Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
145s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
21/09/2024, 01:41
Static task
static1
Behavioral task
behavioral1
Sample
eed545a854ece23d746a0e6a89bc72d9_JaffaCakes118.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
eed545a854ece23d746a0e6a89bc72d9_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
eed545a854ece23d746a0e6a89bc72d9_JaffaCakes118.exe
-
Size
304KB
-
MD5
eed545a854ece23d746a0e6a89bc72d9
-
SHA1
0a271ecc7db5f0bf3151a455bac335b43d350682
-
SHA256
cd3f9d23719231cd510b252746d34f798e6214132282b5d1c6107af281765fe1
-
SHA512
6dc49d713e317d1f91b6abd7d554cf611111629cc250ce909537333d99f778a56fede14b5a3a1a98d9ba9531618e596e4b8bb4c5d8f60d89ab51142e3bc0a47e
-
SSDEEP
6144:GA7TgGATIr4tccyvkhznX75wS5f8evpmu:b7ATIMbnwg4
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe,C:\\Arquivos de programas\\DtSLLuqn.exe" eed545a854ece23d746a0e6a89bc72d9_JaffaCakes118.exe -
Adds Run key to start application 2 TTPs 5 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\OptionalComponents eed545a854ece23d746a0e6a89bc72d9_JaffaCakes118.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN eed545a854ece23d746a0e6a89bc72d9_JaffaCakes118.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\OptionalComponents\MSFS eed545a854ece23d746a0e6a89bc72d9_JaffaCakes118.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\OptionalComponents\MAPI eed545a854ece23d746a0e6a89bc72d9_JaffaCakes118.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\OptionalComponents\IMAIL eed545a854ece23d746a0e6a89bc72d9_JaffaCakes118.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 6 sites.google.com 8 sites.google.com -
Drops file in Windows directory 2 IoCs
description ioc Process File created \??\c:\windows\winlogn.ini eed545a854ece23d746a0e6a89bc72d9_JaffaCakes118.exe File created C:\WINDOWS\system\log.ini eed545a854ece23d746a0e6a89bc72d9_JaffaCakes118.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language eed545a854ece23d746a0e6a89bc72d9_JaffaCakes118.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1456 eed545a854ece23d746a0e6a89bc72d9_JaffaCakes118.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\eed545a854ece23d746a0e6a89bc72d9_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\eed545a854ece23d746a0e6a89bc72d9_JaffaCakes118.exe"1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
PID:1456
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
476KB
MD5c1b01e45f9e98c7da889fd4fbe51beb7
SHA1478b7828faacbe1956f6efafb89ecc0e4b27f8f6
SHA256dbc21a49e318aec1bfbc03f700344aa16edf7a806462f780d7937dc3142402d7
SHA512eb50e05421d439dd2f8bf1dd372acf031e081cbdb87468e206b678c30a67ced4a22be82af406464e86ed4534619c37a1789eb9802067c99834325b9c5767aca0