memory of 2176 1952 cea2d53f3741c750f8da141ce3044b9c_JaffaCakes118.exe 31 PID 1952 wrote to memory of 2176 1952 cea2d53f3741c750f8da141ce3044b9c_JaffaCakes118.exe 31 PID 1952 wrote to memory of 2176 1952 cea2d53f3741c750f8da141ce3044b9c_JaffaCakes118.exe 31 PID 1952 wrote to memory of 2176 1952 cea2d53f3741c750f8da141ce3044b9c_JaffaCakes118.exe 31 PID 2176 wrote to memory of 2772 2176 PairBusy.exe 32 PID 2176 wrote to memory of 2772 2176 PairBusy.exe 32 PID 2176 wrote to memory of 2772 2176 PairBusy.exe 32 PID 2176 wrote to memory of 2772 2176 PairBusy.exe 32 PID 2176 wrote to memory of 2772 2176 PairBusy.exe 32 PID 2176 wrote to memory of 2772 2176 PairBusy.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\cea2d53f3741c750f8da141ce3044b9c_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\cea2d53f3741c750f8da141ce3044b9c_JaffaCakes118.exe"1⤵
- Drops startup file
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1952 -
C:\Users\Admin\AppData\Local\Temp\Or's industry\PairBusy.exe"C:\Users\Admin\AppData\Local\Temp\Or's industry\PairBusy.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Users\Admin\AppData\Local\Temp\Or's industry\PairBusy.exe"C:\Users\Admin\AppData\Local\Temp\Or's industry\PairBusy.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2772
-
-
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:2636
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
9KB
MD563e0efcc12f3b2ebddb6ab9d342d4a23
SHA17327ff8d23249998c3106ad6ed4d68f6190ec184
SHA256bf08b6fa8d1001c8fc4788ea960e2d52721b2b21c7c00a6253580deb8d15d38e
SHA512a461dd215b9ec807376cd2fe4388b3b43da4c849453f8a5cdfed9013dc38e55dabeb4f0eb7ab16a52d85adcda7fe9f2c00fa6cca67ec088483b8ec77be7f510c
-
Filesize
1KB
MD5b39eb0e58134bbaf99a68f218f6f0ccd
SHA13c1326831ec4d4862638f8930c39309b60546e5a
SHA256492bc12f171d1267dd10686deb3243b494fba8a62c1cb652b3c7958c84188fab
SHA5124732a4704d369973eeee94b0458dfe4d0152f7bb4e79b9aca5fde3cdac20404f906275d61cb5469656b0200ab5a411676cd3cf09a6ee41ac7ea0324ea6c23cbb
-
Filesize
548KB
MD5cea2d53f3741c750f8da141ce3044b9c
SHA1e4c40c26e0556447cbb8c5731aa3b4fe9a1e9399
SHA256059da1d4aca3dac5c4e827e9e7a5ebd07e3b3581135c200cdcb7c5e9be5065e3
SHA51236067bd002f52ea95d6eb2d2a84808a879bc0af619938ade50b2bb08fe440af897815b5066c89fbe7383f99f08a77449fdfd0524636b22a500117d3c17fec615