Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
143s -
max time network
143s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
21/09/2024, 09:45
Static task
static1
Behavioral task
behavioral1
Sample
ef871e57648e41d689ec183bbb284aeb_JaffaCakes118.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
ef871e57648e41d689ec183bbb284aeb_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
ef871e57648e41d689ec183bbb284aeb_JaffaCakes118.exe
-
Size
150KB
-
MD5
ef871e57648e41d689ec183bbb284aeb
-
SHA1
16b22129e7539103a86e098d1386c65b21c343e8
-
SHA256
7dd6fb56478fb16407bc2ae78c4f8f9af67b5f6af08d03ab615f0525f7f26b53
-
SHA512
9a7d94e4c0e460e7fd47f8cbbe069b483f9df0ab85808ce49b5e4778e45a84c4819dac8167afa65b55850bd9b5ca58036b5b4c9129d2030d8415983ae34a35e4
-
SSDEEP
3072:tL24ZN+vUASh/z1eITA1AcSg8o5ezHFO2fqt5XTBKCqJmzwBVL:t62+0sITA6zq54HHfsBTB1q0c
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid Process 2764 explorer.exe -
Executes dropped EXE 1 IoCs
pid Process 332 csrss.exe -
Drops desktop.ini file(s) 2 IoCs
description ioc Process File created \systemroot\assembly\GAC_64\Desktop.ini csrss.exe File created \systemroot\assembly\GAC_32\Desktop.ini csrss.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2420 set thread context of 2764 2420 ef871e57648e41d689ec183bbb284aeb_JaffaCakes118.exe 30 -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ef871e57648e41d689ec183bbb284aeb_JaffaCakes118.exe -
Modifies registry class 3 IoCs
description ioc Process Key created \registry\machine\Software\Classes\Interface\{801adc3f-e655-7c27-ed17-8b15d1d66490} explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{801adc3f-e655-7c27-ed17-8b15d1d66490}\u = "860049491" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{801adc3f-e655-7c27-ed17-8b15d1d66490}\cid = "506232136160144436" explorer.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2764 explorer.exe 2764 explorer.exe 2764 explorer.exe 332 csrss.exe -
Suspicious use of AdjustPrivilegeToken 34 IoCs
description pid Process Token: SeDebugPrivilege 2764 explorer.exe Token: SeAssignPrimaryTokenPrivilege 852 svchost.exe Token: SeIncreaseQuotaPrivilege 852 svchost.exe Token: SeSecurityPrivilege 852 svchost.exe Token: SeTakeOwnershipPrivilege 852 svchost.exe Token: SeLoadDriverPrivilege 852 svchost.exe Token: SeRestorePrivilege 852 svchost.exe Token: SeSystemEnvironmentPrivilege 852 svchost.exe Token: SeAssignPrimaryTokenPrivilege 852 svchost.exe Token: SeIncreaseQuotaPrivilege 852 svchost.exe Token: SeSecurityPrivilege 852 svchost.exe Token: SeTakeOwnershipPrivilege 852 svchost.exe Token: SeLoadDriverPrivilege 852 svchost.exe Token: SeSystemtimePrivilege 852 svchost.exe Token: SeBackupPrivilege 852 svchost.exe Token: SeRestorePrivilege 852 svchost.exe Token: SeShutdownPrivilege 852 svchost.exe Token: SeSystemEnvironmentPrivilege 852 svchost.exe Token: SeUndockPrivilege 852 svchost.exe Token: SeManageVolumePrivilege 852 svchost.exe Token: SeAssignPrimaryTokenPrivilege 852 svchost.exe Token: SeIncreaseQuotaPrivilege 852 svchost.exe Token: SeSecurityPrivilege 852 svchost.exe Token: SeTakeOwnershipPrivilege 852 svchost.exe Token: SeLoadDriverPrivilege 852 svchost.exe Token: SeRestorePrivilege 852 svchost.exe Token: SeSystemEnvironmentPrivilege 852 svchost.exe Token: SeAssignPrimaryTokenPrivilege 852 svchost.exe Token: SeIncreaseQuotaPrivilege 852 svchost.exe Token: SeSecurityPrivilege 852 svchost.exe Token: SeTakeOwnershipPrivilege 852 svchost.exe Token: SeLoadDriverPrivilege 852 svchost.exe Token: SeRestorePrivilege 852 svchost.exe Token: SeSystemEnvironmentPrivilege 852 svchost.exe -
Suspicious use of UnmapMainImage 1 IoCs
pid Process 332 csrss.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2420 wrote to memory of 2764 2420 ef871e57648e41d689ec183bbb284aeb_JaffaCakes118.exe 30 PID 2420 wrote to memory of 2764 2420 ef871e57648e41d689ec183bbb284aeb_JaffaCakes118.exe 30 PID 2420 wrote to memory of 2764 2420 ef871e57648e41d689ec183bbb284aeb_JaffaCakes118.exe 30 PID 2420 wrote to memory of 2764 2420 ef871e57648e41d689ec183bbb284aeb_JaffaCakes118.exe 30 PID 2420 wrote to memory of 2764 2420 ef871e57648e41d689ec183bbb284aeb_JaffaCakes118.exe 30 PID 2764 wrote to memory of 332 2764 explorer.exe 2 PID 332 wrote to memory of 852 332 csrss.exe 13
Processes
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:332
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs1⤵
- Suspicious use of AdjustPrivilegeToken
PID:852
-
C:\Users\Admin\AppData\Local\Temp\ef871e57648e41d689ec183bbb284aeb_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\ef871e57648e41d689ec183bbb284aeb_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\explorer.exe00000080*2⤵
- Deletes itself
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2764
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
52KB
MD5c7570a7e24b29ee04a48c2c99da2587b
SHA1b6e3635a8de44b1635e8d362ac131e14281feb24
SHA256717cd7661c09701ee39c505d8b604ea3dd6c1151ef18e7ed1cab3832552ac34b
SHA51257479d2f5386ace8cc5e5ed543e6ad2c2b7b58accc849807d804a8cf0d03080f328f7b42442422fa1483a01ad473ca302f9eca97b9eb24e699e22db56641c572
-
Filesize
2KB
MD5d342acaf1d47450dd2f065bb0511591b
SHA1cf9626de13a8b14b2f026722eeba52af83b367c5
SHA256ea5d5e5062070b7aafea9191d07c542583bc69c6122224a43b1191329b056edf
SHA512cc77008befc286d945a22e3a39328aad4da59a42b13d79ead162a8e772fcff88ffaaf549c44644ea56a8a74a138cee3f65660fc35287371991bf015d90abf6f9