Analysis
max time kernel: 70s
max time network: 135s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 09/09/2024, 13:57
Static task: static1
Behavioral task: behavioral1
  Sample: d6747ef2806d3c0a17f91fb48c8133b8_JaffaCakes118.html
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: d6747ef2806d3c0a17f91fb48c8133b8_JaffaCakes118.html
  Resource: win10v2004-20240802-en
General
Target: d6747ef2806d3c0a17f91fb48c8133b8_JaffaCakes118.html
Size: 122KB
MD5: d6747ef2806d3c0a17f91fb48c8133b8
SHA1: 4e4163ce543e1f70cae447b23499da5a79988fa8
SHA256: e0d7fd6ff09cb0c1ab015f83a3106a506a282e84810b7ef7b8c186f3b0cbcff8
SHA512: c3553791807019830fe58a0f9282c4347f772a28a3598d46c074ea162f8aa641b6455bfeca3af43e5c8c926cc27ed42b78035b56205e7eec1bcfa6064f0687b1
SSDEEP: 1536:S0aeTyLi+rffMxqNisaQx4V5roEIfGJZN8qbV76EX1UP09weXA3oJrusBTOy9dGL:S0HTyfkMY+BES09JXAnyrZalI+YQ
Signatures

Executes dropped EXE 2 IoCs
  pid   Process
  2740  svchost.exe
  2864  DesktopLayer.exe

Loads dropped DLL 2 IoCs
  pid   Process
  2768  IEXPLORE.EXE
  2740  svchost.exe
  resource                                                                      yara_rule
  behavioral1/memory/2740-6-0x0000000000400000-0x000000000042E000-memory.dmp    upx
  behavioral1/files/0x0006000000018cf2-8.dat                                    upx
  behavioral1/memory/2740-9-0x0000000000400000-0x000000000042E000-memory.dmp    upx
  behavioral1/memory/2864-18-0x0000000000400000-0x000000000042E000-memory.dmp   upx
  behavioral1/memory/2864-20-0x0000000000400000-0x000000000042E000-memory.dmp   upx
Drops file in Program Files directory 3 IoCs
  description                   ioc                                                Process
  File opened for modification  C:\Program Files (x86)\Microsoft\px7704.tmp        svchost.exe
  File created                  C:\Program Files (x86)\Microsoft\DesktopLayer.exe  svchost.exe
  File opened for modification  C:\Program Files (x86)\Microsoft\DesktopLayer.exe  svchost.exe
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                       Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  IEXPLORE.EXE
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svchost.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DesktopLayer.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  IEXPLORE.EXE
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses 4 IoCs
  pid   Process
  2864  DesktopLayer.exe
  2864  DesktopLayer.exe
  2864  DesktopLayer.exe
  2864  DesktopLayer.exe

Suspicious use of FindShellTrayWindow 2 IoCs
  pid   Process
  2160  iexplore.exe
  2160  iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs
  pid   Process
  2160  iexplore.exe
  2160  iexplore.exe
  2768  IEXPLORE.EXE
  2768  IEXPLORE.EXE
  2160  iexplore.exe
  2160  iexplore.exe
  2712  IEXPLORE.EXE
  2712  IEXPLORE.EXE
  2712  IEXPLORE.EXE
  2712  IEXPLORE.EXE

Suspicious use of WriteProcessMemory 20 IoCs
  description                       pid   Process           procid_target
  PID 2160 wrote to memory of 2768  2160  iexplore.exe      29
  PID 2160 wrote to memory of 2768  2160  iexplore.exe      29
  PID 2160 wrote to memory of 2768  2160  iexplore.exe      29
  PID 2160 wrote to memory of 2768  2160  iexplore.exe      29
  PID 2768 wrote to memory of 2740  2768  IEXPLORE.EXE      30
  PID 2768 wrote to memory of 2740  2768  IEXPLORE.EXE      30
  PID 2768 wrote to memory of 2740  2768  IEXPLORE.EXE      30
  PID 2768 wrote to memory of 2740  2768  IEXPLORE.EXE      30
  PID 2740 wrote to memory of 2864  2740  svchost.exe       31
  PID 2740 wrote to memory of 2864  2740  svchost.exe       31
  PID 2740 wrote to memory of 2864  2740  svchost.exe       31
  PID 2740 wrote to memory of 2864  2740  svchost.exe       31
  PID 2864 wrote to memory of 2640  2864  DesktopLayer.exe  32
  PID 2864 wrote to memory of 2640  2864  DesktopLayer.exe  32
  PID 2864 wrote to memory of 2640  2864  DesktopLayer.exe  32
  PID 2864 wrote to memory of 2640  2864  DesktopLayer.exe  32
  PID 2160 wrote to memory of 2712  2160  iexplore.exe      33
  PID 2160 wrote to memory of 2712  2160  iexplore.exe      33
  PID 2160 wrote to memory of 2712  2160  iexplore.exe      33
  PID 2160 wrote to memory of 2712  2160  iexplore.exe      33
Processes

C:\Program Files\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\d6747ef2806d3c0a17f91fb48c8133b8_JaffaCakes118.html
  PID: 2160
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2160 CREDAT:275457 /prefetch:2
    PID: 2768
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\svchost.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      PID: 2740
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Program Files (x86)\Microsoft\DesktopLayer.exe
        Command line: "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
        PID: 2864
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory

        C:\Program Files\Internet Explorer\iexplore.exe
          Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
          PID: 2640

  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2160 CREDAT:209930 /prefetch:2
    PID: 2712
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx