Analysis
max time kernel: 139s
max time network: 140s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 21/09/2024, 11:54
Static task: static1
Behavioral task: behavioral1
Sample: efbcb62c2f180599cbe7d4925e30324b_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: efbcb62c2f180599cbe7d4925e30324b_JaffaCakes118.exe
Size: 369KB
MD5: efbcb62c2f180599cbe7d4925e30324b
SHA1: a41da44737478a6b2180639dbf931754a04d5ee8
SHA256: 5eb32845ec057e47ed62d0ac3f86cfa7a11f94caa95038e6f07929c35e0c555b
SHA512: 1797f314186f51ccc246728e99260f581fe370593b0390a79068b6bd811da9231cd1583230bb460e4d1b84fa32fb779887cebc9a884128c21b44d8d0a0a3cb61
SSDEEP: 6144:UQqOAE4QqtfosaF2pC3gRrxFNQ1EwU4hQ1lxKuPIYt1Iy8tZSIOZrc5ovh2/juMl:7AEwoHF8/rxTR9vx1gYo5t7OZrWfhz
Malware Config
Signatures
Executes dropped EXE 3 IoCs
pid   Process
2460  cfÎÏţ͸ÊÓ.exe
2488  ÎÏţ͸ÊÓ.exe
2020  cfÎÏţ͸ÊÓ.tmp

Loads dropped DLL 11 IoCs
pid   Process
2292  efbcb62c2f180599cbe7d4925e30324b_JaffaCakes118.exe
2292  efbcb62c2f180599cbe7d4925e30324b_JaffaCakes118.exe
2292  efbcb62c2f180599cbe7d4925e30324b_JaffaCakes118.exe
2488  ÎÏţ͸ÊÓ.exe
2488  ÎÏţ͸ÊÓ.exe
2488  ÎÏţ͸ÊÓ.exe
2460  cfÎÏţ͸ÊÓ.exe
2460  cfÎÏţ͸ÊÓ.exe
2460  cfÎÏţ͸ÊÓ.exe
2020  cfÎÏţ͸ÊÓ.tmp
2020  cfÎÏţ͸ÊÓ.tmp
YARA rule match: vmprotect 4 IoCs
resource                                                                    yara_rule
behavioral1/memory/2488-17-0x0000000000400000-0x000000000042B000-memory.dmp  vmprotect
behavioral1/files/0x000f000000018683-16.dat                                  vmprotect
behavioral1/memory/2488-28-0x0000000000400000-0x000000000042B000-memory.dmp  vmprotect
behavioral1/memory/2488-59-0x0000000000400000-0x000000000042B000-memory.dmp  vmprotect
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid   Process
2488  ÎÏţ͸ÊÓ.exe

Drops file in Program Files directory 1 IoCs
description   ioc                                                     Process
File created  C:\Program Files\Common Files\DcomServer\DcomServer.exe  cfÎÏţ͸ÊÓ.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ÎÏţ͸ÊÓ.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cfÎÏţ͸ÊÓ.tmp
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  regsvr32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  taskkill.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  efbcb62c2f180599cbe7d4925e30324b_JaffaCakes118.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cfÎÏţ͸ÊÓ.exe

Kills process with taskkill 1 IoCs
pid   Process
2732  taskkill.exe
Modifies Internet Explorer settings 1 IoCs
description  ioc                                                                                                 Process
Key created  \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main  ÎÏţ͸ÊÓ.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description              pid   Process
Token: SeDebugPrivilege  2732  taskkill.exe

Suspicious use of SetWindowsHookEx 3 IoCs
pid   Process
2488  ÎÏţ͸ÊÓ.exe
2488  ÎÏţ͸ÊÓ.exe
2488  ÎÏţ͸ÊÓ.exe

Suspicious use of WriteProcessMemory 42 IoCs
(each row below was recorded 7 times in the original table; the count column preserves that)
description                           pid   Process                                             procid_target  count
PID 2292 wrote to memory of 2460      2292  efbcb62c2f180599cbe7d4925e30324b_JaffaCakes118.exe  30             7
PID 2292 wrote to memory of 2488      2292  efbcb62c2f180599cbe7d4925e30324b_JaffaCakes118.exe  31             7
PID 2460 wrote to memory of 2020      2460  cfÎÏţ͸ÊÓ.exe                                         32             7
PID 2488 wrote to memory of 1512      2488  ÎÏţ͸ÊÓ.exe                                           33             7
PID 2488 wrote to memory of 2796      2488  ÎÏţ͸ÊÓ.exe                                           34             7
PID 2796 wrote to memory of 2732      2796  cmd.exe                                             36             7
Processes
(indentation shows parent/child depth: level 1 is the submitted sample, each nested entry is a child of the entry above it)

