Analysis
- max time kernel: 150s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21/09/2024, 01:43
Static task: static1
Behavioral task: behavioral1
- Sample: eed6408824f42589f454b55a7100461a_JaffaCakes118.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: eed6408824f42589f454b55a7100461a_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: eed6408824f42589f454b55a7100461a_JaffaCakes118.exe
- Size: 201KB
- MD5: eed6408824f42589f454b55a7100461a
- SHA1: 5908baefe59f508d1ca7cc54dfa9b47ee2cb0cd7
- SHA256: 1c7876c9197afcf36d7da9b6a5ccbaf54aa6edbeb2ab18129db26b5ed3e4b394
- SHA512: b84c7331226f37d8f178dd3a7553f14b328c9717db17645318e9c58bd5f23ed71a8a2f661059f3fd280a578b0189e2da2fd6633db55d8e671a2a9aa321da0c1f
- SSDEEP: 3072:s/phFZX3hy/OxIIsrurCSGsvCmUMnyWJKlwVN2ITE:sPrYUICV6mUMxJ30
Malware Config
Extracted
- Protocol: smtp
- Host: smtp.gmail.com
- Port: 587
- Username: [email protected]
- Password: elskerdanmark4700
Signatures
- Modifies firewall policy service (3 TTPs, 2 IoCs)
  description / ioc / Process:
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (reg.exe)
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (reg.exe)
- description / ioc / Process:
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (REG.exe)
- Disables Task Manager via registry modification
- Drops file in Drivers directory (1 IoCs)
  description / ioc / Process:
  File opened for modification C:\Windows\system32\drivers\etc\hosts (Facebook.plugin.emissary.exe)
- Drops startup file (2 IoCs)
  description / ioc / Process:
  File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ntdrivers.exe (Facebook.plugin.emissary.exe)
  File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ntdrivers.exe (Facebook.plugin.emissary.exe)
- Executes dropped EXE (2 IoCs)
  pid / Process:
  2640 Facebook.plugin.emissary.exe
  2100 Bkcpy1.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description / ioc / Process:
  Set value (str) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsSoundDrivers = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Facebook.plugin.emissary.exe" (Facebook.plugin.emissary.exe)
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow / ioc:
  3 whatismyip.com
- description / ioc / Process:
  Key deleted \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\DOMStorage (RunDll32.exe)
- Modifies data under HKEY_USERS (7 IoCs)
  description / ioc / Process:
  Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry (rundll32.exe)
  Key created \REGISTRY\USER\S-1-5-19 (rundll32.exe)
  Key created \REGISTRY\USER\S-1-5-19\Software (rundll32.exe)
  Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft (rundll32.exe)
  Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography (rundll32.exe)
  Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry (RunDll32.exe)
  Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133713566314452033" (RunDll32.exe)
- Modifies registry class (20 IoCs)
  description / ioc / Process:
  Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content (rundll32.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content\CachePrefix (rundll32.exe)
  Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies (rundll32.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" (rundll32.exe)
  Set value (int) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History\CacheLimit = "1" (rundll32.exe)
  Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache (rundll32.exe)
  Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings (rundll32.exe)
  Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Extensible Cache (rundll32.exe)
  Set value (int) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content\CacheVersion = "1" (rundll32.exe)
  Set value (int) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content\CacheLimit = "51200" (rundll32.exe)
  Set value (int) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies\CacheLimit = "1" (rundll32.exe)
  Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History (rundll32.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History\CachePrefix = "Visited:" (rundll32.exe)
  Set value (int) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Explorer\DomStorageState\EdpCleanupState = "0" (rundll32.exe)
  Set value (int) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies\CacheVersion = "1" (rundll32.exe)
  Set value (int) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History\CacheVersion = "1" (rundll32.exe)
  Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Explorer\DOMStorage (rundll32.exe)
  Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Explorer\EdpDomStorage (rundll32.exe)
  Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Explorer (rundll32.exe)
  Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Explorer\DomStorageState (rundll32.exe)
- Modifies registry key (1 TTPs, 5 IoCs)
  pid / Process:
  1600 REG.exe
  404 reg.exe
  4832 REG.exe
  1696 REG.exe
  4412 REG.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid / Process:
  4796 eed6408824f42589f454b55a7100461a_JaffaCakes118.exe (the same entry is listed 64 times)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid / Process:
  2640 Facebook.plugin.emissary.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description / pid / Process:
