Analysis
- max time kernel: 147s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 19/09/2024, 15:56
Behavioral task: behavioral1
Sample: ebae0f7205be00ee7d576833574a4553_JaffaCakes118.exe
Resource: win7-20240903-en

General
- Target: ebae0f7205be00ee7d576833574a4553_JaffaCakes118.exe
- Size: 259KB
- MD5: ebae0f7205be00ee7d576833574a4553
- SHA1: 09104faf56af1ce877c0a2ef2ef1445bdd3538de
- SHA256: d45ecd813753f71f8cc83550644bbcf13539c672b731a74be8aeb1e7c9452e56
- SHA512: a5eeda74e1d83a80bd730edb215c95a5f5d68391295dc75477106d93e832101be5555537a7f0554b3f8bad74df99a42cce57271976fa7f7a886e69f3978dcc43
- SSDEEP: 6144:EfmHJPPBGCidJZvqJ3M0Gr1f4Nc9vRhGIL:XPPBvir4Gr1f4e
Malware Config
Signatures
Modifies firewall policy service (3 TTPs, 8 IoCs)
Columns: description, ioc, Process
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\msn.exe = "C:\\Users\\Admin\\AppData\\Roaming\\msn.exe:*:Enabled:Windows Messanger" (reg.exe)
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List (reg.exe)
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\msn.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\msn.exe:*:Enabled:Windows Messanger" (reg.exe)
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (reg.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (reg.exe)
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (reg.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (reg.exe)
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List (reg.exe)
Executes dropped EXE (2 IoCs)
Columns: pid, Process
- 2140 msn.exe
- 2720 notepad.exe
Loads dropped DLL (3 IoCs)
Columns: pid, Process
- 3044 ebae0f7205be00ee7d576833574a4553_JaffaCakes118.exe
- 3044 ebae0f7205be00ee7d576833574a4553_JaffaCakes118.exe
- 3044 ebae0f7205be00ee7d576833574a4553_JaffaCakes118.exe

YARA matches
Columns: resource, yara_rule
- behavioral1/memory/3044-0-0x0000000000400000-0x0000000000490000-memory.dmp upx
- behavioral1/memory/3044-19-0x0000000000400000-0x0000000000490000-memory.dmp upx
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 10 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Columns: description, ioc, Process
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (reg.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (reg.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (reg.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (reg.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (ebae0f7205be00ee7d576833574a4553_JaffaCakes118.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (msn.exe)
Modifies registry key (1 TTPs, 4 IoCs)
Columns: pid, Process
- 2556 reg.exe
- 2548 reg.exe
- 1532 reg.exe
- 2672 reg.exe
Suspicious use of AdjustPrivilegeToken (35 IoCs)
Columns: description, pid, Process (all 35 entries are pid 2140, msn.exe)
- Tokens: 1, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35
Suspicious use of SetWindowsHookEx (3 IoCs)
Columns: pid, Process
- 2140 msn.exe
- 2140 msn.exe
- 2140 msn.exe
Suspicious use of WriteProcessMemory (40 IoCs)
Columns: description, pid, Process, procid_target (each row below is recorded 4 times in the report)
- PID 3044 wrote to memory of 2140 (ebae0f7205be00ee7d576833574a4553_JaffaCakes118.exe, procid_target 28)
- PID 3044 wrote to memory of 2720 (ebae0f7205be00ee7d576833574a4553_JaffaCakes118.exe, procid_target 29)
- PID 2140 wrote to memory of 2624 (msn.exe, procid_target 30)
- PID 2140 wrote to memory of 2508 (msn.exe, procid_target 31)
- PID 2140 wrote to memory of 2072 (msn.exe, procid_target 32)
- PID 2140 wrote to memory of 2232 (msn.exe, procid_target 35)
- PID 2508 wrote to memory of 2548 (cmd.exe, procid_target 38)
- PID 2624 wrote to memory of 2556 (cmd.exe, procid_target 39)
- PID 2232 wrote to memory of 1532 (cmd.exe, procid_target 40)
- PID 2072 wrote to memory of 2672 (cmd.exe, procid_target 41)
Processes
- C:\Users\Admin\AppData\Local\Temp\ebae0f7205be00ee7d576833574a4553_JaffaCakes118.exe (PID 3044)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ebae0f7205be00ee7d576833574a4553_JaffaCakes118.exe"
  Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\msn.exe (PID 2140)
    Command line: "C:\Users\Admin\AppData\Local\Temp\msn.exe"
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2624)
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe (PID 2556)
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        Signatures: Modifies firewall policy service; System Location Discovery: System Language Discovery; Modifies registry key
    - C:\Windows\SysWOW64\cmd.exe (PID 2508)
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\msn.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\msn.exe:*:Enabled:Windows Messanger" /f
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe (PID 2548)
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\msn.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\msn.exe:*:Enabled:Windows Messanger" /f
        Signatures: Modifies firewall policy service; System Location Discovery: System Language Discovery; Modifies registry key
    - C:\Windows\SysWOW64\cmd.exe (PID 2072)
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe (PID 2672)
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        Signatures: Modifies firewall policy service; System Location Discovery: System Language Discovery; Modifies registry key
    - C:\Windows\SysWOW64\cmd.exe (PID 2232)
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\msn.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\msn.exe:*:Enabled:Windows Messanger" /f
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe (PID 1532)
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\msn.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\msn.exe:*:Enabled:Windows Messanger" /f
        Signatures: Modifies firewall policy service; System Location Discovery: System Language Discovery; Modifies registry key
  - C:\Users\Admin\AppData\Local\Temp\notepad.exe (PID 2720)
    Command line: "C:\Users\Admin\AppData\Local\Temp\notepad.exe"
    Signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- File 1
  - Filesize: 332KB
  - MD5: 09ceedd0c5af2b182284dad3fc85f0ad
  - SHA1: 71115ab8b75371c9a25831087126af756d4d2b24
  - SHA256: 95f7e917a9a84ede14e0966908601ce311fca8d964a32ae43ffb79c9f5216e7f
  - SHA512: bf3d21fb4160a84a7b3494d183c34dda90ebb977b8db088ca0032ccedeab045fb99cd86c4ee09e068470c1bbf9c53e6fbe68c153e731d373287c4d703331fd76
- File 2
  - Filesize: 189KB
  - MD5: f2c7bb8acc97f92e987a2d4087d021b1
  - SHA1: 7eb0139d2175739b3ccb0d1110067820be6abd29
  - SHA256: 142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2
  - SHA512: 2f37a2e503cffbd7c05c7d8a125b55368ce11aad5b62f17aaac7aaf3391a6886fa6a0fd73223e9f30072419bf5762a8af7958e805a52d788ba41f61eb084bfe8