Analysis
- max time kernel: 121s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 12/09/2024, 02:11
Static task: static1
Behavioral task: behavioral1
- Sample: dba1f8deb38b39cc6fb08a8633de1ee2_JaffaCakes118.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: dba1f8deb38b39cc6fb08a8633de1ee2_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
The signatures and process tree below are from behavioral1, the run on the windows7_x64 platform named in the Analysis block above.
General
- Target: dba1f8deb38b39cc6fb08a8633de1ee2_JaffaCakes118.exe
- Size: 72KB
- MD5: dba1f8deb38b39cc6fb08a8633de1ee2
- SHA1: 89989411515c1e469f017b9b721f9bea302d7cd4
- SHA256: 0d300e405486d24ff5910d1f9b29f88bcb5425ac559634dcbaed6e2fcfeba551
- SHA512: 3cee0ef1f7636b74f2450b0678a03ad3d63f29460a48b41270e6aa4fde7d1eb2c19e831b1e0d3dbbad48d99cbe7d67bf0d65b9ca071871dc03f72cf209252138
- SSDEEP: 1536:iFBfsS24ZlDQ+j8jjE+OzUaQ+MpDS6QsQ+wQ++Q+VOZL:iFBfsSZZOrh1SlHaYIM
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
- Set value (int): \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (process: dba1f8deb38b39cc6fb08a8633de1ee2_JaffaCakes118.exe)
Setting HideFileExt to 1 makes Explorer hide the extension of known file types for this user, so a file named Internet Explorer.lnk is displayed simply as Internet Explorer. The sample pairs this with a NeverShowExt value on the registry class it creates (see "Modifies registry class" below).
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 2 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. At each user's next logon, Explorer runs the StubPath of every component under Installed Components that the user has not already run (Windows tracks this with a per-user copy of the component key under HKCU).
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5} (process: dba1f8deb38b39cc6fb08a8633de1ee2_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}\StubPath = "file:\\\\C:\\sys.exe" (process: dba1f8deb38b39cc6fb08a8633de1ee2_JaffaCakes118.exe; the report shows backslashes doubled, the stored string is file:\\C:\sys.exe)
Two details make this entry easy to pick out in a registry sweep: the component name is not a valid GUID (X, J, H, U and R are not hexadecimal digits, whereas legitimate Active Setup components use a real GUID), and the StubPath is a file: URI pointing at an executable in the drive root rather than a plain path under Windows or Program Files. The key sits under Wow6432Node because the sample is a 32-bit process. C:\sys.exe does not appear among the files this report records as dropped, so the report does not show where, or whether, that file is written.
Drops file in System32 directory (2 IoCs)
- File created: C:\WINDOWS\SysWOW64\qx1.bat (process: dba1f8deb38b39cc6fb08a8633de1ee2_JaffaCakes118.exe)
- File created: C:\WINDOWS\SysWOW64\ie.bat (process: dba1f8deb38b39cc6fb08a8633de1ee2_JaffaCakes118.exe)
The files land in SysWOW64 rather than System32 because WOW64 file system redirection applies to the 32-bit sample. The contents of the two batch files are not captured in this report.
Hide Artifacts: Hidden Files and Directories (1 TTPs, 5 IoCs)
- PID 2524 cmd.exe
- PID 1144 cmd.exe
- PID 2112 cmd.exe
- PID 2696 cmd.exe
- PID 2732 cmd.exe
Each of these cmd.exe instances runs attrib +h against one Internet Explorer shortcut; the full command lines are in the process tree below.
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 11 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (5 times by attrib.exe, 5 times by cmd.exe, once by dba1f8deb38b39cc6fb08a8633de1ee2_JaffaCakes118.exe)
Ten of the eleven hits come from the cmd.exe and attrib.exe helpers the sample launches, and reading NLS\Language is routine for any process that initialises locale data, so this signature carries little weight on its own. The hard-coded Chinese-language profile paths in the process tree are the stronger indication of the sample's intended targets.
Modifies Internet Explorer settings (1 IoC)
- Key created: \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main (process: dba1f8deb38b39cc6fb08a8633de1ee2_JaffaCakes118.exe)
Modifies Internet Explorer start page (1 TTPs, 1 IoC)
- Set value (str): \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://hao.greenhome001.com.cn" (process: dba1f8deb38b39cc6fb08a8633de1ee2_JaffaCakes118.exe)
Modifies registry class (9 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\. (process: dba1f8deb38b39cc6fb08a8633de1ee2_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.\NeverShowExt = "1" (process: dba1f8deb38b39cc6fb08a8633de1ee2_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.exe" (process: dba1f8deb38b39cc6fb08a8633de1ee2_JaffaCakes118.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.\shell\open (process: dba1f8deb38b39cc6fb08a8633de1ee2_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.\ = "Internet Explorer" (process: dba1f8deb38b39cc6fb08a8633de1ee2_JaffaCakes118.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.\DefaultIcon (process: dba1f8deb38b39cc6fb08a8633de1ee2_JaffaCakes118.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.\shell\open\command (process: dba1f8deb38b39cc6fb08a8633de1ee2_JaffaCakes118.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.\shell (process: dba1f8deb38b39cc6fb08a8633de1ee2_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.\shell\open\command\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.exe http://hao.greenhome001.com.cn" (process: dba1f8deb38b39cc6fb08a8633de1ee2_JaffaCakes118.exe)
Taken together these writes register a file class named "." whose friendly name is "Internet Explorer", whose icon is the genuine IEXPLORE.exe, whose extension is never displayed (NeverShowExt), and whose open verb launches Internet Explorer directly on http://hao.greenhome001.com.cn. That combination is the classic fake-shortcut homepage hijack: any file registered against the class looks like the real Internet Explorer shortcut in Explorer and opens the hijack URL when double-clicked, while the attrib +h commands in the process tree hide the genuine shortcuts. This report does not show a file being created with that extension, so the hijack may not have been completed on this run. To check a host, look under HKLM\SOFTWARE\Classes and HKCU\Software\Classes for extension keys that set NeverShowExt and whose shell\open\command embeds a URL.
Suspicious use of SetWindowsHookEx (1 IoC)
- PID 1952 dba1f8deb38b39cc6fb08a8633de1ee2_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (40 IoCs)
Each write below is logged four times in the report; the rows are the ten distinct writer/target pairs (procid_target is the report's internal index of the target process).
- PID 1952 dba1f8deb38b39cc6fb08a8633de1ee2_JaffaCakes118.exe wrote to memory of PID 2524 (procid_target 30)
- PID 2524 cmd.exe wrote to memory of PID 2188 (procid_target 32)
- PID 1952 dba1f8deb38b39cc6fb08a8633de1ee2_JaffaCakes118.exe wrote to memory of PID 1144 (procid_target 33)
- PID 1144 cmd.exe wrote to memory of PID 1976 (procid_target 35)
- PID 1952 dba1f8deb38b39cc6fb08a8633de1ee2_JaffaCakes118.exe wrote to memory of PID 2112 (procid_target 36)
- PID 2112 cmd.exe wrote to memory of PID 2784 (procid_target 38)
- PID 1952 dba1f8deb38b39cc6fb08a8633de1ee2_JaffaCakes118.exe wrote to memory of PID 2696 (procid_target 39)
- PID 2696 cmd.exe wrote to memory of PID 2176 (procid_target 41)
- PID 1952 dba1f8deb38b39cc6fb08a8633de1ee2_JaffaCakes118.exe wrote to memory of PID 2732 (procid_target 42)
- PID 2732 cmd.exe wrote to memory of PID 2872 (procid_target 44)
Every target is a child the writer has just created (the pairs are exactly the parent/child edges of the process tree), and CreateProcess writes the startup parameters into a new child's address space as part of normal process creation, so these hits do not by themselves indicate injection into a foreign process.
Views/modifies file attributes (1 TTPs, 5 IoCs)
- PID 2176 attrib.exe
- PID 2872 attrib.exe
- PID 2188 attrib.exe
- PID 1976 attrib.exe
- PID 2784 attrib.exe
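The Active Setup and registry-class entries above are the kind of writes a registry-event triage rule should catch. The following Python is an added example, not part of the tria.ge report or of any Hatching tooling; it encodes the checks described above (component name that is not a GUID, StubPath given as a file: URI or pointing outside Windows and Program Files, a shell\open\command that embeds a URL, NeverShowExt, HideFileExt forced on, a rewritten IE start page) and runs them over event rows constructed from the IoCs on this page. The event structure, the trusted-directory list, the finding strings and the benign control entry are assumptions of the example; on a live host you would feed it the output of a registry enumeration over the same keys instead.

```python
"""Registry-write triage for Active Setup persistence and file-class hijacks.

Added example (not part of the tria.ge report). Sample events below are
constructed from the IoCs on this page; value data is given unescaped.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# A well-formed Windows GUID in braces: 8-4-4-4-12 hex digits.
GUID_RE = re.compile(
    r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I
)
URL_RE = re.compile(r"https?://[^\s\"']+", re.I)
# Where a legitimate StubPath is expected to live (assumption; extend per estate).
TRUSTED_STUB_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass(frozen=True)
class RegEvent:
    op: str                     # "Key created", "Set value (str)", "Set value (int)"
    path: str                   # key path; for Set value the last component is the value name
    data: Optional[str] = None  # value data (None for Key created)


def _parts(path: str) -> List[str]:
    return [p for p in path.split("\\") if p]


def check_active_setup(ev: RegEvent) -> List[str]:
    """Flag StubPath writes under Active Setup\\Installed Components."""
    parts = _parts(ev.path)
    if not ev.op.startswith("Set value") or len(parts) < 2:
        return []
    if parts[-1].lower() != "stubpath" or "\\installed components\\" not in ev.path.lower():
        return []
    findings = []
    component = parts[-2]
    if not GUID_RE.match(component):
        findings.append(f"active-setup: component name is not a GUID: {component}")
    target = (ev.data or "").strip().strip('"')
    if target.lower().startswith("file:"):
        findings.append("active-setup: StubPath is a file: URI, not a plain path")
        target = target[len("file:"):].lstrip("\\/")
    if not target.lower().startswith(TRUSTED_STUB_DIRS):
        findings.append(f"active-setup: StubPath outside Windows/Program Files: {target}")
    return findings


def check_class_hijack(ev: RegEvent) -> List[str]:
    """Flag a file class whose open verb launches a URL or that hides its extension."""
    low = ev.path.lower()
    if "\\classes\\" not in low or not ev.op.startswith("Set value"):
        return []
    findings = []
    if "\\shell\\open\\command" in low:
        m = URL_RE.search(ev.data or "")
        if m:
            findings.append(f"class-hijack: open command embeds URL {m.group(0)}")
    if low.endswith("\\nevershowext"):
        findings.append("class-hijack: NeverShowExt set, extension hidden in Explorer")
    return findings


def check_explorer_and_ie(ev: RegEvent) -> List[str]:
    """Flag HideFileExt being forced on and a rewritten IE start page."""
    low = ev.path.lower()
    findings = []
    if low.endswith("\\explorer\\advanced\\hidefileext") and str(ev.data).strip('"') == "1":
        findings.append("defense-evasion: Explorer HideFileExt forced to 1")
    if low.endswith("\\internet explorer\\main\\start page"):
        findings.append(f"browser-hijack: IE start page set to {ev.data}")
    return findings


CHECKS = (check_active_setup, check_class_hijack, check_explorer_and_ie)


def triage(events) -> List[str]:
    """Run every check over every event and return the findings in order."""
    return [f for ev in events for chk in CHECKS for f in chk(ev)]


USER = "\\REGISTRY\\USER\\S-1-5-21-3434294380-2554721341-1919518612-1000"
AS = "\\REGISTRY\\MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Active Setup\\Installed Components"
CLS = "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\."

# Constructed from the IoCs in this report.
SAMPLE_EVENTS = [
    RegEvent("Set value (int)", USER + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt", "1"),
    RegEvent("Key created", AS + "\\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}"),
    RegEvent("Set value (str)", AS + "\\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}\\StubPath", r"file:\\C:\sys.exe"),
    RegEvent("Set value (str)", USER + "\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page", "http://hao.greenhome001.com.cn"),
    RegEvent("Set value (str)", CLS + "\\NeverShowExt", "1"),
    RegEvent("Set value (str)", CLS + "\\DefaultIcon\\", r"C:\Program Files\Internet Explorer\IEXPLORE.exe"),
    RegEvent("Set value (str)", CLS + "\\", "Internet Explorer"),
    RegEvent("Set value (str)", CLS + "\\shell\\open\\command\\", r"C:\Program Files\Internet Explorer\IEXPLORE.exe http://hao.greenhome001.com.cn"),
]
# Constructed benign control (made-up GUID): a well-formed name with a stub under Windows.
BENIGN_EVENT = RegEvent("Set value (str)", AS + "\\{0F43BAB4-F7BD-4A39-B5F3-0D0E0F1A2B3C}\\StubPath",
                        r"C:\Windows\System32\regsvr32.exe /s /n /i:U shell32.dll")

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Run as a script it prints seven findings for the sample's events and none for the control; the GUID and file: URI checks are the cheapest to apply across a whole estate because they need no allow-list at all.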
Processes
C:\Users\Admin\AppData\Local\Temp\dba1f8deb38b39cc6fb08a8633de1ee2_JaffaCakes118.exe (PID 1952)
  Command line: "C:\Users\Admin\AppData\Local\Temp\dba1f8deb38b39cc6fb08a8633de1ee2_JaffaCakes118.exe"
  - Modifies visibility of file extensions in Explorer
  - Boot or Logon Autostart Execution: Active Setup
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (PID 2524)
    Command line: "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
    - Hide Artifacts: Hidden Files and Directories
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\attrib.exe (PID 2188)
      Command line: attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
      - System Location Discovery: System Language Discovery
      - Views/modifies file attributes
  C:\Windows\SysWOW64\cmd.exe (PID 1144)
    Command line: "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
    - Hide Artifacts: Hidden Files and Directories
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\attrib.exe (PID 1976)
      Command line: attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
      - System Location Discovery: System Language Discovery
      - Views/modifies file attributes
  C:\Windows\SysWOW64\cmd.exe (PID 2112)
    Command line: "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
    - Hide Artifacts: Hidden Files and Directories
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\attrib.exe (PID 2784)
      Command line: attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
      - System Location Discovery: System Language Discovery
      - Views/modifies file attributes
  C:\Windows\SysWOW64\cmd.exe (PID 2696)
    Command line: "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
    - Hide Artifacts: Hidden Files and Directories
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\attrib.exe (PID 2176)
      Command line: attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
      - System Location Discovery: System Language Discovery
      - Views/modifies file attributes
  C:\Windows\SysWOW64\cmd.exe (PID 2732)
    Command line: "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
    - Hide Artifacts: Hidden Files and Directories
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\attrib.exe (PID 2872)
      Command line: attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
      - System Location Discovery: System Language Discovery
      - Views/modifies file attributes
The five cmd.exe children each run attrib +h against one Internet Explorer shortcut. The paths are kept verbatim above because they are the IoCs; they are hard-coded for a Chinese-language Windows XP profile layout under C:\Documents and Settings, where 桌面 is the Desktop folder, 「开始」菜单\程序 is Start Menu\Programs, and 启动 Internet Explorer 浏览器.lnk is the "Launch Internet Explorer Browser" Quick Launch shortcut. The en-US Windows 7 image used for this run keeps profiles under C:\Users with English folder names, so most of these paths do not exist on the sandbox and the report does not record whether any attrib call succeeded; the intent, hiding the genuine Internet Explorer shortcuts on the Desktop, the Quick Launch bar and the Start Menu, is consistent with the fake "Internet Explorer" registry class registered above. cmd.exe and attrib.exe run from SysWOW64 although the command lines name System32: WOW64 redirects the 32-bit sample's process creation to the 32-bit binaries.
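The process tree above is a concrete pattern for a process-creation detection: a non-shell parent spawning a burst of cmd.exe /c attrib +h calls, each aimed at a .lnk in a shortcut location. The Python below is an added example, not code from the tria.ge report or from Hatching; it walks process-creation records constructed to mirror the tree (image, PID, parent PID, command line), recognises attrib invocations that set the hidden attribute on a shortcut under a Desktop, Start Menu or Quick Launch folder (English names and the Chinese names seen here), attributes each to the nearest ancestor that is not cmd.exe or attrib.exe, and reports ancestors that hid at least two distinct shortcuts. The record layout, the folder list, the wrapper list, the threshold and the benign explorer.exe control are assumptions of the example.

```python
"""Detect a process that hides shell shortcuts through cmd.exe /c attrib +h.

Added example (not part of the tria.ge report). Process records are
constructed from the process tree on this page plus one benign control.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

ATTRIB_RE = re.compile(r"\battrib(?:\.exe)?\b", re.I)
# An attrib flag group that sets H, e.g. +h, +sh, +hr (but not -h).
HIDE_FLAG_RE = re.compile(r"(?<!\S)\+[rash]*h[rash]*(?!\S)", re.I)
# First .lnk argument, quoted (may contain spaces and non-ASCII) or bare.
LNK_RE = re.compile(r'"([^"]+\.lnk)"|(\S+\.lnk)', re.I)
# Shortcut folders a user launches programs from: en-US names plus the
# zh-CN Desktop and Start Menu names used by this sample (assumption).
SHORTCUT_DIRS = ("\\desktop\\", "\\start menu\\", "\\quick launch\\", "\\桌面\\", "\\「开始」菜单\\")
# Wrappers to walk through when attributing an attrib call to its driver.
WRAPPERS = ("cmd.exe", "attrib.exe")


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


def hidden_shortcut(cmdline: str) -> Optional[str]:
    """Return the .lnk path if cmdline runs attrib with +H on a shortcut, else None."""
    if not ATTRIB_RE.search(cmdline) or not HIDE_FLAG_RE.search(cmdline):
        return None
    m = LNK_RE.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def in_shortcut_dir(path: str) -> bool:
    low = path.lower()
    return any(d in low for d in SHORTCUT_DIRS)


def root_ancestor(pid: int, by_pid: Dict[int, Proc]) -> Proc:
    """Walk up through cmd.exe/attrib.exe wrappers to the process driving them."""
    p = by_pid[pid]
    while p.image.lower().rsplit("\\", 1)[-1] in WRAPPERS and p.ppid in by_pid:
        p = by_pid[p.ppid]
    return p


def detect_shortcut_hiding(procs: Iterable[Proc], min_shortcuts: int = 2) -> Dict[int, List[str]]:
    """Map the PID of each driving process to the distinct shortcuts it hid."""
    procs = list(procs)
    by_pid = {p.pid: p for p in procs}
    hidden = defaultdict(set)
    for p in procs:
        lnk = hidden_shortcut(p.cmdline)
        if lnk and in_shortcut_dir(lnk):
            hidden[root_ancestor(p.pid, by_pid).pid].add(lnk)
    return {pid: sorted(s) for pid, s in hidden.items() if len(s) >= min_shortcuts}


# Constructed records mirroring the process tree in this report.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\dba1f8deb38b39cc6fb08a8633de1ee2_JaffaCakes118.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
ATTRIB = r"C:\Windows\SysWOW64\attrib.exe"
TARGETS = [
    r"C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk",
    r"C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk",
    r"C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk",
    r"C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk",
    r"C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk",
]
PIDS = [(2524, 2188), (1144, 1976), (2112, 2784), (2696, 2176), (2732, 2872)]

SAMPLE_PROCS = [Proc(1952, 1000, SAMPLE, f'"{SAMPLE}"')]
for (cmd_pid, attrib_pid), lnk in zip(PIDS, TARGETS):
    SAMPLE_PROCS.append(Proc(cmd_pid, 1952, CMD, f'"C:\\Windows\\System32\\cmd.exe" /c attrib +h "{lnk}"'))
    SAMPLE_PROCS.append(Proc(attrib_pid, cmd_pid, ATTRIB, f'attrib +h "{lnk}"'))
# Constructed benign control: explorer.exe hiding a single shortcut once.
SAMPLE_PROCS.append(Proc(900, 1000, r"C:\Windows\explorer.exe", r'"C:\Windows\explorer.exe"'))
SAMPLE_PROCS.append(Proc(901, 900, CMD, r'"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Users\Admin\Desktop\notes.lnk"'))

if __name__ == "__main__":
    for pid, lnks in detect_shortcut_hiding(SAMPLE_PROCS).items():
        print(f"PID {pid} hid {len(lnks)} shortcuts:")
        for lnk in lnks:
            print("  " + lnk)
```

The attribution step matters more than the regex: matching on the attrib.exe command line alone fires once per shortcut and once more for the cmd.exe wrapper, whereas rolling the hits up to the driving process yields a single alert with the full list of targets and keeps a user hiding one shortcut by hand below the threshold.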