  Token: SeDebugPrivilege 4796 eed6408824f42589f454b55a7100461a_JaffaCakes118.exe
  Token: SeDebugPrivilege 2640 Facebook.plugin.emissary.exe
  Token: SeDebugPrivilege 1956 rundll32.exe
  Token: SeDebugPrivilege 1956 rundll32.exe
  Token: SeDebugPrivilege 2100 Bkcpy1.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid / Process:
  2640 Facebook.plugin.emissary.exe
  1040 RunDll32.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid / Process:
  4796 eed6408824f42589f454b55a7100461a_JaffaCakes118.exe
  2640 Facebook.plugin.emissary.exe
  2100 Bkcpy1.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  description / pid / Process / procid_target:
  PID 4796 wrote to memory of 2640 (4796 eed6408824f42589f454b55a7100461a_JaffaCakes118.exe, target 81)
  PID 4796 wrote to memory of 2640 (4796 eed6408824f42589f454b55a7100461a_JaffaCakes118.exe, target 81)
  PID 2640 wrote to memory of 4832 (2640 Facebook.plugin.emissary.exe, target 82)
  PID 2640 wrote to memory of 4832 (2640 Facebook.plugin.emissary.exe, target 82)
  PID 2640 wrote to memory of 1040 (2640 Facebook.plugin.emissary.exe, target 84)
  PID 2640 wrote to memory of 1040 (2640 Facebook.plugin.emissary.exe, target 84)
  PID 2640 wrote to memory of 1696 (2640 Facebook.plugin.emissary.exe, target 85)
  PID 2640 wrote to memory of 1696 (2640 Facebook.plugin.emissary.exe, target 85)
  PID 2640 wrote to memory of 4412 (2640 Facebook.plugin.emissary.exe, target 86)
  PID 2640 wrote to memory of 4412 (2640 Facebook.plugin.emissary.exe, target 86)
  PID 2640 wrote to memory of 1600 (2640 Facebook.plugin.emissary.exe, target 87)
  PID 2640 wrote to memory of 1600 (2640 Facebook.plugin.emissary.exe, target 87)
  PID 2640 wrote to memory of 808 (2640 Facebook.plugin.emissary.exe, target 88)
  PID 2640 wrote to memory of 808 (2640 Facebook.plugin.emissary.exe, target 88)
  PID 808 wrote to memory of 404 (808 cmd.exe, target 94)
  PID 808 wrote to memory of 404 (808 cmd.exe, target 94)
  PID 1040 wrote to memory of 1956 (1040 RunDll32.exe, target 96)
  PID 1040 wrote to memory of 1956 (1040 RunDll32.exe, target 96)
  PID 2640 wrote to memory of 2100 (2640 Facebook.plugin.emissary.exe, target 98)
  PID 2640 wrote to memory of 2100 (2640 Facebook.plugin.emissary.exe, target 98)
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
- Uses Volume Shadow Copy WMI provider
  The Volume Shadow Copy service is used to manage backups/snapshots.
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\eed6408824f42589f454b55a7100461a_JaffaCakes118.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\eed6408824f42589f454b55a7100461a_JaffaCakes118.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 4796
  - C:\Users\Admin\AppData\Local\Temp\Facebook.plugin.emissary.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\Facebook.plugin.emissary.exe
    - Drops file in Drivers directory
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2640
    - C:\Windows\SYSTEM32\REG.exe (depth 3)
      Command line: REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      - UAC bypass
      - Modifies registry key
      PID: 4832
    - C:\Windows\SYSTEM32\RunDll32.exe (depth 3)
      Command line: RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 2
      - Modifies Internet Explorer settings
      - Modifies data under HKEY_USERS
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      PID: 1040
      - C:\Windows\system32\rundll32.exe (depth 4)
        Command line: C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:2 WinX:0 WinY:0 IEFrame:0000000000000000
        - Modifies data under HKEY_USERS
        - Modifies registry class
        - Suspicious use of AdjustPrivilegeToken
        PID: 1956
    - C:\Windows\SYSTEM32\REG.exe (depth 3)
      Command line: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      - Modifies registry key
      PID: 1696
    - C:\Windows\SYSTEM32\REG.exe (depth 3)
      Command line: REG add HKCU\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 1 /f
      - Modifies registry key
      PID: 4412
    - C:\Windows\SYSTEM32\REG.exe (depth 3)
      Command line: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
      - Modifies registry key
      PID: 1600
    - C:\Windows\SYSTEM32\cmd.exe (depth 3)
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "EnableFirewall" /t REG_DWORD /d "0" /f
      - Suspicious use of WriteProcessMemory
      PID: 808
      - C:\Windows\system32\reg.exe (depth 4)
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "EnableFirewall" /t REG_DWORD /d "0" /f
        - Modifies firewall policy service
        - Modifies registry key
        PID: 404
    - C:\Users\Admin\AppData\Local\Temp\Bkcpy1.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\Bkcpy1.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      PID: 2100
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1): Windows Service (1)
- Privilege Escalation
  - Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1): Windows Service (1)
Downloads
- Filesize: 201KB
  MD5: eed6408824f42589f454b55a7100461a
  SHA1: 5908baefe59f508d1ca7cc54dfa9b47ee2cb0cd7
  SHA256: 1c7876c9197afcf36d7da9b6a5ccbaf54aa6edbeb2ab18129db26b5ed3e4b394
  SHA512: b84c7331226f37d8f178dd3a7553f14b328c9717db17645318e9c58bd5f23ed71a8a2f661059f3fd280a578b0189e2da2fd6633db55d8e671a2a9aa321da0c1f