Analysis
- max time kernel: 150s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 20/09/2024, 03:21
Static task: static1
Behavioral task: behavioral1
- Sample: ecbe2788da186fb254c618b21d446303_JaffaCakes118.exe
- Resource: win7-20240903-en
General
- Target: ecbe2788da186fb254c618b21d446303_JaffaCakes118.exe
- Size: 594KB
- MD5: ecbe2788da186fb254c618b21d446303
- SHA1: 0e261dd24f00ad297e93086d9cf1326933137997
- SHA256: 2450d1e8bea7cb4606191aa62c208974ab98f7ac3dcefa6a3b09286818a1168d
- SHA512: 93041cb0cf554684a197af525caba96da02f0b45b2d3aa23e140e6ca9c15bb9c4b7f3001fd0f3410a9d2ffacecb47027f742fb10982f87b180462c60cb723bf9
- SSDEEP: 12288:jK2mhAMJ/cPl+RhW13QPKP21+UDgni/O6AcEeC1d5MytGkNErbYy43AS+HGW+w5l:G2O/Gl+zSQPKP21dD+R6AcEeC1dxzNED
Malware Config

Extracted: darkcomet
- Campaign ID: Trillian
- C2: essstzttztz.zapto.org:1612
- Mutex: DC_MUTEX-1KBKQVH
- gencode: nrKvEnTT3cgT
- install: false
- offline_keylogger: true
- persistence: false

Extracted: latentbot
- C2: essstzttztz.zapto.org
Signatures

Executes dropped EXE (2 IoCs)
  PID   Process
  2008  uus.exe
  1872  tinychat.exe

Loads dropped DLL (9 IoCs)
  PID   Process
  1576  ecbe2788da186fb254c618b21d446303_JaffaCakes118.exe (9 occurrences)

YARA rule matches
  Resource                                                                      yara_rule
  behavioral1/files/0x000e000000015ceb-21.dat                                   upx
  behavioral1/memory/1576-33-0x0000000001FF0000-0x0000000002016000-memory.dmp   upx
  behavioral1/memory/1872-39-0x0000000000400000-0x0000000000426000-memory.dmp   upx
  behavioral1/memory/2644-76-0x0000000000400000-0x00000000004B7000-memory.dmp   upx
  behavioral1/memory/2644-72-0x0000000000400000-0x00000000004B7000-memory.dmp   upx
  behavioral1/memory/2644-67-0x0000000000400000-0x00000000004B7000-memory.dmp   upx
  behavioral1/memory/2644-77-0x0000000000400000-0x00000000004B7000-memory.dmp   upx
  behavioral1/memory/2644-78-0x0000000000400000-0x00000000004B7000-memory.dmp   upx
  behavioral1/memory/2644-79-0x0000000000400000-0x00000000004B7000-memory.dmp   upx
  behavioral1/memory/2644-80-0x0000000000400000-0x00000000004B7000-memory.dmp   upx
  behavioral1/memory/2644-81-0x0000000000400000-0x00000000004B7000-memory.dmp   upx
  behavioral1/memory/1872-86-0x0000000000400000-0x0000000000426000-memory.dmp   upx
  behavioral1/memory/2008-105-0x0000000000090000-0x0000000000190000-memory.dmp  upx

Adds Run key to start application (2 TTPs, 1 IoC)
  Description      IoC                                                                                                                                                            Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskmgbj.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\taskmgbj.exe A"  reg.exe

Suspicious use of SetThreadContext (2 IoCs)
  Description                          PID   Process  procid_target
  PID 2008 set thread context of 2644  2008  uus.exe  36
  PID 2008 set thread context of 2960  2008  uus.exe  37

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description  IoC                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tinychat.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  reg.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmdl32.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmdl32.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ecbe2788da186fb254c618b21d446303_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  uus.exe

Suspicious use of AdjustPrivilegeToken (46 IoCs)
  PID 2644 (cmdl32.exe) and PID 2960 (cmdl32.exe) each adjusted the same 23 tokens:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
  SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
  SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege,
  SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege,
  SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35

