Analysis
- max time kernel: 147s
- max time network: 140s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 18/09/2024, 20:39
Static task: static1
Behavioral task: behavioral1
- Sample: e9ee6d7c87924e2858225ea99164ad14_JaffaCakes118.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: e9ee6d7c87924e2858225ea99164ad14_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: e9ee6d7c87924e2858225ea99164ad14_JaffaCakes118.exe
- Size: 176KB
- MD5: e9ee6d7c87924e2858225ea99164ad14
- SHA1: 1fd7be8a183e94394d0cf63c72df3afd7863319b
- SHA256: 1aba614fd0961addeea90dd343edba348aa72c6b3717d4a346cf7db0135ede08
- SHA512: 0402b55c4ce2e98d25cfb28804e3192343b1e15fa44e5de06344254760a64cfe9968d09fe4cc63cb653c4c4e5d3c932edf4b4436d1e9fbf52e5dcfd085311f06
- SSDEEP: 3072:IEaEEkmqdQALvxNZPz58QUYMIN/c4ZrJEm/1wW9VSvCkLp2O2hpRqC:LnTKALvxrF8QUYtuwdVv4H8bb
Malware Config
Signatures
- Deletes itself (1 IoC)
  PID 2736, cmd.exe
- Executes dropped EXE (1 IoC)
  PID 332, csrss.exe
- Unexpected DNS network traffic destination (4 IoCs)
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  Destination IP: 94.242.250.64 (reported 4 times)
- Drops desktop.ini file(s) (2 IoCs)
  File created: \systemroot\assembly\GAC_32\Desktop.ini (csrss.exe)
  File created: \systemroot\assembly\GAC_64\Desktop.ini (csrss.exe)
- Suspicious use of SetThreadContext (1 IoC)
  PID 584 (e9ee6d7c87924e2858225ea99164ad14_JaffaCakes118.exe) set thread context of PID 2736; procid_target 31
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (e9ee6d7c87924e2858225ea99164ad14_JaffaCakes118.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  PID 584, e9ee6d7c87924e2858225ea99164ad14_JaffaCakes118.exe (4 entries)
  PID 332, csrss.exe (1 entry)
- Suspicious use of AdjustPrivilegeToken (64 IoCs; the report repeats the same token/process pairs, listed here once each)
  Token SeDebugPrivilege: PID 584, e9ee6d7c87924e2858225ea99164ad14_JaffaCakes118.exe
  Token SeAssignPrimaryTokenPrivilege: PID 848, svchost.exe
  Token SeIncreaseQuotaPrivilege: PID 848, svchost.exe
  Token SeSecurityPrivilege: PID 848, svchost.exe
  Token SeTakeOwnershipPrivilege: PID 848, svchost.exe
  Token SeLoadDriverPrivilege: PID 848, svchost.exe
  Token SeSystemtimePrivilege: PID 848, svchost.exe
  Token SeBackupPrivilege: PID 848, svchost.exe
  Token SeRestorePrivilege: PID 848, svchost.exe
  Token SeShutdownPrivilege: PID 848, svchost.exe
  Token SeSystemEnvironmentPrivilege: PID 848, svchost.exe
  Token SeUndockPrivilege: PID 848, svchost.exe
  Token SeManageVolumePrivilege: PID 848, svchost.exe
- Suspicious use of UnmapMainImage (1 IoC)
  PID 332, csrss.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  PID 584 (e9ee6d7c87924e2858225ea99164ad14_JaffaCakes118.exe) wrote to memory of PID 1148; procid_target 20
  PID 584 (e9ee6d7c87924e2858225ea99164ad14_JaffaCakes118.exe) wrote to memory of PID 332; procid_target 2
  PID 584 (e9ee6d7c87924e2858225ea99164ad14_JaffaCakes118.exe) wrote to memory of PID 2736; procid_target 31 (5 entries)
  PID 332 (csrss.exe) wrote to memory of PID 848; procid_target 13
  PID 332 (csrss.exe) wrote to memory of PID 1140; procid_target 33 (2 entries)
Processes
- C:\Windows\system32\csrss.exe (PID 332)
  Command line: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
  Signatures: Executes dropped EXE; Drops desktop.ini file(s); Suspicious behavior: EnumeratesProcesses; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
- C:\Windows\system32\svchost.exe (PID 848)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\Explorer.EXE (PID 1148)
  Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\e9ee6d7c87924e2858225ea99164ad14_JaffaCakes118.exe (PID 584)
    Command line: "C:\Users\Admin\AppData\Local\Temp\e9ee6d7c87924e2858225ea99164ad14_JaffaCakes118.exe"
    Signatures: Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2736)
      Command line: "C:\Windows\system32\cmd.exe"
      Signatures: Deletes itself; System Location Discovery: System Language Discovery
- C:\Windows\system32\wbem\wmiprvse.exe (PID 1140)
  Command line: C:\Windows\system32\wbem\wmiprvse.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 52KB
  MD5: e60558bda4e220f494f7ef757f0bd725
  SHA1: 9e1215bdad1a51123a4eb012f1f4e3103ac436ed
  SHA256: 86a744302786cb7afb20ccf54f8e157fc149906fca8af1bcc62bc56f8d807a98
  SHA512: e13e010a99d501a4c462377f144614945346e00b28e1a39936c329f6cdb8ddf24a9188bdb7bd5723925c77b940d6559fd876ad574a8dccac07cd1b1ea13e7576
- Filesize: 2KB
  MD5: 98ef2e2d2da5c28b255718d54d3d6c0d
  SHA1: 5f5279d5a6928772c586a3004092164bffd15880
  SHA256: 5eb1f8578591e4f2721d7085395fa44c2b2753ee47df015ad3a57ace2b11162a
  SHA512: e5ad35068950b0e58a8b751ca7a36a90804c5e0a4388d9f9b654fe31d4b8291afbbae738a45d59184cdc91680d9d66c9ae14b917638f5cce8f57f99100623f48