Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
118s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
21/09/2024, 11:47
Behavioral task
behavioral1
Sample
efb9891ddb30cb3dea7dfbe51c295a15_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
efb9891ddb30cb3dea7dfbe51c295a15_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
efb9891ddb30cb3dea7dfbe51c295a15_JaffaCakes118.exe
-
Size
3.8MB
-
MD5
efb9891ddb30cb3dea7dfbe51c295a15
-
SHA1
987be11a59a129cc0d4e71fcfddeb3adf596e262
-
SHA256
c8c1be11b7eadaef5fd7d78d2d6c4d9944f6f59b783b4f4b7c7f3eac8e68143d
-
SHA512
cfb93d327b9914e831bce6932f09be7d809c25418e401f39182515082291d16fc4883fcdb93b7bb2fed3bc753de00e61371aaf4d00e0a6c68fbc4c0e37424487
-
SSDEEP
98304:+znOEj82saUwGJX87Q2iLcJ6Jg4G+SAdR:+n9slwGJXqvJ6JgdU
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe -
resource yara_rule behavioral1/memory/2956-0-0x0000000000400000-0x00000000004BB000-memory.dmp upx behavioral1/memory/2956-12-0x0000000000400000-0x00000000004BB000-memory.dmp upx behavioral1/memory/2296-5-0x00000000008C0000-0x0000000001EC7000-memory.dmp upx behavioral1/memory/2296-8-0x00000000008C0000-0x0000000001EC7000-memory.dmp upx behavioral1/memory/2296-13-0x00000000008C0000-0x0000000001EC7000-memory.dmp upx behavioral1/memory/2296-7-0x00000000008C0000-0x0000000001EC7000-memory.dmp upx behavioral1/memory/2296-15-0x00000000008C0000-0x0000000001EC7000-memory.dmp upx -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Windows\\System32\\svchosste.exe" efb9891ddb30cb3dea7dfbe51c295a15_JaffaCakes118.exe -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/memory/2956-12-0x0000000000400000-0x00000000004BB000-memory.dmp autoit_exe -
Drops file in System32 directory 3 IoCs
description ioc Process File created C:\WINDOWS\SysWOW64\RGR.SYS efb9891ddb30cb3dea7dfbe51c295a15_JaffaCakes118.exe File created C:\Windows\SysWOW64\svchosste.exe efb9891ddb30cb3dea7dfbe51c295a15_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\svchosste.exe efb9891ddb30cb3dea7dfbe51c295a15_JaffaCakes118.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2956 set thread context of 2296 2956 efb9891ddb30cb3dea7dfbe51c295a15_JaffaCakes118.exe 31 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language efb9891ddb30cb3dea7dfbe51c295a15_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language efb9891ddb30cb3dea7dfbe51c295a15_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe -
Modifies registry key 1 TTPs 1 IoCs
pid Process 2688 reg.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2296 efb9891ddb30cb3dea7dfbe51c295a15_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 2956 wrote to memory of 2296 2956 efb9891ddb30cb3dea7dfbe51c295a15_JaffaCakes118.exe 31 PID 2956 wrote to memory of 2296 2956 efb9891ddb30cb3dea7dfbe51c295a15_JaffaCakes118.exe 31 PID 2956 wrote to memory of 2296 2956 efb9891ddb30cb3dea7dfbe51c295a15_JaffaCakes118.exe 31 PID 2956 wrote to memory of 2296 2956 efb9891ddb30cb3dea7dfbe51c295a15_JaffaCakes118.exe 31 PID 2956 wrote to memory of 2296 2956 efb9891ddb30cb3dea7dfbe51c295a15_JaffaCakes118.exe 31 PID 2956 wrote to memory of 2296 2956 efb9891ddb30cb3dea7dfbe51c295a15_JaffaCakes118.exe 31 PID 2296 wrote to memory of 2748 2296 efb9891ddb30cb3dea7dfbe51c295a15_JaffaCakes118.exe 32 PID 2296 wrote to memory of 2748 2296 efb9891ddb30cb3dea7dfbe51c295a15_JaffaCakes118.exe 32 PID 2296 wrote to memory of 2748 2296 efb9891ddb30cb3dea7dfbe51c295a15_JaffaCakes118.exe 32 PID 2296 wrote to memory of 2748 2296 efb9891ddb30cb3dea7dfbe51c295a15_JaffaCakes118.exe 32 PID 2748 wrote to memory of 2688 2748 cmd.exe 34 PID 2748 wrote to memory of 2688 2748 cmd.exe 34 PID 2748 wrote to memory of 2688 2748 cmd.exe 34 PID 2748 wrote to memory of 2688 2748 cmd.exe 34
Processes
-
C:\Users\Admin\AppData\Local\Temp\efb9891ddb30cb3dea7dfbe51c295a15_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\efb9891ddb30cb3dea7dfbe51c295a15_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Users\Admin\AppData\Local\Temp\efb9891ddb30cb3dea7dfbe51c295a15_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\efb9891ddb30cb3dea7dfbe51c295a15_JaffaCakes118.exe"2⤵
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f4⤵
- UAC bypass
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2688
-
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
3