Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
15/09/2024, 15:44
Static task
static1
Behavioral task
behavioral1
Sample
e2d4c198cf489e724a91f76f9e3fb00e_JaffaCakes118.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
e2d4c198cf489e724a91f76f9e3fb00e_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
e2d4c198cf489e724a91f76f9e3fb00e_JaffaCakes118.exe
-
Size
1.7MB
-
MD5
e2d4c198cf489e724a91f76f9e3fb00e
-
SHA1
8661cd99b2fa107d8124cee1740934de248d47bd
-
SHA256
ff76d34bace404e490aefcc36d341fc63555c0a2f874362be80be7a23ee2f227
-
SHA512
10d282e99e7c2f24ee9bbfe0acd8feba70384c1892de70046eba1084f4a15cfbbe4d64b0f263cecffdbf3c12c97922b783ddb05052894c41d1f3878731490ef9
-
SSDEEP
49152:7WKfCRdWutR4D3A1A+hQ88aZQS+asUd91Evw:yKfm4AheMZx+aseKw
Malware Config
Extracted
metasploit
encoder/fnstenv_mov
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Modifies security service 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" regedit.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "e2d4c198cf489e724a91f76f9e3fb00e_JaffaCakes118.exe" e2d4c198cf489e724a91f76f9e3fb00e_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\ = "e2d4c198cf489e724a91f76f9e3fb00e_JaffaCakes118.exe" e2d4c198cf489e724a91f76f9e3fb00e_JaffaCakes118.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\ e2d4c198cf489e724a91f76f9e3fb00e_JaffaCakes118.exe File created C:\Windows\SysWOW64\ e2d4c198cf489e724a91f76f9e3fb00e_JaffaCakes118.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e2d4c198cf489e724a91f76f9e3fb00e_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regedit.exe -
Runs .reg file with regedit 1 IoCs
pid Process 2852 regedit.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 2520 e2d4c198cf489e724a91f76f9e3fb00e_JaffaCakes118.exe 2520 e2d4c198cf489e724a91f76f9e3fb00e_JaffaCakes118.exe 2520 e2d4c198cf489e724a91f76f9e3fb00e_JaffaCakes118.exe 2520 e2d4c198cf489e724a91f76f9e3fb00e_JaffaCakes118.exe 2520 e2d4c198cf489e724a91f76f9e3fb00e_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2520 e2d4c198cf489e724a91f76f9e3fb00e_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2520 wrote to memory of 2260 2520 e2d4c198cf489e724a91f76f9e3fb00e_JaffaCakes118.exe 30 PID 2520 wrote to memory of 2260 2520 e2d4c198cf489e724a91f76f9e3fb00e_JaffaCakes118.exe 30 PID 2520 wrote to memory of 2260 2520 e2d4c198cf489e724a91f76f9e3fb00e_JaffaCakes118.exe 30 PID 2520 wrote to memory of 2260 2520 e2d4c198cf489e724a91f76f9e3fb00e_JaffaCakes118.exe 30 PID 2260 wrote to memory of 2852 2260 cmd.exe 31 PID 2260 wrote to memory of 2852 2260 cmd.exe 31 PID 2260 wrote to memory of 2852 2260 cmd.exe 31 PID 2260 wrote to memory of 2852 2260 cmd.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\e2d4c198cf489e724a91f76f9e3fb00e_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2d4c198cf489e724a91f76f9e3fb00e_JaffaCakes118.exe"1⤵
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg3⤵
- Modifies security service
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
PID:2852
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5e6d8af5aed642209c88269bf56af50ae
SHA1633d40da997074dc0ed10938ebc49a3aeb3a7fc8
SHA256550abc09abce5b065d360dfea741ab7dd8abbe2ea11cd46b093632860775baec
SHA5126949fc255c1abf009ecbe0591fb6dbfd96409ee98ae438dbac8945684ccf694c046d5b51d2bf7679c1e02f42e8f32e8e29a9b7bdbc84442bec0497b64dfa84cf
-
Filesize
3KB
MD59e5db93bd3302c217b15561d8f1e299d
SHA195a5579b336d16213909beda75589fd0a2091f30
SHA256f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e
SHA512b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a
-
Filesize
5KB
MD50019a0451cc6b9659762c3e274bc04fb
SHA15259e256cc0908f2846e532161b989f1295f479b
SHA256ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876
SHA512314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904