Analysis
- max time kernel: 135s
- max time network: 134s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 11/09/2024, 22:21
Static task: static1
Behavioral task: behavioral1
- Sample: db52a41f01322eda894df0b1ac01db17_JaffaCakes118.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: db52a41f01322eda894df0b1ac01db17_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: db52a41f01322eda894df0b1ac01db17_JaffaCakes118.exe
- Size: 226KB
- MD5: db52a41f01322eda894df0b1ac01db17
- SHA1: 46e1facb98b44389384e976d600e83b0cd6fb20a
- SHA256: 8ec7ac9ed472f8203d2615978cc71fc4181ee16ee649551ad5fb8f61f9ec25bd
- SHA512: 1d06ce49154f41460cbdcd021968da81a1e5359ac534b570acb844b5df672b5bf7436e2b9ab2af6d76613dd2d71dfdae1b35e5c3c2e954567564914af9d98e59
- SSDEEP: 6144:jPLAFMHYvvYamKHOXtHvgUv6tIjY0cQ0g25le:jPL/4YF9gUv6SjYDPgJ
Malware Config
Signatures
- Deletes itself (1 IoCs)
  pid | Process
  2924 | cmd.exe
- Executes dropped EXE (1 IoCs)
  pid | Process
  332 | csrss.exe
- Drops desktop.ini file(s) (2 IoCs)
  description | ioc | Process
  File created | \systemroot\assembly\GAC_64\Desktop.ini | csrss.exe
  File created | \systemroot\assembly\GAC_32\Desktop.ini | csrss.exe
- Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 2520 set thread context of 2924 | 2520 | db52a41f01322eda894df0b1ac01db17_JaffaCakes118.exe | 30
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | db52a41f01322eda894df0b1ac01db17_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  2520 | db52a41f01322eda894df0b1ac01db17_JaffaCakes118.exe
  2520 | db52a41f01322eda894df0b1ac01db17_JaffaCakes118.exe
  2520 | db52a41f01322eda894df0b1ac01db17_JaffaCakes118.exe
  332 | csrss.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2520 | db52a41f01322eda894df0b1ac01db17_JaffaCakes118.exe
  Token: SeDebugPrivilege | 2520 | db52a41f01322eda894df0b1ac01db17_JaffaCakes118.exe
- Suspicious use of UnmapMainImage (1 IoCs)
  pid | Process
  332 | csrss.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 2520 wrote to memory of 332 | 2520 | db52a41f01322eda894df0b1ac01db17_JaffaCakes118.exe | 2
  PID 2520 wrote to memory of 2924 | 2520 | db52a41f01322eda894df0b1ac01db17_JaffaCakes118.exe | 30
  PID 2520 wrote to memory of 2924 | 2520 | db52a41f01322eda894df0b1ac01db17_JaffaCakes118.exe | 30
  PID 2520 wrote to memory of 2924 | 2520 | db52a41f01322eda894df0b1ac01db17_JaffaCakes118.exe | 30
  PID 2520 wrote to memory of 2924 | 2520 | db52a41f01322eda894df0b1ac01db17_JaffaCakes118.exe | 30
  PID 2520 wrote to memory of 2924 | 2520 | db52a41f01322eda894df0b1ac01db17_JaffaCakes118.exe | 30
  PID 332 wrote to memory of 3056 | 332 | csrss.exe | 32
  PID 332 wrote to memory of 3056 | 332 | csrss.exe | 32
  PID 332 wrote to memory of 860 | 332 | csrss.exe | 13
Processes
- C:\Windows\system32\csrss.exe (PID 332, depth 1)
  Command line: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
  Signatures:
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
- C:\Windows\system32\svchost.exe (PID 860, depth 1)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs
  - C:\Windows\system32\wbem\WMIADAP.EXE (PID 3056, depth 2)
    Command line: wmiadap.exe /F /T /R
- C:\Users\Admin\AppData\Local\Temp\db52a41f01322eda894df0b1ac01db17_JaffaCakes118.exe (PID 2520, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\db52a41f01322eda894df0b1ac01db17_JaffaCakes118.exe"
  Signatures:
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2924, depth 2)
    Command line: "C:\Windows\system32\cmd.exe"
    Signatures:
    - Deletes itself
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 53KB
  MD5: 63e99b675a1337db6d8430195ea3efd2
  SHA1: 1baead2bf8f433dc82f9b2c03fd65ce697a92155
  SHA256: 6616179477849205eb4075b75a042056d196f45d67f78929dbb3317a35ccbea9
  SHA512: f5b986eafa38dbc9ad7759784ac887ecbb9c8d8009a3f33e91b9c9ceeaf043ed3e4ddab8e6b6b77e54aed9fcecab02442c8ff253f2136ea06996d05ddd68199f
- Filesize: 2KB
  MD5: 488986a21784c68fcc3ccb39f5072c8a
  SHA1: e13cf4db1e5eb30310546500d2a617edf176a248
  SHA256: 6cfd82fc4d287f3335339a95eedfd994ad812bf8c2a5d824542a33ea87c2e8ae
  SHA512: 99708105b81e77ab5ace448c658cb361dfce1ab681862532f04ecee58aaf2eb4deaa779bbe82c7f2a2e342ad99ae056a214254b8daa4d83c45c4053dcf1edd8d