Analysis
max time kernel: 150s
max time network: 142s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 22/09/2024, 08:31
Static task
static1

Behavioral tasks
behavioral1: f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe on win7-20240903-en
behavioral2: f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe on win10v2004-20240802-en
behavioral3: $PLUGINSDIR/System.dll on win7-20240903-en
behavioral4: $PLUGINSDIR/System.dll on win10v2004-20240802-en
behavioral5: Arrays.dll on win7-20240708-en
behavioral6: Arrays.dll on win10v2004-20240802-en

$PLUGINSDIR/System.dll and Arrays.dll are files extracted from the submitted executable and run as separate tasks. $PLUGINSDIR is the plugin directory an NSIS installer unpacks at runtime and System.dll is the stock NSIS System plugin, so the outer executable is an NSIS-packaged installer; the behaviour below is the payload it unpacks, not the installer stub itself.
General
Target: f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
Size: 271KB
MD5: f1a79f9cba710bf8cc11122d6999d66d
SHA1: 3756af4d51bb0511e5ef4319eaf7720b4c73194b
SHA256: b6cb0ed4ec3397234c1f67bef483ee62f45ca9d1becca3fa0c9fcbe3642acf9a
SHA512: 3394ad10858ec3161c2e084f79a22ce74d6c1102581af4ef6576ec78eabe82fc9f5ee6c248d1389927a983c4385e905a5c559d711100bd391b6b80f76943c8ed
SSDEEP: 6144:Kn/L+GOm9pZ9rBzo/pwwIIg8I32PkFVEXS:0zOm9r99/8y2PSaS
Malware Config
Extracted from: C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\README.hta
This is the file the sample creates in the OneNote stationery directory whose .ONE templates it also opens for modification (see "Drops file in Program Files directory" under Signatures). Treat the path and the .hta name as host indicators for this sample.
Signatures

Deletes shadow copies (3 TTPs)
Ransomware often targets backup files to inhibit system recovery. In this run the deletion is performed by cmd.exe (PID 1588) launching "wmic.exe shadowcopy delete" (PID 2696), which drives the VSS service process vssvc.exe (PID 2600); see Processes.

Contacts a large (512) amount of remote hosts (1 TTPs)
This may indicate a network scan to discover remotely running services.

Loads dropped DLL (3 IoCs)
pid | Process
1956 | f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
1956 | f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
1956 | f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
The extracted $PLUGINSDIR/System.dll and Arrays.dll listed under Behavioral tasks are the candidate DLLs; all three loads happen in the first instance (1956), before the second instance is started.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 1956 set thread context of 2836 | 1956 | f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe | 29
PID 2836 is a second instance of the same image, spawned by 1956, and 1956 also writes into its memory (see "Suspicious use of WriteProcessMemory" below). A parent that starts a copy of itself, writes into it and then resets its thread context is the self-injection / process-hollowing shape; the signatures attributed to 2836 below are the unpacked payload's behaviour.

Drops file in Program Files directory (6 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\README.hta | f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\DESIGNER.ONE | f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\PLANNERS.ONE | f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\ACADEMIC.ONE | f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BUSINESS.ONE | f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BLANK.ONE | f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe

Drops file in Windows directory (1 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\ | f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2836 | f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe (all 64 entries are this process)

Suspicious use of AdjustPrivilegeToken (44 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2836 | f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 (the same 20 privileges enabled in two passes, 40 entries) | 2696 | WMIC.exe
Token: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege | 2600 | vssvc.exe
Privileges 33, 34 and 35 are reported by LUID; on Windows these are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege. The WMIC.exe set is every privilege on an elevated token that is not already enabled by default, switched on wholesale, which is what a blanket AdjustTokenPrivileges pass looks like rather than a targeted grab; vssvc.exe needs backup/restore to touch snapshots. The actionable rows are SeDebugPrivilege in the injected instance (2836) and, above all, the wmic command line that follows.

Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target
PID 1956 wrote to memory of 2836 | 1956 | f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe | 29 (10 entries)
PID 2836 wrote to memory of 1588 | 2836 | f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe | 30 (4 entries)
PID 1588 wrote to memory of 2696 | 1588 | cmd.exe | 32 (3 entries)
The writes from 2836 into cmd.exe and from cmd.exe into WMIC.exe are parent-to-child writes at process creation and are not injection on their own; the 1956 to 2836 writes, paired with the SetThreadContext call above, are the injection.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. Here it is exercised indirectly: wmic.exe's "shadowcopy delete" is serviced by vssvc.exe (PID 2600), which appears as a separate top-level process in the tree below.
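The SetThreadContext and WriteProcessMemory tables above are flattened rows of the form "PID <src> <operation> <dst> <src> <image> <procid_target>", repeated once per call. The following script is an added example written for this report, not Triage code and not part of the sample: it parses rows in that shape, collapses the duplicates, recovers the spawn chain from the parent-to-child writes, and flags the pair where the writer also reset the target's thread context and both PIDs run the same image, which is the self-injection pattern seen here. The sample rows and the PID-to-image map are constructed from the report's own tables with the row multiplicity reduced.

```python
"""Reconstruct the injection chain from Triage-style IoC rows (added example)."""
import re
from collections import defaultdict

# Constructed sample rows in the shape of the report's "Suspicious use of
# WriteProcessMemory" / "SetThreadContext" tables (PIDs and image from the report).
SAMPLE_ROWS = """\
PID 1956 wrote to memory of 2836 1956 f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe 29
PID 1956 wrote to memory of 2836 1956 f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe 29
PID 1956 set thread context of 2836 1956 f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe 29
PID 2836 wrote to memory of 1588 2836 f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe 30
PID 1588 wrote to memory of 2696 1588 cmd.exe 32
"""

# PID -> image, constructed from the report's Processes section.
PROCESS_IMAGES = {
    1956: "f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe",
    2836: "f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe",
    1588: "cmd.exe",
    2696: "WMIC.exe",
}

# One row: "PID <src> <op> <dst> <src again> <source image> <procid_target>".
ROW = re.compile(
    r"^PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target>\d+)$"
)


def parse_rows(text):
    """Return {(src_pid, dst_pid): set of operations}, duplicate rows collapsed."""
    edges = defaultdict(set)
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m is None:
            continue  # header row or unrelated text
        op = "write" if m["op"].startswith("wrote") else "set_thread_context"
        edges[(int(m["src"]), int(m["dst"]))].add(op)
    return dict(edges)


def hollowing_candidates(edges, images):
    """Pairs where the writer also set the target's thread context and both
    PIDs run the same image: a parent writing into a copy of itself."""
    hits = []
    for (src, dst), ops in sorted(edges.items()):
        same_image = images.get(src) is not None and images.get(src) == images.get(dst)
        if {"write", "set_thread_context"} <= ops and same_image:
            hits.append((src, dst, images[src]))
    return hits


def write_chain(edges, start):
    """Follow WriteProcessMemory edges from `start`; parent-to-child writes at
    process creation make this trace the spawn chain."""
    chain, cur, seen = [start], start, {start}
    while True:
        nxt = [d for (s, d), ops in edges.items()
               if s == cur and "write" in ops and d not in seen]
        if not nxt:
            return chain
        cur = nxt[0]
        seen.add(cur)
        chain.append(cur)


if __name__ == "__main__":
    e = parse_rows(SAMPLE_ROWS)
    print("edges:", {k: sorted(v) for k, v in e.items()})
    print("hollowing candidates:", hollowing_candidates(e, PROCESS_IMAGES))
    print("write chain from 1956:", write_chain(e, 1956))
```

Run against the constructed rows it reports one hollowing candidate, 1956 into 2836, and the chain 1956, 2836, 1588, 2696 that matches the process tree below. The same-image check is what separates the injection pair from the ordinary parent-to-child writes into cmd.exe and WMIC.exe.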
Processes

C:\Users\Admin\AppData\Local\Temp\f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe (PID 1956, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe (PID 2836, depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe"
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\cmd.exe (PID 1588, depth 3)
      command line: "C:\Windows\system32\cmd.exe"
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\wbem\WMIC.exe (PID 2696, depth 4)
        command line: C:\Windows\system32\wbem\wmic.exe shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\vssvc.exe (PID 2600, depth 1)
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
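The tree above is the chain a detection should key on: a user-profile executable spawns a copy of itself, that copy spawns cmd.exe, and cmd.exe runs "wmic.exe shadowcopy delete". The following is an added example written for this report, not Triage code and not part of the sample. It runs that logic over constructed process-creation records in the field shape of a Sysmon Event ID 1 or Security 4688 entry, mirroring the report's PIDs, images and command lines, with a benign vssadmin listing as a control. It generalises beyond the sample: the report shows only the wmic form, and the vssadmin and wbadmin patterns are the other common command lines that achieve the same ATT&CK T1490 (Inhibit System Recovery) effect.

```python
"""Detect shadow-copy deletion in process-creation telemetry (added example)."""
import re

SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\f1a79f9cba710bf8cc11122d6999d66d_JaffaCakes118.exe"

# Constructed events mirroring the report's process tree; ppid 1000 and the
# benign control (pid 3100) are invented for the example.
SAMPLE_EVENTS = [
    {"pid": 1956, "ppid": 1000, "image": SAMPLE_EXE, "cmdline": f'"{SAMPLE_EXE}"'},
    {"pid": 2836, "ppid": 1956, "image": SAMPLE_EXE, "cmdline": f'"{SAMPLE_EXE}"'},
    {"pid": 1588, "ppid": 2836, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe"'},
    {"pid": 2696, "ppid": 1588, "image": r"C:\Windows\system32\wbem\WMIC.exe",
     "cmdline": r"C:\Windows\system32\wbem\wmic.exe shadowcopy delete"},
    # Benign control: an administrator listing snapshots must not fire.
    {"pid": 3100, "ppid": 3000, "image": r"C:\Windows\system32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
]

# Each rule requires the tool name plus the destructive verb and object as
# independent lookaheads, so reordering the arguments does not evade it.
RULES = [
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(\.exe)?\b(?=.*\bshadowcopy\b)(?=.*\bdelete\b)", re.I)),
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(\.exe)?\b(?=.*\bdelete\b)(?=.*\bshadows\b)", re.I)),
    ("wbadmin delete catalog",
     re.compile(r"\bwbadmin(\.exe)?\b(?=.*\bdelete\b)(?=.*\bcatalog\b)", re.I)),
]

# Anything under a user profile's AppData is user-writable, the usual drop location.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)


def ancestry(events, pid):
    """Walk ppid links from `pid` back to the oldest ancestor in the event set."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain


def detect_inhibit_recovery(events):
    """One finding per matching process: rule name, ancestry (child first) and a
    severity bump when any ancestor runs from a user-writable profile path."""
    findings = []
    for ev in events:
        for name, rx in RULES:
            if not rx.search(ev["cmdline"]):
                continue
            chain = ancestry(events, ev["pid"])
            from_user_path = any(USER_WRITABLE.search(a["image"]) for a in chain)
            findings.append({
                "pid": ev["pid"],
                "rule": name,
                "chain": [a["image"] for a in chain],
                "severity": "high" if from_user_path else "medium",
            })
            break
    return findings


if __name__ == "__main__":
    for f in detect_inhibit_recovery(SAMPLE_EVENTS):
        print(f["severity"], f["rule"], "pid", f["pid"])
        print("  chain:", " <- ".join(f["chain"]))
```

On the constructed events it yields a single high-severity finding for PID 2696 with a four-process chain ending at the Temp executable, and nothing for the benign listing. The ancestry walk is what turns a noisy command-line match into a usable alert: wmic and vssadmin are legitimate admin tools, but neither is normally launched, via cmd.exe, by a binary in a user's AppData\Local\Temp.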
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 60KB
MD5: 79efbacfd6f73c8e66e909908045feaf
SHA1: 4cda920ba660285c28e11826f811aedcbda8abe9
SHA256: e4233c60c8cacd508d82bba6ac9dc79ef8d201fc7548950f480c07fd01d4fb92
SHA512: f69d28cde087a1c7e3ad096c4bc550fb764f2cd7218fe14c14a05b9dcc5bcf094f55fc23aefcd109749ef2405ef7303317e48bf60abd73ed8c15b72b8c42b59a

Filesize: 1KB
MD5: e930bf24883de57b28a31a733d618645
SHA1: 416f7f4e017f619d1ac89a34c1e34a5baad73c56
SHA256: 2f3ce5515bead08015d327ba391060bd70614aea8b8c4325470723f824d51a21
SHA512: cfe4c11334a627ba2a5a022bf669a78df88ef9e641596bd7cac6fc590da62490e90f9ff3b1f06a169684820406e452f12be420b13de1b093ff1dd73abaee6b3a

Filesize: 11KB
MD5: a436db0c473a087eb61ff5c53c34ba27
SHA1: 65ea67e424e75f5065132b539c8b2eda88aa0506
SHA256: 75ed40311875312617d6711baed0be29fcaee71031ca27a8d308a72b15a51e49
SHA512: 908f46a855480af6eacb2fb64de0e60b1e04bbb10b23992e2cf38a4cbebdcd7d3928c4c022d7ad9f7479265a8f426b93eef580afec95570e654c360d62f5e08d

Filesize: 102KB
MD5: 53b475200fd923b7dee70ea8b213b096
SHA1: 6f6c4a51f57cde10a00523fd1e5c6b8941c11f8a
SHA256: 43e3d1893e027ce4858e5ffcdd1eebf66d3d63a8468a9cd321faeefa6f2a7ad5
SHA512: 3f040a619b5fabe3fe2d6d98c5e627464e7e2c75dc633da6402549c6513805ba65ac0263f2450563b1191fe0baa74650eacb187dc11a32d0f33927ab9c354b1e