Analysis
- max time kernel: 149s
- max time network: 95s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/09/2024, 02:31
Static task: static1
Behavioral task: behavioral1
- Sample: d5849dfe11450640efd7a6f78141dc76_JaffaCakes118.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: d5849dfe11450640efd7a6f78141dc76_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: d5849dfe11450640efd7a6f78141dc76_JaffaCakes118.exe
- Size: 387KB
- MD5: d5849dfe11450640efd7a6f78141dc76
- SHA1: 4937560a144a57aec86cc82dce65c49d8eaf52d9
- SHA256: e189fb63b73b753b07c464f93a2ce2cdd55b93c0f678b5f1c85edb486c4cd02f
- SHA512: d2f798c690b7e1276463e4413164a461c4f427e1e7b844604809df385fbd3d192e602ed052ef28437586586e3792a4b5651a4882dbd966ea13ce7b0c03326941
- SSDEEP: 6144:anSxOhzm7DMSB2qdDqBMYY16qXKATBSPsV2zBu/RlQiwM0i:aSxOhzmXVXqBMYY1zTs7kZuiwM0
Malware Config
Signatures
Loads dropped DLL 2 IoCs
pid Process
- 736 d5849dfe11450640efd7a6f78141dc76_JaffaCakes118.exe
- 736 d5849dfe11450640efd7a6f78141dc76_JaffaCakes118.exe
Modifies WinLogon 2 TTPs 6 IoCs
description ioc Process
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify (d5849dfe11450640efd7a6f78141dc76_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\UpdateNf\DllName = "updatenf.dll" (d5849dfe11450640efd7a6f78141dc76_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\UpdateNf\Startup = "WinlogonStartupEvent" (d5849dfe11450640efd7a6f78141dc76_JaffaCakes118.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\UpdateNf\Asynchronous = "1" (d5849dfe11450640efd7a6f78141dc76_JaffaCakes118.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\UpdateNf\Impersonate = "0" (d5849dfe11450640efd7a6f78141dc76_JaffaCakes118.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\UpdateNf (d5849dfe11450640efd7a6f78141dc76_JaffaCakes118.exe)
Drops file in System32 directory 5 IoCs
description ioc Process
- File opened for modification: C:\Windows\SysWOW64\api32.dll (d5849dfe11450640efd7a6f78141dc76_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\updatenf.dll (d5849dfe11450640efd7a6f78141dc76_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\avwav3.dll (d5849dfe11450640efd7a6f78141dc76_JaffaCakes118.exe)
- File created: C:\Windows\SysWOW64\raidmg.dll (d5849dfe11450640efd7a6f78141dc76_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\api.dat (d5849dfe11450640efd7a6f78141dc76_JaffaCakes118.exe)
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (d5849dfe11450640efd7a6f78141dc76_JaffaCakes118.exe)
Modifies registry class 14 IoCs
Suspicious behavior: EnumeratesProcesses 58 IoCs
Suspicious use of AdjustPrivilegeToken 58 IoCs
Suspicious use of WriteProcessMemory 15 IoCs
Processes
- C:\Users\Admin\AppData\Local\Temp\d5849dfe11450640efd7a6f78141dc76_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d5849dfe11450640efd7a6f78141dc76_JaffaCakes118.exe"
  PID: 736
  Signatures: Loads dropped DLL; Modifies WinLogon; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\BackgroundTaskHost.exe
  Command line: "C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
  PID: 2032
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 2520
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 1512
- C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  PID: 2612
- C:\Windows\system32\wbem\wmiprvse.exe
  Command line: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  PID: 4212
- C:\Windows\System32\mousocoreworker.exe
  Command line: C:\Windows\System32\mousocoreworker.exe -Embedding
  PID: 3948
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 3004
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 43KB
- MD5: c7665180dbf13e798dde715eab97380d
- SHA1: ffe88076cbecedef9f450a9ad9709fd761943a14
- SHA256: efb1ba1b9b70ba6e7ee845235b706c458000858c7955722b35541f9a13fb7c25
- SHA512: c4db5236de95a91aa3d7ce58ba4683c401154a5440d4c1dffcfe8672d7de1272febb4cb6362b7ed4aa4852b8e24a9badc1eb5cf0381e53a0f9aab4f9eaa8b95f