Analysis
- max time kernel: 150s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 14/09/2024, 13:18
Behavioral task: behavioral1
- Sample: e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe
- Size: 124KB
- MD5: e0433cbd5cbbcc60df0a814cc75b057b
- SHA1: 03c2fc3f3d2dc855960ed55f63b356c2db6b72d2
- SHA256: 9948310d250dacd1f19d2b80510e86dd0403146b3503abd5ef294672ecb66066
- SHA512: 2b4d476a181d17f002273a3ceee20c195ef0238bd9b31d3269c7741729198f091e175abe141f505109f7713deb9f6624e1ad4823c8eebea4fdf1782009f63172
- SSDEEP: 1536:qFDLNGB0Quqle7WJAjwcY7LtKnBDka58g0ApRHSIWXvpNQa9lq5cbrRIJx7w7hyg:qNL7nwxiO7LtKBQ2bjWXxr9EUrfCQJX
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\"" | e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\"" | lsass.exe |
Modifies Windows Firewall (2 TTPs, 1 IoC)

| pid | Process |
|---|---|
| 1824 | netsh.exe |

Deletes itself (1 IoC)

| pid | Process |
|---|---|
| 2608 | lsass.exe |

Executes dropped EXE (2 IoCs)

| pid | Process |
|---|---|
| 656 | lsass.exe |
| 2608 | lsass.exe |

Loads dropped DLL (3 IoCs)

| pid | Process |
|---|---|
| 2844 | e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe |
| 2844 | e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe |
| 656 | lsass.exe |
UPX-packed regions (4 IoCs)

| resource | yara_rule |
|---|---|
| behavioral1/memory/2716-0-0x0000000000400000-0x000000000042A000-memory.dmp | upx |
| behavioral1/memory/2716-2-0x0000000000400000-0x000000000042A000-memory.dmp | upx |
| behavioral1/files/0x0065000000011c27-31.dat | upx |
| behavioral1/memory/656-49-0x0000000000400000-0x000000000042A000-memory.dmp | upx |
Adds Run key to start application (2 TTPs, 4 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\"" | e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\"" | e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\"" | lsass.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\"" | lsass.exe |

Suspicious use of SetThreadContext (2 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 2716 set thread context of 2844 | 2716 | e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe | 30 |
| PID 656 set thread context of 2608 | 656 | lsass.exe | 35 |
Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe |
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)

An attempt to gather information about the system language of a victim host in order to infer its geographical location.

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | lsass.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | lsass.exe |
Suspicious use of SetWindowsHookEx (2 IoCs)

| pid | Process |
|---|---|
| 2844 | e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe |
| 2608 | lsass.exe |

Suspicious use of WriteProcessMemory (26 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 2716 wrote to memory of 2844 | 2716 | e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe | 30 |
| PID 2716 wrote to memory of 2844 | 2716 | e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe | 30 |
| PID 2716 wrote to memory of 2844 | 2716 | e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe | 30 |
| PID 2716 wrote to memory of 2844 | 2716 | e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe | 30 |
| PID 2716 wrote to memory of 2844 | 2716 | e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe | 30 |
| PID 2716 wrote to memory of 2844 | 2716 | e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe | 30 |
| PID 2716 wrote to memory of 2844 | 2716 | e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe | 30 |
| PID 2716 wrote to memory of 2844 | 2716 | e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe | 30 |
| PID 2716 wrote to memory of 2844 | 2716 | e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe | 30 |
| PID 2844 wrote to memory of 1824 | 2844 | e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe | 32 |
| PID 2844 wrote to memory of 1824 | 2844 | e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe | 32 |
| PID 2844 wrote to memory of 1824 | 2844 | e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe | 32 |
| PID 2844 wrote to memory of 1824 | 2844 | e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe | 32 |
| PID 2844 wrote to memory of 656 | 2844 | e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe | 34 |
| PID 2844 wrote to memory of 656 | 2844 | e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe | 34 |
| PID 2844 wrote to memory of 656 | 2844 | e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe | 34 |
| PID 2844 wrote to memory of 656 | 2844 | e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe | 34 |
| PID 656 wrote to memory of 2608 | 656 | lsass.exe | 35 |
| PID 656 wrote to memory of 2608 | 656 | lsass.exe | 35 |
| PID 656 wrote to memory of 2608 | 656 | lsass.exe | 35 |
| PID 656 wrote to memory of 2608 | 656 | lsass.exe | 35 |
| PID 656 wrote to memory of 2608 | 656 | lsass.exe | 35 |
| PID 656 wrote to memory of 2608 | 656 | lsass.exe | 35 |
| PID 656 wrote to memory of 2608 | 656 | lsass.exe | 35 |
| PID 656 wrote to memory of 2608 | 656 | lsass.exe | 35 |
| PID 656 wrote to memory of 2608 | 656 | lsass.exe | 35 |
Processes

- C:\Users\Admin\AppData\Local\Temp\e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe (PID 2716, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe (PID 2844, depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe
    - Modifies WinLogon for persistence
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (PID 1824, depth 3)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\lsass.exe" CityScape Enable
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Roaming\lsass.exe (PID 656, depth 3)
      Command line: /d C:\Users\Admin\AppData\Local\Temp\e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\lsass.exe (PID 2608, depth 4)
        Command line: C:\Users\Admin\AppData\Roaming\lsass.exe /d C:\Users\Admin\AppData\Local\Temp\e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe
        - Modifies WinLogon for persistence
        - Deletes itself
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15

- Persistence
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
  - Event Triggered Execution (1)
    - Netsh Helper DLL (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
  - Event Triggered Execution (1)
    - Netsh Helper DLL (1)
Downloads

- Filesize: 124KB
- MD5: f3d079d079bc923c8c52c15c97defc01
- SHA1: 2905e5e990ca4444a6295f2567f3453bd240afd4
- SHA256: a2ce3376897db911d68986bdb5540d634bbf0a812e0ade2881076687674374fc
- SHA512: cf244e3f43bfb7f8d25edcc478e1f8943c97acbbcf463e2543bd5c91fb735c74a5859212b758a876147bdd87143b280fd10e6d05d7e6d892fac4c3722bdab8fb