Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 150s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 25/09/2024, 04:09
Static task: static1
Behavioral task: behavioral1
  Sample: f526348d63436c1f649d617ff0d055c3_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: f526348d63436c1f649d617ff0d055c3_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
- Target: f526348d63436c1f649d617ff0d055c3_JaffaCakes118.exe
- Size: 127KB
- MD5: f526348d63436c1f649d617ff0d055c3
- SHA1: 91e1c7733928dbf135ab32e84e2c61a7586652b7
- SHA256: a4467dccb32edd2ba60b49b7fce1753d3ee1bdbe0164b3529a3bd04a6d2c325d
- SHA512: 7664aa0ba931e0dceda34765803bd7569646e303208f1ed56875871831269aaa6acf56f335fe92297cb2e06b79391427b52e92684dbe2f59042469978462b016
- SSDEEP: 3072:9ZXgU7xP3EaedXKP1VMOjdAeL4QMLqQkkZ:9ZN/r1VtqnhBZ
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid   Process
  1588  cmd.exe
- Executes dropped EXE (1 IoC)
  pid   Process
  2748  7kav.exe
- Loads dropped DLL (2 IoCs)
  pid   Process
  2740  f526348d63436c1f649d617ff0d055c3_JaffaCakes118.exe
  2740  f526348d63436c1f649d617ff0d055c3_JaffaCakes118.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\{E1F62955-4F43-164F-0212-411053103928} = "C:\\Users\\Admin\\AppData\\Roaming\\L736\\7kav.exe"
  Process: 7kav.exe
- Suspicious use of SetThreadContext (1 IoC)
  description: PID 2740 set thread context of 1588
  pid: 2740
  Process: f526348d63436c1f649d617ff0d055c3_JaffaCakes118.exe
  procid_target: 32
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                        Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  f526348d63436c1f649d617ff0d055c3_JaffaCakes118.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
- Modifies Internet Explorer settings
  description: Key created
  ioc: \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Privacy
  Process: f526348d63436c1f649d617ff0d055c3_JaffaCakes118.exe
  description: Set value (int)
  ioc: \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"
  Process: f526348d63436c1f649d617ff0d055c3_JaffaCakes118.exe
- NTFS ADS (1 IoC)
  description: File opened for modification
  ioc: C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\072C41DE-00000001.eml:OECustomProperty
  Process: WinMail.exe
- Suspicious behavior: EnumeratesProcesses (32 IoCs)
  pid   Process
  2748  7kav.exe  (the same entry is listed 32 times)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                      pid   Process
  Token: SeSecurityPrivilege       2740  f526348d63436c1f649d617ff0d055c3_JaffaCakes118.exe
  Token: SeManageVolumePrivilege   2576  WinMail.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid   Process
  2576  WinMail.exe
- Suspicious use of SendNotifyMessage (1 IoC)
  pid   Process
  2576  WinMail.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid   Process
  2576  WinMail.exe
- Suspicious use of WriteProcessMemory (53 IoCs; identical entries collapsed, with the number of repeats in the last column)
  description                         pid   Process                                             procid_target  repeats
  PID 2740 wrote to memory of 2748    2740  f526348d63436c1f649d617ff0d055c3_JaffaCakes118.exe  30             4
  PID 2748 wrote to memory of 1108    2748  7kav.exe                                            19             5
  PID 2748 wrote to memory of 1160    2748  7kav.exe                                            20             5
  PID 2748 wrote to memory of 1200    2748  7kav.exe                                            21             5
  PID 2748 wrote to memory of 1260    2748  7kav.exe                                            25             5
  PID 2748 wrote to memory of 2740    2748  7kav.exe                                            29             5
  PID 2748 wrote to memory of 2576    2748  7kav.exe                                            31             5
  PID 2740 wrote to memory of 1588    2740  f526348d63436c1f649d617ff0d055c3_JaffaCakes118.exe  32             9
  PID 2748 wrote to memory of 2620    2748  7kav.exe                                            34             5
  PID 2748 wrote to memory of 1808    2748  7kav.exe                                            36             5
Processes
(process tree; indentation shows parent/child nesting)
- C:\Windows\system32\taskhost.exe
  command line: "taskhost.exe"
  PID: 1108
- C:\Windows\system32\Dwm.exe
  command line: "C:\Windows\system32\Dwm.exe"
  PID: 1160
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 1200
  - C:\Users\Admin\AppData\Local\Temp\f526348d63436c1f649d617ff0d055c3_JaffaCakes118.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\f526348d63436c1f649d617ff0d055c3_JaffaCakes118.exe"
    PID: 2740
    signatures:
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\L736\7kav.exe
      command line: "C:\Users\Admin\AppData\Roaming\L736\7kav.exe"
      PID: 2748
      signatures:
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp0d7455e6.bat"
      PID: 1588
      signatures:
      - Deletes itself
      - System Location Discovery: System Language Discovery
- C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 1260
- C:\Program Files\Windows Mail\WinMail.exe
  command line: "C:\Program Files\Windows Mail\WinMail.exe" -Embedding
  PID: 2576
  signatures:
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
  PID: 2620
- C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
  PID: 1808
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.0MB
  MD5: 64be70d0c71c865d04fca49fd48ea0bd
  SHA1: 43659fc281f22feaa7ccbe726e17554c795b61d0
  SHA256: f48ab33e61e3c6e14d0bc35bfaea6fe41a7233ef10187ee3e0f37deeee501fec
  SHA512: 5d2b93e1a903d90d524705d87059ed08d129ebe62cb3a925a17ef4886c71e26959bb8049448b743539764d9aef563bf10eaa79384da838f9c0b1b3aa075f8b41
- Filesize: 271B
  MD5: d89959f3bbca91886726574716468f4a
  SHA1: dc7ded2c49f43be365e4ca26910106d675519da4
  SHA256: 469798241768e00f26bd9bc380cf09bfa4cefdbff3d6508441d78b105436770c
  SHA512: aa47b1229db9b3747aa2266f9f9ded994ae1b9e1cd6ea9e23c0fbcc532e0ca847fbc2dfd7c3a7161839c8e0cbaa869a9f73e1940916d88241650699362659e8d
- Filesize: 127KB
  MD5: ebd0fa86e11509e5ffc790734f35fb53
  SHA1: bfe3a9902cd06399e793d18cf6506ead7a0855ee
  SHA256: 89c13c96bf36b2ab27c7c88236d844445b36837087ccf4e06b08f1141b98ad45
  SHA512: 3c9607dbf3e10cc83c5486cd6e90456ffb5a49674e9709f66e847fbc37b730e0dddadb9637f6f920b035214427613cf1d0c8633554a1ffa04c3239b4a78ccf02