Analysis
max time kernel: 120s
max time network: 126s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 21/09/2024, 08:02
Static task: static1
Behavioral task: behavioral1
  Sample: ef5f42659bfa48d7896fe04434a2c7ca_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: ef5f42659bfa48d7896fe04434a2c7ca_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: ef5f42659bfa48d7896fe04434a2c7ca_JaffaCakes118.exe
Size: 192KB
MD5: ef5f42659bfa48d7896fe04434a2c7ca
SHA1: 55515f10c8205c7a88ea972653328a9841e6704d
SHA256: 380fa37adcda144ee6c59ec251b976074fd8b7c48380df72ffa8769ea13f600f
SHA512: c68408431521a930c24c4123328b8e0c6f9d19da7474ffeaa3a36f66ec90b4d1b1feb814035acd2455e3fff09f8fbcc028665c2ed79735fb19a929be780c3d34
SSDEEP: 3072:YpbtC5W7S8BFsPolqmDOn542beDNLbD8BpPq32:T5W7S8BGWqkxl4D
Malware Config
Signatures
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 1 IoC)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe

Loads dropped DLL (1 IoC)
pid | Process
1056 | ef5f42659bfa48d7896fe04434a2c7ca_JaffaCakes118.exe

Drops file in System32 directory (9 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\fdProwy.dat | ef5f42659bfa48d7896fe04434a2c7ca_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\ipsmsnvp.dat | ef5f42659bfa48d7896fe04434a2c7ca_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\icardren.dat | ef5f42659bfa48d7896fe04434a2c7ca_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\btpaniii.dat | ef5f42659bfa48d7896fe04434a2c7ca_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\btpaniii.dat | ef5f42659bfa48d7896fe04434a2c7ca_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\icardren.dat | ef5f42659bfa48d7896fe04434a2c7ca_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\icardren.ocx | ef5f42659bfa48d7896fe04434a2c7ca_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\fdProwy.dat | ef5f42659bfa48d7896fe04434a2c7ca_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\ipsmsnvp.dat | ef5f42659bfa48d7896fe04434a2c7ca_JaffaCakes118.exe

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ef5f42659bfa48d7896fe04434a2c7ca_JaffaCakes118.exe

Modifies registry class (10 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{01D35206-5298-CD79-7B55-F643E5555C8F} | ef5f42659bfa48d7896fe04434a2c7ca_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{01D35206-5298-CD79-7B55-F643E5555C8F}\InprocServer32 | ef5f42659bfa48d7896fe04434a2c7ca_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{01D35206-5298-CD79-7B55-F643E5555C8F}\InprocServer32\ThreadingModel = "Apartment" | ef5f42659bfa48d7896fe04434a2c7ca_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{01D35206-5298-CD79-7B55-F643E5555C8F}\ = "icardren" | ef5f42659bfa48d7896fe04434a2c7ca_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{01D35206-5298-CD79-7B55-F643E5555C8F}\InprocServer32\ = "C:\\Windows\\SysWow64\\icardren.ocx" | ef5f42659bfa48d7896fe04434a2c7ca_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
2736 | explorer.exe

Suspicious use of AdjustPrivilegeToken (16 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 2736 | explorer.exe (10 occurrences)
Token: 33 | 552 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 552 | AUDIODG.EXE
Token: 33 | 552 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 552 | AUDIODG.EXE
Token: SeShutdownPrivilege | 2736 | explorer.exe (2 occurrences)

Suspicious use of FindShellTrayWindow (29 IoCs)
pid | Process
2736 | explorer.exe (29 occurrences)

Suspicious use of SendNotifyMessage (19 IoCs)
pid | Process
2736 | explorer.exe (19 occurrences)

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

1. C:\Users\Admin\AppData\Local\Temp\ef5f42659bfa48d7896fe04434a2c7ca_JaffaCakes118.exe (tree level 1)
   Command line: "C:\Users\Admin\AppData\Local\Temp\ef5f42659bfa48d7896fe04434a2c7ca_JaffaCakes118.exe"
   PID: 1056
   - Loads dropped DLL
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class

2. C:\Windows\explorer.exe (tree level 1)
   Command line: explorer.exe
   PID: 2736
   - Boot or Logon Autostart Execution: Active Setup
   - Modifies registry class
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage

3. C:\Windows\system32\AUDIODG.EXE (tree level 1)
   Command line: C:\Windows\system32\AUDIODG.EXE 0x5a4
   PID: 552
   - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 140KB
MD5: 7caae81ab9bacfedd96f88b852bda4c0
SHA1: a15bd7cd06cf6c1a5f855ef584ba159902de3811
SHA256: 319e87393f5eb1b80cb11fb43abf0cd25c19929460e40c5cf3528c73bcba9433
SHA512: a5a9ce67102caa9c7296abdce34f53dc39b57d42580046d8c7eb25a03f48d07de02090d3ba5a8eba50f2c31e2ec84eecde811e697789cf2a39d6c805f896979e