[1] C:\Users\Admin\AppData\Local\Temp\efbcb62c2f180599cbe7d4925e30324b_JaffaCakes118.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\efbcb62c2f180599cbe7d4925e30324b_JaffaCakes118.exe"
    PID: 2292
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\cfÎÏţ͸ÊÓ.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\cfÎÏţ͸ÊÓ.exe"
        PID: 2460
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\is-6T4EL.tmp\cfÎÏţ͸ÊÓ.tmp
            command line: "C:\Users\Admin\AppData\Local\Temp\is-6T4EL.tmp\cfÎÏţ͸ÊÓ.tmp" /SL5="$400F4,53248,53248,C:\Users\Admin\AppData\Local\Temp\cfÎÏţ͸ÊÓ.exe"
            PID: 2020
            - Executes dropped EXE
            - Loads dropped DLL
            - Drops file in Program Files directory
            - System Location Discovery: System Language Discovery

    [2] C:\Users\Admin\AppData\Local\Temp\ÎÏţ͸ÊÓ.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\ÎÏţ͸ÊÓ.exe"
        PID: 2488
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\regsvr32.exe
            command line: regsvr32 C:\WINDOWS\system32\shdocvw.dll /s
            PID: 1512
            - System Location Discovery: System Language Discovery

        [3] C:\Windows\SysWOW64\cmd.exe
            command line: cmd /c taskkill /f /im empty.dat
            PID: 2796
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\taskkill.exe
                command line: taskkill /f /im empty.dat
                PID: 2732
                - System Location Discovery: System Language Discovery
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 128B
MD5: 51db95b0c7e44601365e6ae5683c373b
SHA1: 5388064be80b99fe503e59c1aac62f183deb3b1b
SHA256: 5038cb765d576e13aaf5b8a26fd5e30fc20a1ddd3c4dd4c3e8a488a8fccd3f3a
SHA512: f9bd35e7c0665f68641ae31487cc8e5957c17cd87593e0542e040fb06eb4df07d99a72a019b1efba0af3b939b77853624a61009ee6a139b3d792e102c0c01374

Filesize: 84KB
MD5: cba0fa0915bf758b46c8a67ff2e5f5b5
SHA1: de0997c8671074c632c27fbf17c657d1c4219ff4
SHA256: 6a3f90d5b0a892386a31473e72a07736e2f11a7aa1c95f43e483f8fd27452b5a
SHA512: 0b925dfad6caa5ba59ceba727f71b97f16e919cee178c15886f563955d5abcbdc72e4c2b17e6a18267ef7bd74ac2e2128d5e361105834711c71ffc27cc9ac479

Filesize: 293KB
MD5: 0c4bc62787fc144a93b21a94677bb3ad
SHA1: 3264002ac77ffa02579ace7922446eb26fc62cf5
SHA256: b8b724b34b232d6a642d358b0dee70fd0db52be6e24386d799cd44b7812025eb
SHA512: 1c566783b903ed9c064a10cbb034b42db73627b7fd5ab22b3ec012bc517e8e583fa72bdabccf5ab047c1e27be1e3d6f8159f4f675217b0348ca58991875c34b7

Filesize: 22KB
MD5: 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1: 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256: 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512: 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Filesize: 681KB
MD5: 8e3e4508030c1ffdb0196309114eb841
SHA1: 33656ec0c5b5ab8ce4ac566be0a95a96ec4ac40c
SHA256: 6d9b3b086a0cd15c9fd32cf639c61e52d4d928d0112a7bb75e95f010e995dd2b
SHA512: 6f16872abeb2de9ce3d881cf4b13778af03a305b068e99a8e59735bd4c13b5ad6f24a7aa44c2327cbfbb8351324ab85bb2157d719249fa29eb6f46061badffa4