Analysis
max time kernel: 150s
max time network: 144s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 08/09/2024, 11:05
Static task: static1
Behavioral task: behavioral1
  Sample: d43701b37ba732f2ff5ed08383661328_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: d43701b37ba732f2ff5ed08383661328_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: d43701b37ba732f2ff5ed08383661328_JaffaCakes118.exe
Size: 312KB
MD5: d43701b37ba732f2ff5ed08383661328
SHA1: 981263e5607f5e19feca498267cfbd8356d12433
SHA256: efe89e4ae67a1a92284e29fcccf29b4c58aa947a9c38005410a9fcaafa5e1a63
SHA512: 8dc2e6681bcd1de5f06964f080f4812e57126f0dfdaf13941a25eb56a60ef66ef20a8e80dbcd152e120c13e304251b7e3901238265d68c820b45b0c2bbb23c3d
SSDEEP: 6144:zyOuBlo8dCyd1dUhAE74jvaG66xegV+/mJC63WIOP+tN1JB5fnKf:zsdjaUq6QgV+OvSPG175fKf
Malware Config
Signatures

Deletes itself (1 IoC)
  pid   Process
  2012  cmd.exe
Executes dropped EXE (1 IoC)
  pid   Process
  2436  kiod.exe
Loads dropped DLL (2 IoCs)
  pid   Process
  3052  d43701b37ba732f2ff5ed08383661328_JaffaCakes118.exe
  3052  d43701b37ba732f2ff5ed08383661328_JaffaCakes118.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                                                                      Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\{D95BC468-3C80-AD4F-F4E3-EFE6C1B1CCFB} = "C:\\Users\\Admin\\AppData\\Roaming\\Sago\\kiod.exe"  kiod.exe
Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process                                             procid_target
  PID 3052 set thread context of 2012  3052  d43701b37ba732f2ff5ed08383661328_JaffaCakes118.exe  31
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                           Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   d43701b37ba732f2ff5ed08383661328_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe
Modifies Internet Explorer settings (2 IoCs)
  description      ioc                                                                                                                          Process
  Key created      \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Privacy                    d43701b37ba732f2ff5ed08383661328_JaffaCakes118.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"  d43701b37ba732f2ff5ed08383661328_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses (31 IoCs)
  pid   Process
  2436  kiod.exe  (31 identical entries)
Suspicious use of UnmapMainImage (2 IoCs)
  pid   Process
  3052  d43701b37ba732f2ff5ed08383661328_JaffaCakes118.exe
  2436  kiod.exe
Suspicious use of WriteProcessMemory (41 IoCs, collapsed to one row per writer/target pair; "count" is the number of repeated entries, target image names resolved from the Processes tree below)
  pid   Process                                             wrote to memory of                                         procid_target  count
  3052  d43701b37ba732f2ff5ed08383661328_JaffaCakes118.exe  2436 (kiod.exe)                                            30             4
  2436  kiod.exe                                            1112 (taskhost.exe)                                        19             5
  2436  kiod.exe                                            1156 (Dwm.exe)                                             20             5
  2436  kiod.exe                                            1192 (Explorer.EXE)                                        21             5
  2436  kiod.exe                                            1600 (DllHost.exe)                                         25             5
  2436  kiod.exe                                            2296 (zmstage.exe)                                         28             3
  2436  kiod.exe                                            3052 (d43701b37ba732f2ff5ed08383661328_JaffaCakes118.exe)  29             5
  3052  d43701b37ba732f2ff5ed08383661328_JaffaCakes118.exe  2012 (cmd.exe)                                             31             9
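The Run-key entry above is the report's only persistence IoC, and it has the three traits worth keying a detection on: a GUID-shaped value name, a launch target under %APPDATA%, and a value written by the very executable it launches. The following is an added example (not part of the tria.ge report and not tria.ge code) that parses "Set value" IoC lines in the shape this report prints them and scores autorun writes with those three heuristics. The first input record is the report's own Run-key line; the OneDrive record is a constructed benign contrast; the third is the report's Internet Explorer privacy write, included to show that non-autorun keys score nothing. The suffix and path lists are the example's own assumptions, not a tria.ge rule.

```python
import re

# Constructed "Set value" records in the shape of the report's signature tables.
# [0] is the report's Run-key IoC, [1] is a made-up benign autorun for contrast,
# [2] is the report's IE privacy write (not an autorun key at all).
SET_VALUE_IOCS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\{D95BC468-3C80-AD4F-F4E3-EFE6C1B1CCFB} = "C:\\Users\\Admin\\AppData\\Roaming\\Sago\\kiod.exe" kiod.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe" OneDrive.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0" d43701b37ba732f2ff5ed08383661328_JaffaCakes118.exe',
]

# 'Set value (<kind>) <key>\<name> = "<data>" <writing process>'
SET_VALUE_RE = re.compile(
    r'^Set value \((?P<kind>\w+)\) (?P<key>\\REGISTRY\\.+?)\\(?P<name>[^\\ ]+) = "(?P<data>.*)" (?P<proc>\S+)$'
)
# Per-user and machine autorun keys this heuristic cares about (assumed list).
AUTORUN_SUFFIXES = (
    "\\software\\microsoft\\windows\\currentversion\\run",
    "\\software\\microsoft\\windows\\currentversion\\runonce",
)
GUID_RE = re.compile(r"^\{[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}$", re.I)
# Locations a standard user can write to without elevation (assumed list).
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\")


def parse_set_value(line):
    """Split one IoC line into kind/key/name/data/proc; None if it is not a Set value line."""
    m = SET_VALUE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["data"] = rec["data"].replace("\\\\", "\\")  # the report prints doubled backslashes
    return rec


def autorun_reasons(rec):
    """Reasons a Run/RunOnce write looks like malware persistence; [] for other keys."""
    if not rec["key"].lower().endswith(AUTORUN_SUFFIXES):
        return []
    reasons = []
    if GUID_RE.match(rec["name"]):
        reasons.append("GUID-shaped value name")
    target = rec["data"].strip('"').lower()
    if any(p in target for p in USER_WRITABLE):
        reasons.append("launch target under a user-writable path")
    exe = target.rsplit("\\", 1)[-1].split(" ")[0]
    if exe and exe == rec["proc"].lower():
        reasons.append("value written by the executable it launches")
    return reasons


def triage(lines):
    """(value name, reasons) for every parseable record; two or more reasons merit a look."""
    out = []
    for line in lines:
        rec = parse_set_value(line)
        if rec:
            out.append((rec["name"], autorun_reasons(rec)))
    return out


if __name__ == "__main__":
    for name, reasons in triage(SET_VALUE_IOCS):
        print(f"{name}: {'; '.join(reasons) or 'no autorun indicators'}")
```

The third heuristic fires on legitimate software too (the OneDrive contrast record scores one reason), which is why the example reports reasons rather than a verdict; the report's entry is the only record that collects all three.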
Processes
(indentation follows the report's parent/child nesting; each entry gives the image path, then the command line)

PID 1112  C:\Windows\system32\taskhost.exe
          command line: "taskhost.exe"
PID 1156  C:\Windows\system32\Dwm.exe
          command line: "C:\Windows\system32\Dwm.exe"
PID 1192  C:\Windows\Explorer.EXE
          command line: C:\Windows\Explorer.EXE
  PID 3052  C:\Users\Admin\AppData\Local\Temp\d43701b37ba732f2ff5ed08383661328_JaffaCakes118.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\d43701b37ba732f2ff5ed08383661328_JaffaCakes118.exe"
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Modifies Internet Explorer settings
            - Suspicious use of UnmapMainImage
            - Suspicious use of WriteProcessMemory
    PID 2436  C:\Users\Admin\AppData\Roaming\Sago\kiod.exe
              command line: "C:\Users\Admin\AppData\Roaming\Sago\kiod.exe"
              - Executes dropped EXE
              - Adds Run key to start application
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of UnmapMainImage
              - Suspicious use of WriteProcessMemory
    PID 2012  C:\Windows\SysWOW64\cmd.exe
              command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpb369c37d.bat"
              - Deletes itself
              - System Location Discovery: System Language Discovery
PID 1600  C:\Windows\system32\DllHost.exe
          command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
PID 2296  C:\Users\Admin\AppData\Local\Temp\4183940270\zmstage.exe
          command line: C:\Users\Admin\AppData\Local\Temp\4183940270\zmstage.exe
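Read together, the WriteProcessMemory and SetThreadContext signatures and the process tree describe a chain: the sample (3052) writes into its dropped copy kiod.exe (2436), kiod.exe then writes into taskhost.exe, Dwm.exe, Explorer.EXE, DllHost.exe, zmstage.exe and back into the sample, and the sample both writes into and sets the thread context of its cmd.exe child (2012) that runs the self-delete batch file (note the 32-bit parent: cmd.exe resolves to SysWOW64 although the command line says system32). The report prints those 41 entries as one run-on line. Below is an added example (not from the tria.ge report and not tria.ge code) that parses that flattened text into counted writer/target edges, resolves PIDs through a map transcribed from the Processes tree, and attaches the reasons a responder would flag each edge. The WPM_IOCS string is a constructed excerpt that keeps one or two entries per distinct edge rather than all 41; the "user-writable path" and "OS process" tests are the example's own heuristics.

```python
import re
from collections import Counter

# PID -> image path, transcribed from the report's "Processes" tree.
PROCESSES = {
    1112: r"C:\Windows\system32\taskhost.exe",
    1156: r"C:\Windows\system32\Dwm.exe",
    1192: r"C:\Windows\Explorer.EXE",
    1600: r"C:\Windows\system32\DllHost.exe",
    2012: r"C:\Windows\SysWOW64\cmd.exe",
    2296: r"C:\Users\Admin\AppData\Local\Temp\4183940270\zmstage.exe",
    2436: r"C:\Users\Admin\AppData\Roaming\Sago\kiod.exe",
    3052: r"C:\Users\Admin\AppData\Local\Temp\d43701b37ba732f2ff5ed08383661328_JaffaCakes118.exe",
}

# Constructed excerpt of the report's flattened "Suspicious use of WriteProcessMemory"
# text: a single run-on line whose entries are separated only by "PID ". The real
# signature has 41 entries; this excerpt keeps one or two per distinct edge.
SAMPLE = "d43701b37ba732f2ff5ed08383661328_JaffaCakes118.exe"
WPM_IOCS = (
    f"PID 3052 wrote to memory of 2436 3052 {SAMPLE} 30 "
    f"PID 3052 wrote to memory of 2436 3052 {SAMPLE} 30 "
    "PID 2436 wrote to memory of 1112 2436 kiod.exe 19 "
    "PID 2436 wrote to memory of 1156 2436 kiod.exe 20 "
    "PID 2436 wrote to memory of 1192 2436 kiod.exe 21 "
    "PID 2436 wrote to memory of 1600 2436 kiod.exe 25 "
    "PID 2436 wrote to memory of 2296 2436 kiod.exe 28 "
    "PID 2436 wrote to memory of 3052 2436 kiod.exe 29 "
    f"PID 3052 wrote to memory of 2012 3052 {SAMPLE} 31 "
    f"PID 3052 wrote to memory of 2012 3052 {SAMPLE} 31"
)
# The report's single "Suspicious use of SetThreadContext" entry, same shape.
STC_IOCS = f"PID 3052 set thread context of 2012 3052 {SAMPLE} 31"

# "PID <src> <verb> <dst> <src> <image> <procid_target>". The trailing number is the
# report's procid_target column (its own process index, not a PID) and is ignored.
ENTRY_RE = re.compile(
    r"PID (?P<src>\d+) (?P<verb>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src) (?P<image>\S+) \d+"
)


def parse_iocs(text):
    """Count (src_pid, dst_pid, verb) triples in flattened signature text."""
    counts = Counter()
    for m in ENTRY_RE.finditer(text):
        counts[(int(m["src"]), int(m["dst"]), m["verb"])] += 1
    return counts


def basename(path):
    return path.rsplit("\\", 1)[-1]


def is_user_writable(path):
    p = path.lower()
    return "\\appdata\\" in p or "\\users\\public\\" in p or "\\programdata\\" in p


def is_os_process(path):
    return path.lower().startswith("c:\\windows\\")


def injection_findings(wpm_text, stc_text, procs):
    """One finding per (writer, target) pair with the reasons it deserves a look."""
    wpm, stc = parse_iocs(wpm_text), parse_iocs(stc_text)
    findings = []
    for (src, dst, _verb), n in sorted(wpm.items()):
        src_img, dst_img = procs[src], procs[dst]
        reasons = []
        if is_user_writable(src_img) and is_os_process(dst_img):
            reasons.append("write from user-writable path into OS process")
        if (src, dst, "set thread context of") in stc:
            # A write followed by SetThreadContext on the same target is the sequence
            # used to start injected code in a suspended process; a parent has no
            # ordinary reason to do both to a child.
            reasons.append("WriteProcessMemory + SetThreadContext on same target")
        if not reasons:
            reasons.append("cross-process write")
        findings.append({
            "src_pid": src, "src_image": basename(src_img),
            "dst_pid": dst, "dst_image": basename(dst_img),
            "writes": n, "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in injection_findings(WPM_IOCS, STC_IOCS, PROCESSES):
        print(f"{f['src_pid']} {f['src_image']} -> {f['dst_pid']} {f['dst_image']} "
              f"x{f['writes']}: {'; '.join(f['reasons'])}")
```

Run against the full 41-entry line from the report instead of the excerpt, the same parser yields the eight edges of the collapsed table in the Signatures section with their counts; the edge 3052 -> 2012 is the only one that collects both reasons.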
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 271B
MD5: 8edd545fc036a90b9631bab7f9ef1716
SHA1: 12500228ae84f3c24b6a3a12fb17ff16607be39f
SHA256: e236964c3b0785a95453d25c25fcf7fbe7c181b6e91262783a6265f3cd14e9aa
SHA512: b6536e8a17782e28ecfb61ee01a3db47016d3abff681fc46ac06b89736cbab8dc85f31715bd607f8c4ceb2722c010a19cf8af35c9f54b981db630df955aafbb4

Filesize: 312KB
MD5: beca8f129ec8467d17c72dbb9665878d
SHA1: 7f2819fcaa0d06f1768bdfcbbbee2145dbf0fe8f
SHA256: e7a60dcffb640a96f35960396e7746191864c7465a17d305524c9371cf75dde6
SHA512: f24ba93c58999d42506f7af06d084b10393a77837c7a57bd798ae0b7bf592d4ded2848bd540a7a4c57d194062724f8c2e53bfff7306607c1d6cc8a85c0545383