Analysis
- max time kernel: 147s
- max time network: 146s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 11/09/2024, 06:45
Static task: static1
Behavioral task behavioral1: sample d9cf57a7c2e8430bd4224d594d6af42d_JaffaCakes118.exe, resource win7-20240708-en
Behavioral task behavioral2: sample d9cf57a7c2e8430bd4224d594d6af42d_JaffaCakes118.exe, resource win10v2004-20240802-en
(The signatures and process tree below are from the windows7_x64 run on win7-20240708-en.)
General
- Target: d9cf57a7c2e8430bd4224d594d6af42d_JaffaCakes118.exe
- Size: 332KB
- MD5: d9cf57a7c2e8430bd4224d594d6af42d
- SHA1: 49e4045518eaf43993e20417c957f6a46e9e7b02
- SHA256: ba251654fa02a35fd14bdf741e3e9bb6e16b19ef66a4ad9c8220a18598b05fcb
- SHA512: 7f49c0fcc2de5aa845866b9ccc79d192276c0de2e35e703fd3b248ffb543571cfd58d3fa7912e638da8d346fa10a3752e41a1eacf1e9fcddf3e38fdf7c7a3695
- SSDEEP: 6144:/Y5Ix+fkSpcmwSUjT9jCu9UOem7HQKoZufpU:/YP7pdwSK9Z9/xEZopU
Malware Config
Signatures
- Boot or Logon Autostart Execution: Active Setup (2 TTPs, 1 IoC)
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
  Caveat: the only IoC is attributed to explorer.exe (PID 2812), not to the sample or to yrp.exe. The per-user Installed Components key is where Windows records at logon which HKLM Active Setup components have already run for this user, so this hit is consistent with ordinary shell activity. No StubPath under HKLM\Software\Microsoft\Active Setup\Installed Components, which is what Active Setup actually executes, is reported as modified.
- Disables taskbar notifications via registry modification (no IoCs listed)
- Deletes itself (1 IoC)
  pid | Process
  2428 | yrp.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  2428 | yrp.exe
- Loads dropped DLL (1 IoC)
  pid | Process
  2968 | d9cf57a7c2e8430bd4224d594d6af42d_JaffaCakes118.exe
- Modifies system executable filetype association (2 TTPs, 17 IoCs)
  The operative change is the (Default) value of exefile\shell\open\command. The Windows default is "%1" %*; the sample sets "C:\Users\Admin\AppData\Local\yrp.exe" -a "%1" %*, so every .exe started through the shell association (double-click, Start menu, ShellExecute) runs yrp.exe first with the intended program as its argument. The keys are written in the user's HKCU\Software\Classes hive, which overrides the HKLM definition for this user without administrative rights; the runas and start verbs and the IsolatedCommand values are written with the default "%1" %*.
  All paths below are under \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES (this user's HKCU\Software\Classes); a trailing backslash before "=" denotes the key's (Default) value.
  description | ioc | Process
  Key created | exefile\DefaultIcon | yrp.exe
  Key created | exefile\shell | yrp.exe
  Key created | exefile\shell\open\command | yrp.exe
  Set value (str) | exefile\ = "Application" | yrp.exe
  Set value (str) | exefile\Content Type = "application/x-msdownload" | yrp.exe
  Key created | exefile\shell\open | yrp.exe
  Set value (str) | exefile\shell\open\command\IsolatedCommand = "\"%1\" %*" | yrp.exe
  Key created | exefile\shell\runas | yrp.exe
  Key created | exefile\shell\runas\command | yrp.exe
  Set value (str) | exefile\shell\runas\command\IsolatedCommand = "\"%1\" %*" | yrp.exe
  Set value (str) | exefile\shell\start\command\ = "\"%1\" %*" | yrp.exe
  Set value (str) | exefile\DefaultIcon\ = "%1" | yrp.exe
  Set value (str) | exefile\shell\runas\command\ = "\"%1\" %*" | yrp.exe
  Key created | exefile\shell\start\command | yrp.exe
  Set value (str) | exefile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\yrp.exe\" -a \"%1\" %*" | yrp.exe
  Key created | exefile\shell\start | yrp.exe
  Set value (str) | exefile\shell\start\command\IsolatedCommand = "\"%1\" %*" | yrp.exe
- Reads user/profile data of web browsers (2 TTPs, no IoCs listed)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe = "C:\\WINDOWS\\system32\\ctfmon.exe" | yrp.exe
  Note: the value written is the path of the legitimate ctfmon.exe in system32, not of the dropped binary; the entry is written by yrp.exe, but it does not by itself point at yrp.exe.
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d9cf57a7c2e8430bd4224d594d6af42d_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | yrp.exe
- Modifies registry class (41 IoCs)
  All paths below are under \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES (this user's HKCU\Software\Classes); a trailing backslash before "=" denotes the key's (Default) value.
  description | ioc | Process
  Set value (str) | .exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\yrp.exe\" -a \"%1\" %*" | yrp.exe
  Key created | exefile\shell\runas | yrp.exe
  Set value (str) | exefile\shell\runas\command\ = "\"%1\" %*" | yrp.exe
  Key created | Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
  Set value (str) | .exe\Content Type = "application/x-msdownload" | yrp.exe
  Set value (str) | exefile\shell\runas\command\IsolatedCommand = "\"%1\" %*" | yrp.exe
  Set value (str) | exefile\Content Type = "application/x-msdownload" | yrp.exe
  Set value (str) | exefile\DefaultIcon\ = "%1" | yrp.exe
  Set value (str) | exefile\shell\start\command\IsolatedCommand = "\"%1\" %*" | yrp.exe
  Set value (data) | Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
  Key created | .exe\DefaultIcon | yrp.exe
  Set value (str) | .exe\shell\runas\command\ = "\"%1\" %*" | yrp.exe
  Set value (str) | .exe\shell\start\command\IsolatedCommand = "\"%1\" %*" | yrp.exe
  Key created | exefile\shell | yrp.exe
  Key created | exefile\shell\start | yrp.exe
  Key created | .exe | yrp.exe
  Set value (str) | .exe\shell\open\command\IsolatedCommand = "\"%1\" %*" | yrp.exe
  Key created | .exe\shell\start\command | yrp.exe
  Key created | exefile\DefaultIcon | yrp.exe
  Key created | exefile\shell\open | yrp.exe
  Set value (str) | exefile\shell\start\command\ = "\"%1\" %*" | yrp.exe
  Set value (str) | .exe\DefaultIcon\ = "%1" | yrp.exe
  Key created | .exe\shell\open | yrp.exe
  Key created | .exe\shell\runas\command | yrp.exe
  Set value (str) | .exe\shell\runas\command\IsolatedCommand = "\"%1\" %*" | yrp.exe
  Set value (str) | .exe\shell\start\command\ = "\"%1\" %*" | yrp.exe
  Key created | exefile | yrp.exe
  Set value (str) | exefile\shell\open\command\IsolatedCommand = "\"%1\" %*" | yrp.exe
  Set value (str) | .exe\ = "exefile" | yrp.exe
  Key created | .exe\shell\open\command | yrp.exe
  Set value (str) | exefile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\yrp.exe\" -a \"%1\" %*" | yrp.exe
  Key created | exefile\shell\runas\command | yrp.exe
  Key created | exefile\shell\start\command | yrp.exe
  Set value (data) | Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
  Key created | .exe\shell | yrp.exe
  Key created | .exe\shell\runas | yrp.exe
  Key created | .exe\shell\start | yrp.exe
  Set value (str) | exefile\ = "Application" | yrp.exe
  Key created | exefile\shell\open\command | yrp.exe
  Key created | Local Settings | explorer.exe
  Key created | Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid | Process | hits
  2968 | d9cf57a7c2e8430bd4224d594d6af42d_JaffaCakes118.exe | 9
  2428 | yrp.exe | 5
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  2812 | explorer.exe
- Suspicious use of AdjustPrivilegeToken (17 IoCs)
  description | pid | Process | hits
  Token: SeShutdownPrivilege | 2812 | explorer.exe | 17
- Suspicious use of FindShellTrayWindow (35 IoCs)
  pid | Process | hits
  2428 | yrp.exe | 4
  2812 | explorer.exe | 31
- Suspicious use of SendNotifyMessage (24 IoCs)
  pid | Process | hits
  2812 | explorer.exe | 22
  2428 | yrp.exe | 2
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target | hits
  PID 2968 wrote to memory of 2428 | 2968 | d9cf57a7c2e8430bd4224d594d6af42d_JaffaCakes118.exe | 30 | 4
  (2968 is the dropper and 2428 is its child yrp.exe; see Processes.)
- Uses Task Scheduler COM API (1 TTP, no IoCs listed)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
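The three persistence signatures above (the exefile/.exe association hijack, the HKCU Run entry and the Active Setup key) can be checked on a suspect host from PowerShell. The script below is an added example; it is not part of the tria.ge report and not code from the sample. It assumes it runs as the affected user, uses the standard Windows key paths, and treats the "user-writable path" regular expression as a heuristic rather than an exhaustive list.

```powershell
# Added example, not from the tria.ge report. Audits the per-user registry
# locations the sample wrote to and, with -Repair, removes the exefile hijack.
# Assumptions: run as the affected user; key paths are the Windows defaults;
# the "user-writable" regex below is a heuristic, not an exhaustive list.
[CmdletBinding()]
param([switch]$Repair)

$findings = New-Object 'System.Collections.Generic.List[object]'
function Add-Finding([string]$Check, [string]$Key, [string]$Value) {
    $findings.Add([pscustomobject]@{ Check = $Check; Key = $Key; Value = $Value })
}
# Directories a standard user can write to; the sample lived in C:\Users\Admin\AppData\Local\yrp.exe
$userWritable = '(?i)\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\|\\Temp\\|\\ProgramData\\'
$defaultCmd   = '"%1" %*'    # Windows default for exefile\shell\<verb>\command

# --- 1. Executable association: HKCU\Software\Classes overrides HKLM for this user ---
# The sample set exefile\shell\open\command (Default) to
#   "C:\Users\Admin\AppData\Local\yrp.exe" -a "%1" %*
# so every .exe launched through the shell association starts yrp.exe first.
foreach ($cls in 'exefile', '.exe') {
    $base = "HKCU:\Software\Classes\$cls"
    if (-not (Test-Path -LiteralPath $base)) { continue }
    Add-Finding 'Per-user override of class exists' $base ''   # unusual on a clean profile
    foreach ($verb in 'open', 'runas', 'start') {
        $k = "$base\shell\$verb\command"
        if (-not (Test-Path -LiteralPath $k)) { continue }
        $props = Get-ItemProperty -LiteralPath $k
        foreach ($name in '(default)', 'IsolatedCommand') {
            $v = $props.$name
            if ($v -and $v -ne $defaultCmd) { Add-Finding 'exefile command hijack' "$k\$name" $v }
        }
    }
}

# --- 2. Run / RunOnce entries; flag images under user-writable paths ---
foreach ($rk in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce') {
    if (-not (Test-Path -LiteralPath $rk)) { continue }
    foreach ($p in (Get-ItemProperty -LiteralPath $rk).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }         # PSPath, PSParentPath, ... provider metadata
        $v = [string]$p.Value
        $check = if ($v -match $userWritable) { 'Run entry in user-writable path' } else { 'Run entry' }
        Add-Finding $check "$rk\$($p.Name)" $v        # the sample's entry pointed at system32\ctfmon.exe
    }
}

# --- 3. Active Setup: the HKLM StubPath is what executes at logon; the HKCU
#        Installed Components key only records that a component already ran ---
foreach ($as in 'HKLM:\Software\Microsoft\Active Setup\Installed Components',
                'HKLM:\Software\Wow6432Node\Microsoft\Active Setup\Installed Components') {
    Get-ChildItem -LiteralPath $as -ErrorAction SilentlyContinue | ForEach-Object {
        $stub = (Get-ItemProperty -LiteralPath $_.PSPath).StubPath
        if ($stub -and $stub -match $userWritable) {
            Add-Finding 'Active Setup StubPath in user-writable path' $_.PSPath $stub
        }
    }
}

# --- 4. Optional repair: drop the per-user class overrides so the HKLM defaults apply.
#        Do this before deleting yrp.exe: while the hijack is live every .exe started
#        through the shell association (double-click, Start menu, ShellExecute) goes
#        through yrp.exe, and removing the file first breaks those launch paths.
if ($Repair) {
    foreach ($cls in 'exefile', '.exe') {
        $base = "HKCU:\Software\Classes\$cls"
        if (Test-Path -LiteralPath $base) {
            Remove-Item -LiteralPath $base -Recurse -Force
            Write-Verbose "Removed $base"
        }
    }
}

$findings | Format-Table -AutoSize -Wrap
```

Run it once without -Repair to review the findings, then with -Repair -Verbose from the same PowerShell session; Remove-Item works in-process, so the repair does not itself depend on launching a new .exe through the hijacked association. The Run entry check lists every entry, not only the flagged ones, because the sample's own entry (ctfmon.exe in system32) would not be caught by a path heuristic and has to be compared against a known-good profile.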
Processes
- C:\Users\Admin\AppData\Local\Temp\d9cf57a7c2e8430bd4224d594d6af42d_JaffaCakes118.exe (PID 2968, tree root)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d9cf57a7c2e8430bd4224d594d6af42d_JaffaCakes118.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\yrp.exe (PID 2428, child of 2968)
    Command line: "C:\Users\Admin\AppData\Local\yrp.exe" -gav C:\Users\Admin\AppData\Local\Temp\d9cf57a7c2e8430bd4224d594d6af42d_JaffaCakes118.exe
    - Deletes itself
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
- C:\Windows\explorer.exe (PID 2812, separate tree root)
  Command line: explorer.exe
  - Boot or Logon Autostart Execution: Active Setup
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution, T1547 (2)
  - Active Setup, T1547.014 (1)
  - Registry Run Keys / Startup Folder, T1547.001 (1)
- Event Triggered Execution, T1546 (1)
  - Change Default File Association, T1546.001 (1)
Privilege Escalation
- Boot or Logon Autostart Execution, T1547 (2)
  - Active Setup, T1547.014 (1)
  - Registry Run Keys / Startup Folder, T1547.001 (1)
- Event Triggered Execution, T1546 (1)
  - Change Default File Association, T1546.001 (1)
Downloads
- Filesize: 332KB
- MD5: d9cf57a7c2e8430bd4224d594d6af42d
- SHA1: 49e4045518eaf43993e20417c957f6a46e9e7b02
- SHA256: ba251654fa02a35fd14bdf741e3e9bb6e16b19ef66a4ad9c8220a18598b05fcb
- SHA512: 7f49c0fcc2de5aa845866b9ccc79d192276c0de2e35e703fd3b248ffb543571cfd58d3fa7912e638da8d346fa10a3752e41a1eacf1e9fcddf3e38fdf7c7a3695