Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
123s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
19/09/2024, 06:39
General
-
Target
eac6cb2a4a60d7db2618acb63ba47bfe_JaffaCakes118.exe
-
Size
99KB
-
MD5
eac6cb2a4a60d7db2618acb63ba47bfe
-
SHA1
226ed23500be40bf1e0f79757c15d8a0d731b725
-
SHA256
11e2647b14f26ffbb40a729eeb9e958d1e732bf682f6d209a22c75b84b275859
-
SHA512
e1599c1c39013b989a94e1cf9d7715fb65e08c366928f9548169c27a1cb1243d4c4f87bc4e830dc93c3922798f0f5f75f502017bb2181a510096f7c82432ac15
-
SSDEEP
768:WkpLA8BtBV0QJcW5wqInmNSfyvwx+BKXCJW+trdvsWCJn6jkvORFUWCn7wRu5mEf:vkQJcqwmIfj+ECJGCkvONymEn6zSDIw
Malware Config
Signatures
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Network Service Discovery 1 TTPs 1 IoCs
Attempt to gather information on host's network.
-
Network Share Discovery 1 TTPs
Attempt to gather information on host network.
-
Password Policy Discovery 1 TTPs
Attempt to access detailed information about the password policy used within an enterprise network.
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Domain Trust Discovery 1 TTPs
Attempt gathering information on domain trust relationships.
-
Permission Groups Discovery: Domain Groups 1 TTPs
Attempt to find domain-level groups and permission settings.
-
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
System Network Connections Discovery 1 TTPs 1 IoCs
Attempt to get a listing of network connections.
-
Discovers systems in the same network 1 TTPs 4 IoCs
-
Gathers network information 2 TTPs 3 IoCs
Uses commandline utility to view network configuration.
-
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 34 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\eac6cb2a4a60d7db2618acb63ba47bfe_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\eac6cb2a4a60d7db2618acb63ba47bfe_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Application Data\wmimgmt.exe"C:\ProgramData\Application Data\wmimgmt.exe"2⤵
- Executes dropped EXE
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /v:on /c C:\Users\Admin\AppData\Local\Temp\ghi.bat3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\findstr.exefindstr /s "YM.CGP_" "C:\Users\Admin"\..\*.txt4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\chcp.comchcp4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\net.exenet user4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup administrators4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup administrators5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\systeminfo.exesysteminfo4⤵
- System Location Discovery: System Language Discovery
- Gathers system information
-
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\find.exefind "REG_"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg query HKEY_CURRENT_USER\Software\Microsoft\Office4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg query HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Common\UserInfo4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg query HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Common\UserInfo4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg query HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\UserInfo4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg query HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Common\UserInfo4⤵
-
-
C:\Windows\SysWOW64\reg.exereg query HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\UserInfo4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg query HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Common\UserInfo4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts" /s4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts" /s4⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_CURRENT_USER\Software\Mirabilis\ICQ" /s4⤵
-
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger" /s4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\net.exenet user Admin4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user Admin5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet user Admin /domain4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user Admin /domain5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet group4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 group5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet group /domain4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 group /domain5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet group "domain admins"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 group "domain admins"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet group "domain admins" /domain4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 group "domain admins" /domain5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet group "domain computers"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 group "domain computers"5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet group "domain computers" /domain4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 group "domain computers" /domain5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet group "domain controllers"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 group "domain controllers"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet group "domain controllers" /domain4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 group "domain controllers" /domain5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\ipconfig.exeipconfig /all4⤵
- System Location Discovery: System Language Discovery
- Gathers network information
-
-
C:\Windows\SysWOW64\NETSTAT.EXEnetstat -ano4⤵
- System Location Discovery: System Language Discovery
- System Network Connections Discovery
