Analysis
- max time kernel: 1s
- max time network: 1s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 08/09/2024, 08:51
Static task: static1
Behavioral task: behavioral1
- Sample: d3fa291174e309fa1ea320dc1c642d12_JaffaCakes118.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: d3fa291174e309fa1ea320dc1c642d12_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: d3fa291174e309fa1ea320dc1c642d12_JaffaCakes118.exe
- Size: 477KB
- MD5: d3fa291174e309fa1ea320dc1c642d12
- SHA1: 6d499b7238e802949a3ebda53721d3ae41a68794
- SHA256: 213b26ae2636e5fdfebcae7723fab4d523de2406155e198f299eb8edbfe58581
- SHA512: 5b800301578a975635cd374b7d2fc89e887ff856291c3512e7c7e8536e0dafe65ee6293192b4cc9a5ed50de96b277f9de73c16e69d815f9d0b561357b1acd7e4
- SSDEEP: 12288:FsvU983wtVMtIaMjY6r+kRkBb63vd1Mp8upU5ks4FW:FF2wsOt+w2Y1Mp8ul4
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 2568, process cmd.exe
- Executes dropped EXE (3 IoCs)
  pid 2764 T3K9ZAW7.exe; pid 2680 wot.exe; pid 2068 xot.exe
- Loads dropped DLL (10 IoCs)
  pid 2260 d3fa291174e309fa1ea320dc1c642d12_JaffaCakes118.exe (6 events); pid 2348 rundll32.exe (4 events)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Jhozajele = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\mspror.dll\",Startup" (process: rundll32.exe)
- Indicator Removal: File Deletion (1 TTP)
  Adversaries may delete files left behind by the actions of their intrusion activity.
- Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  File opened for modification: \??\physicaldrive0 (process: wot.exe)
- System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by d3fa291174e309fa1ea320dc1c642d12_JaffaCakes118.exe, T3K9ZAW7.exe, xot.exe, rundll32.exe and cmd.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid 2764 T3K9ZAW7.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeShutdownPrivilege, pid 2680 wot.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid 2764 T3K9ZAW7.exe
- Suspicious use of WriteProcessMemory (23 IoCs)
  PID 2260 (d3fa291174e309fa1ea320dc1c642d12_JaffaCakes118.exe) wrote to memory of 2764, procid_target 30: 4 events
  PID 2260 (d3fa291174e309fa1ea320dc1c642d12_JaffaCakes118.exe) wrote to memory of 2680, procid_target 31: 4 events
  PID 2260 (d3fa291174e309fa1ea320dc1c642d12_JaffaCakes118.exe) wrote to memory of 2068, procid_target 32: 4 events
  PID 2260 (d3fa291174e309fa1ea320dc1c642d12_JaffaCakes118.exe) wrote to memory of 2568, procid_target 33: 4 events
  PID 2068 (xot.exe) wrote to memory of 2348, procid_target 34: 7 events
Processes
- C:\Users\Admin\AppData\Local\Temp\d3fa291174e309fa1ea320dc1c642d12_JaffaCakes118.exe (PID 2260, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d3fa291174e309fa1ea320dc1c642d12_JaffaCakes118.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\T3K9ZAW7.exe (PID 2764, level 2)
    Command line: T3K9ZAW7.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\wot.exe (PID 2680, level 2)
    Command line: wot.exe
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\xot.exe (PID 2068, level 2)
    Command line: xot.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (PID 2348, level 3)
      Command line: rundll32.exe "C:\Users\Admin\AppData\Local\mspror.dll",Startup
      - Loads dropped DLL
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe (PID 2568, level 2)
    Command line: cmd /c del d3fa291174e309fa1ea320dc1c642d12_JaffaCakes118.exe
    - Deletes itself
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Pre-OS Boot (1)
  - Bootkit (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Downloads
- Filesize: 103KB
  MD5: b830953856e06807f6419663f6d05cc6
  SHA1: 1985aa83dbcaad52a6098a7bffcd8688f0d203aa
  SHA256: ed89baf97368e00ae45aa798fda02ed521557898bd6c9c50b2b98a035dceb81e
  SHA512: 6553f322de9e87e3bff14a08c500b69aa2ce3a0946e25bf9464c7d7dca22d96ef2da2fe00ed86e2d687a9f8f4345ab5189130a7c95606275df19d2f9169b354b
- Filesize: 140KB
  MD5: 13af4de26b3ee9d02e8dd721f6b81fe9
  SHA1: 6036d52a71cc9a5f176db6d40cdea0e8d1b023ce
  SHA256: 10301813c139bbb2f2cbc5a47a8b78989c37cf56bfcdf8cbb2fd324057a799e3
  SHA512: 05c69348ac57578fdf81c035350ee6856ee17a72c1c1359013d5ec50430804c781753eb995870262157ba557c102285a4b012c2e53a73971213d9fdb269faa66
- Filesize: 103KB
  MD5: b47a4d45ef404a997dcd2f98fe4a1420
  SHA1: e55a876e4098a705be35e1a9c78c65a97ae5f27d
  SHA256: 9863f46ae1d3e2f835b713e2fb32c831e27941b4cdbb11663780e2101df6289b
  SHA512: 1f83decef10da3e7537dde84cebfd4ec2ca7dab05e3fb72237ad2d627f544d493d501822bf0927bc3cc061442cbe779cf054b87da1decc77a3b9eb6fa07ebd20
- Filesize: 175KB
  MD5: c9b7e9a83250faf3135bb70343030c16
  SHA1: f738cf9018d564ec802b684e38b54ecdf0a679f6
  SHA256: 26d3130abf8d1f0d234e7be1f28de877d7ae871ec96f179f9d49d8156c20c1ea
  SHA512: 2c574af59c9131a2917024f644176ca6311e6433be53d9602e4db873d01da16f9e1f4dc7952b9b667a4f8fac346037e30d5337db5cd895c13b51635c44a024c4