Suspicious use of SetWindowsHookEx (4 IoCs)
  PID   Process
  2008  uus.exe
  1872  tinychat.exe
  1872  tinychat.exe
  2644  cmdl32.exe

Suspicious use of WriteProcessMemory (50 IoCs)
  Description                       PID   Process                                             procid_target  Occurrences
  PID 1576 wrote to memory of 2008  1576  ecbe2788da186fb254c618b21d446303_JaffaCakes118.exe  31             7
  PID 1576 wrote to memory of 1872  1576  ecbe2788da186fb254c618b21d446303_JaffaCakes118.exe  32             7
  PID 2008 wrote to memory of 2756  2008  uus.exe                                             33             7
  PID 2756 wrote to memory of 2912  2756  cmd.exe                                             35             7
  PID 2008 wrote to memory of 2644  2008  uus.exe                                             36             11
  PID 2008 wrote to memory of 2960  2008  uus.exe                                             37             11
Processes

- C:\Users\Admin\AppData\Local\Temp\ecbe2788da186fb254c618b21d446303_JaffaCakes118.exe (PID 1576)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ecbe2788da186fb254c618b21d446303_JaffaCakes118.exe"
  Signatures:
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\uus.exe (PID 2008)
    Command line: "C:\Users\Admin\AppData\Local\Temp\uus.exe"
    Signatures:
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\cmd.exe (PID 2756)
      Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\maqui.bat
      Signatures:
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      - C:\Windows\SysWOW64\reg.exe (PID 2912)
        Command line: reg add "HKCU\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Run" /v taskmgbj.exe /d "C:\Users\Admin\AppData\Local\Temp\taskmgbj.exe A" /f
        Signatures:
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery

    - C:\Windows\SysWOW64\cmdl32.exe (PID 2644)
      Command line: "C:\Windows\system32\cmdl32.exe "
      Signatures:
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx

    - C:\Windows\SysWOW64\cmdl32.exe (PID 2960)
      Command line: "C:\Windows\system32\cmdl32.exe "
      Signatures:
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

  - C:\Users\Admin\AppData\Local\Temp\tinychat.exe (PID 1872)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tinychat.exe"
    Signatures:
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 150B
  MD5: 91f95ff4f3b92893ee4ea67a533da526
  SHA1: 2b17c54f07df8f803446032dbdf70f8384158f78
  SHA256: 167ea6d50160180eafeb164fe6d8fdadc90e22dafa655c99e561acd486fec11a
  SHA512: 73fbf0ddda81fdc8f699e75d0d2e7c9f3584d555273f5cf0625d95af55aaf94f3ff62f611cd16b0bbcccd89c31c11126345f7dc01b65edd51756e88dcbd0de99

- Filesize: 312KB
  MD5: 75e8479191225e9543a43f6366cd73fd
  SHA1: c591454985172f83b221e4e1ec0fdc60c4fc93c2
  SHA256: 4b0fca92cd6e7828dc80494062b7965bfb8dad5e77ee4ae84a8ffec1b4d9eed1
  SHA512: 6654ff9393f73bfbe2a7b4feb8eeb2b7dd801c580c1682f46f200bb19a91df75276d776c7475d603f782f6e5078317ff87542518c4d7dd62a63596a80b71b0bd

- Filesize: 52KB
  MD5: 32254a9009a89147f5cfbd03ba2cee84
  SHA1: 578439fa4e02a795e44945bb2cb1edd1cb9245ab
  SHA256: 07ff1f83289f3ad2d7a19d734cb9137517ee7e2cd52160a0f7d599e2ca590e88
  SHA512: 182c62bd60ac437c4bf8781f74eb49e29312382f066d6acda72db90c91a0c996716c018522db5d3c516463286e8e3dee1f8c8c2d6b621ecf6f55152dd8ee0904