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\ARP.EXEarp -a4⤵
- Network Service Discovery
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\NETSTAT.EXEnetstat -r4⤵
- System Location Discovery: System Language Discovery
- Gathers network information
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\ROUTE.EXEC:\Windows\system32\route.exe print6⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\net.exenet start4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet use4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo n"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\net.exenet share4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 share5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet view /domain4⤵
- System Location Discovery: System Language Discovery
- Discovers systems in the same network
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\find.exefind /i /v "------"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\find.exefind /i /v "domain"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\find.exefind /i /v "¬A╛╣"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\find.exefind /i /v "░⌡ªµª¿"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\find.exefind /i /v "├ⁿ┴ε"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\find.exefind /i /v "completed successfully"4⤵
-
-
C:\Windows\SysWOW64\net.exenet view /domain:"WORKGROUP"4⤵
- System Location Discovery: System Language Discovery
- Discovers systems in the same network
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\workgrp.tmp "4⤵
-
-
C:\Windows\SysWOW64\find.exefind "\\"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\net.exenet view \\CCJBVTGQ4⤵
- Discovers systems in the same network
-
-
C:\Windows\SysWOW64\net.exenet view \\CCJBVTGQ4⤵
- System Location Discovery: System Language Discovery
- Discovers systems in the same network
-
-
C:\Windows\SysWOW64\find.exefind "Disk"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\PING.EXEping -n 1 CCJBVTGQ4⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\findstr.exefindstr /i "Pinging Reply Request Unknown"4⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
Network
MITRE ATT&CK Enterprise v15
Discovery
Domain Trust Discovery
1Network Service Discovery
1Network Share Discovery
1Password Policy Discovery
1Peripheral Device Discovery
1Permission Groups Discovery
2Domain Groups
1Local Groups
1Process Discovery
1Query Registry
1Remote System Discovery
2System Information Discovery
3System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1System Network Connections Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
99KB
MD5eac6cb2a4a60d7db2618acb63ba47bfe
SHA1226ed23500be40bf1e0f79757c15d8a0d731b725
SHA25611e2647b14f26ffbb40a729eeb9e958d1e732bf682f6d209a22c75b84b275859
SHA512e1599c1c39013b989a94e1cf9d7715fb65e08c366928f9548169c27a1cb1243d4c4f87bc4e830dc93c3922798f0f5f75f502017bb2181a510096f7c82432ac15
-
Filesize
49B
MD52aab214cfdd98a617d0ea9d44028d612
SHA18b9f2a39214582f3b15bb47bd7b726140c085114
SHA2566c7f2fa81a1e8dd1e3c55c7c92f60a66c6b049418d592b07b71586ad048bb979
SHA5121ce093858634932ee7687810731bcb0ec888d6e299d6ff6b93f7730a5a7552c82e512d63090dbfb884526491608493db01e7224aed61cc7638900f864bd74445
-
Filesize
7KB
MD5e0999245fe0d08c7454594dc695ee500
SHA1dc5449395e3b91b5d6d9ec30284e545a518ca822
SHA25646d21ac64ec059254b2a8ddd817c9149ac71099ce4dbf56a2cb27dfcee9f9062
SHA512f9e027b3996480625712d6b6acd01f71ea9a34a69625c5402103babe3be4503165f2445afe4ae5f71fda6bba623aece1b153341ad0aa39ff97ece31cb9514a33
-
Filesize
24.9MB
MD59527538092bb2f9073579e36acd6e733
SHA1694a7f1ca42bf4f8e1f5a965bb0ddf97ff65dc90
SHA2564676439ed050fe66c1e307bd20e2b0cac7ee6031e3966b0c9d8a0658ab81a648
SHA512bc815cad9892f884b11454ec73373256b2248deeea8151793db8f3d4650f4e64a0282ff6426340ad2fb4df2cf0d6c16f26ed0030f70e65b51f01e34f17ec41ae
-
Filesize
15B
MD54ff8e80638f36abd8fb131c19425317b
SHA1358665afaf5f88dfebcdb7c56e963693c520c136
SHA2566b8ceb900443f4924efd3187693038965ad7edb488879305489aa72d78f69626
SHA512d4e6e3d789bc76102c500b46a5aa799c5ebfc432a44117aa0b7c7512439d33a423630b963fb04cda1da17a7f6517b276a3e9298c17cbf795964090f4b9e5d8f1
-
Filesize
4KB
MD5b91bc08162fbc3445c5424b77183b807
SHA152b2a60db40cdcc655648a65210ed26219c033e1
SHA2567cec366268426139777f0776ba3cbce6a50f4112a96fa88190bee2ebe665275a
SHA5122f19fe96209dcb4e189a8fecddcac40ebed8ce0c6999a469268b57e74e9e830a7b03c1d024c616797ae9029a4566fa96006f29e1fa042bca1534d1d815ae8b35
-
Filesize
153B
MD5b256c8a481b065860c2812e742f50250
SHA151ddf02764fb12d88822450e8a27f9deac85fe54
SHA256b167a692a2ff54cc5625797ddc367ba8736797130b93961d68b9150aef2f0e12
SHA512f425ae70449d16bdb05fcc7913744fb0a81ab81278735d77ce316007b8298ad3c3991a29af67b336420f7dca94702271e59186174b5b78b5cdab1f8ce0163360
-
Filesize
72B
MD559f2768506355d8bc50979f6d64ded26
SHA1b2d315b3857bec8335c526a08d08d6a1b5f5c151
SHA2567f9f3cbab32b3a5022bed245092835cb12502fa2e79d85c8c45d478918ee6569
SHA512e9aa231d19cb5f93711cd3ffee4a6bd8764b21249ed7eb06ff34bcb457cd075384a0858ea35a99280bff16c01875a4ed79598a6503fcf5262da6f0849b5b1028
-
Filesize
64B
MD5e29f80bf6f6a756e0bc6d7f5189a9bb2
SHA1acdd1032b7dc189f8e68b390fe6fd964618acd72
SHA2568bfe9f81e5c82cbfe69203c993009c22f940f20727fa8cb43773958bf0eba7c7
SHA512f390fc82bdeb43721aa08f3666a4ed7d9ad4a5c1ff91be6967336417a5a5b7968b945773f68effcbe961072b801c3681455cf98b956cd802eba24190bd54268e
-
Filesize
234B
MD556b14ddb1bd62d1b712e03f36a58a34a
SHA123bbe61061ea923ef9c1a461a839611b50984bba
SHA2565af7f06b5d6cd2db7306b606699551f43010131171543758fc49276bcc8cc519
SHA512adfc6a9070d77a15fe10566d0ff3146a2e12abcf987704ee05f28058451cb9f60df90aa8b5c52af98bd7ffbd25fb4d16e0f16d44b2541dd0bbcde03365afda0e
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB