Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 141s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 25/09/2024, 04:19
Static task: static1
Behavioral task: behavioral1
  Sample: f52a8823fc92aeb456f50df7da8c9dd6_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: f52a8823fc92aeb456f50df7da8c9dd6_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: f52a8823fc92aeb456f50df7da8c9dd6_JaffaCakes118.exe
Size: 11.0MB
MD5: f52a8823fc92aeb456f50df7da8c9dd6
SHA1: 1bc7a25a01e3cf95633cc83d946e642f46d36fb7
SHA256: c8cf169897093d492b462e8bfc6cf549568d42886cede23c070555beedc6269d
SHA512: 23f141155dfa4801956afd63c34e0d9c267ef820f05b1c212a3297b41bd4a5faef5b67f73dcaf5915b230529ff556e9faa2960e92317ff3af3fa979773007e3d
SSDEEP: 98304:PCYkkAjcg5NBKO3dgq4+DGEvQPAGyrodP8VP4MW6yLO239bxU:PH45NBKO3dW/FCrodP6P4MOLO2
Malware Config
Signatures
Executes dropped EXE (6 IoCs)
  pid   Process
  1376  TMP2584.exe
  2840  TMP1001.tmp
  2704  TMP9110.TMP
  2772  TMP9660.TMP
  692   NETCONFIG.EXE
  1992  YPAGER.EXE

Loads dropped DLL (10 IoCs, one row per load; identical rows collapsed with a count)
  pid   Process
  2260  f52a8823fc92aeb456f50df7da8c9dd6_JaffaCakes118.exe (2 loads)
  1376  TMP2584.exe (2 loads)
  2840  TMP1001.tmp (4 loads)
  692   NETCONFIG.EXE (2 loads)

Drops file in System32 directory (4 IoCs)
  description                    ioc                                  Process
  File opened for modification   \??\c:\windows\SysWOW64\ypager.exe   TMP9660.TMP
  File opened for modification   C:\WINDOWS\SysWOW64\YPAGER.EXE       TMP9660.TMP
  File opened for modification   C:\WINDOWS\SysWOW64\YPAGER.EXE       NETCONFIG.EXE
  File created                   \??\c:\windows\SysWOW64\ypager.exe   TMP9660.TMP

Drops file in Windows directory (4 IoCs)
  description                    ioc                            Process
  File created                   \??\c:\windows\netconfig.exe   TMP9660.TMP
  File opened for modification   \??\c:\windows\netconfig.exe   TMP9660.TMP
  File opened for modification   C:\WINDOWS\NETCONFIG.EXE       TMP9660.TMP
  File opened for modification   C:\WINDOWS\netconfig.exe       YPAGER.EXE

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                          Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   NETCONFIG.EXE
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   YPAGER.EXE
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   f52a8823fc92aeb456f50df7da8c9dd6_JaffaCakes118.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   TMP2584.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   TMP1001.tmp
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   TMP9110.TMP
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   TMP9660.TMP

Suspicious behavior: EnumeratesProcesses (14 IoCs; identical rows collapsed with a count)
  pid   Process
  2772  TMP9660.TMP (7 entries)
  1992  YPAGER.EXE (7 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  2704  TMP9110.TMP

Suspicious use of SetWindowsHookEx (6 IoCs)
  pid   Process
  2260  f52a8823fc92aeb456f50df7da8c9dd6_JaffaCakes118.exe
  1376  TMP2584.exe
  2840  TMP1001.tmp
  2772  TMP9660.TMP
  692   NETCONFIG.EXE
  1992  YPAGER.EXE

Suspicious use of WriteProcessMemory (24 IoCs; each parent/child pair below was logged four times)
  description                        pid   Process                                              procid_target
  PID 2260 wrote to memory of 1376   2260  f52a8823fc92aeb456f50df7da8c9dd6_JaffaCakes118.exe   31
  PID 1376 wrote to memory of 2840   1376  TMP2584.exe                                          32
  PID 2840 wrote to memory of 2704   2840  TMP1001.tmp                                          33
  PID 2840 wrote to memory of 2772   2840  TMP1001.tmp                                          34
  PID 2772 wrote to memory of 692    2772  TMP9660.TMP                                          35
  PID 692 wrote to memory of 1992    692   NETCONFIG.EXE                                        36
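The WriteProcessMemory rows above, together with the two "Drops file" tables, are enough to rebuild the spawn chain and to answer the question an analyst actually cares about: which of the files written into C:\Windows were subsequently executed. The script below is an added example, not Triage output or tooling; its inputs are the report's own rows copied inline, and the PID-to-image map is assembled from the "Executes dropped EXE" table plus the root sample. The regular expression over the description column is an assumption about Triage's row wording, based only on the rows visible here.

```python
import re

# Added example (not part of the Triage report): rebuild the process tree from
# the report's IoC rows and correlate dropped files with later executions.

# PID -> image name, from the "Executes dropped EXE" table plus the root
# sample (PID 2260, taken from the process tree section).
PROCESSES = {
    2260: "f52a8823fc92aeb456f50df7da8c9dd6_JaffaCakes118.exe",
    1376: "TMP2584.exe",
    2840: "TMP1001.tmp",
    2704: "TMP9110.TMP",
    2772: "TMP9660.TMP",
    692: "NETCONFIG.EXE",
    1992: "YPAGER.EXE",
}

# Rows copied from the "Suspicious use of WriteProcessMemory" table. Triage
# logs one row per write, so the same parent/child pair can repeat (kept one
# duplicate here to show the dedup path).
WPM_ROWS = [
    "PID 2260 wrote to memory of 1376 2260 f52a8823fc92aeb456f50df7da8c9dd6_JaffaCakes118.exe 31",
    "PID 2260 wrote to memory of 1376 2260 f52a8823fc92aeb456f50df7da8c9dd6_JaffaCakes118.exe 31",
    "PID 1376 wrote to memory of 2840 1376 TMP2584.exe 32",
    "PID 2840 wrote to memory of 2704 2840 TMP1001.tmp 33",
    "PID 2840 wrote to memory of 2772 2840 TMP1001.tmp 34",
    "PID 2772 wrote to memory of 692 2772 TMP9660.TMP 35",
    "PID 692 wrote to memory of 1992 692 NETCONFIG.EXE 36",
]

# Rows from the "Drops file in System32 directory" and "Drops file in Windows
# directory" tables: (description, ioc path, process).
DROP_ROWS = [
    ("File opened for modification", r"\??\c:\windows\SysWOW64\ypager.exe", "TMP9660.TMP"),
    ("File opened for modification", r"C:\WINDOWS\SysWOW64\YPAGER.EXE", "TMP9660.TMP"),
    ("File opened for modification", r"C:\WINDOWS\SysWOW64\YPAGER.EXE", "NETCONFIG.EXE"),
    ("File created", r"\??\c:\windows\SysWOW64\ypager.exe", "TMP9660.TMP"),
    ("File created", r"\??\c:\windows\netconfig.exe", "TMP9660.TMP"),
    ("File opened for modification", r"\??\c:\windows\netconfig.exe", "TMP9660.TMP"),
    ("File opened for modification", r"C:\WINDOWS\NETCONFIG.EXE", "TMP9660.TMP"),
    ("File opened for modification", r"C:\WINDOWS\netconfig.exe", "YPAGER.EXE"),
]

# Assumed row wording, derived from the rows on this page only.
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) ")


def parse_parents(rows):
    """Map child PID -> parent PID; repeated rows collapse to one edge."""
    parents = {}
    for row in rows:
        m = WPM_RE.match(row)
        if m:
            parents[int(m.group(2))] = int(m.group(1))
    return parents


def ancestry(pid, parents, names):
    """Image names from the root of the tree down to `pid`."""
    chain = [pid]
    while chain[-1] in parents:
        chain.append(parents[chain[-1]])
    return [names[p] for p in reversed(chain)]


def render_tree(parents, names, root, depth=0):
    """Indented text tree, one line per process, children in PID order."""
    lines = [f"{'  ' * depth}{names[root]} (PID {root})"]
    for child in sorted(c for c, p in parents.items() if p == root):
        lines.extend(render_tree(parents, names, child, depth + 1))
    return lines


def normalize(path):
    """Fold the NT \\??\\ prefix and mixed case so one file has one key."""
    return path.replace("\\??\\", "").lower()


def dropped_in_windows(rows):
    """Files the sample created under C:\\Windows, normalized and deduplicated."""
    return sorted({normalize(p) for d, p, _ in rows
                   if d == "File created" and normalize(p).startswith("c:\\windows\\")})


def dropped_then_executed(rows, names):
    """Dropped files whose basename later appears as a running process image."""
    running = {n.lower() for n in names.values()}
    return [p for p in dropped_in_windows(rows) if p.rsplit("\\", 1)[-1] in running]


if __name__ == "__main__":
    parents = parse_parents(WPM_ROWS)
    print("\n".join(render_tree(parents, PROCESSES, 2260)))
    print("Deepest chain:", " -> ".join(ancestry(1992, parents, PROCESSES)))
    print("Dropped into C:\\Windows and later executed:",
          dropped_then_executed(DROP_ROWS, PROCESSES))
```

Path normalization is not cosmetic here: the same file appears in the report as `\??\c:\windows\SysWOW64\ypager.exe` and `C:\WINDOWS\SysWOW64\YPAGER.EXE`, and the process tree later shows YPAGER.EXE launched with a `C:\WINDOWS\SYSTEM32\` command line while its image lives in SysWOW64. Without folding the NT prefix and case, the same dropped file counts three times and the drop-then-execute correlation misses.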
Processes
(depth as numbered in the report; each entry gives image path, command line, PID and the signatures attributed to that process)

Depth 1: C:\Users\Admin\AppData\Local\Temp\f52a8823fc92aeb456f50df7da8c9dd6_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f52a8823fc92aeb456f50df7da8c9dd6_JaffaCakes118.exe"
  PID: 2260
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Users\Admin\AppData\Local\TMP2584.exe
    Command line: C:\Users\Admin\AppData\Local\TMP2584.exe pth:C:\Users\Admin\AppData\Local\Temp\f52a8823fc92aeb456f50df7da8c9dd6_JaffaCakes118.exe
    PID: 1376
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Users\Admin\AppData\Local\Temp\TMP1001.tmp
      Command line: C:\Users\Admin\AppData\Local\Temp\TMP1001.tmp C:\Users\Admin\AppData\Local\Temp\f52a8823fc92aeb456f50df7da8c9dd6_JaffaCakes118.exe
      PID: 2840
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      Depth 4: C:\Users\Admin\AppData\Local\Temp\TMP9110.TMP
        Command line: C:\Users\Admin\AppData\Local\Temp\TMP9110.TMP
        PID: 2704
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: GetForegroundWindowSpam

      Depth 4: C:\Users\Admin\AppData\Local\Temp\TMP9660.TMP
        Command line: C:\Users\Admin\AppData\Local\Temp\TMP9660.TMP
        PID: 2772
        - Executes dropped EXE
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        Depth 5: C:\WINDOWS\NETCONFIG.EXE
          Command line: C:\WINDOWS\NETCONFIG.EXE t
          PID: 692
          - Executes dropped EXE
          - Loads dropped DLL
          - Drops file in System32 directory
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

          Depth 6: C:\WINDOWS\SysWOW64\YPAGER.EXE
            Command line: C:\WINDOWS\SYSTEM32\YPAGER.EXE t
            PID: 1992
            - Executes dropped EXE
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of SetWindowsHookEx

Note on the last entry: the command line names C:\WINDOWS\SYSTEM32\ but the image path is C:\WINDOWS\SysWOW64\. That is consistent with WOW64 file-system redirection for a 32-bit process on the x64 image (the dropped copy was written to SysWOW64 by TMP9660.TMP, see the "Drops file in System32 directory" signature), so detections and host triage should match on both spellings of the path.
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 768B
  MD5: 81010dd57e7f38595d91ce8707e452dd
  SHA1: 8811dedc9e0f72ca7b071f522edbd48d6d27bfed
  SHA256: f2d4e45fa0ebd3e824e528af354d6d1d0a97817702e1052e405ebbfd1973eefe
  SHA512: 67ca1dc018986f714ffdcbc61733973c250f5a1281eac9574ad58eb88d61344530ffa16553526470395a125e8bba1349a5fb5a803a1ef8ab83f5315b24014cba

Filesize: 28KB
  MD5: 63b67601532b24151c39d1b6ef131d52
  SHA1: 1a85634027bbceddc598295154f0310c3f648c0f
  SHA256: c7956a8f024c515fb031e061007e904125fffc5fcd5ede27f5e8efa764f523d5
  SHA512: 65c6c6b0325b1e3eda11a078714115842034cd596830da29a5b33a217eb8d8a645c82483f39b10825992c4bfa4d54413ab954e82cc30a885641fba0ed5db6527

Filesize: 10.9MB
  MD5: 7e6f3fe40408d1caa99ce4a725764686
  SHA1: 22d5307f2a686d71eb1a8f36437c8dd65e425f79
  SHA256: 60768a80ab229d40ca3a7f2854ae082492744da6e8df1ae1a31919fa05f4c65a
  SHA512: 4b2b1b8404ba0c8194c762c790572ae66115f9413e50bce6461a2e599ec628caa64cfbaddba2de2c4e019f36337e2974a9f29d9b4060f7f993f1d2acc2ffe4ea

Filesize: 10.9MB
  MD5: 08f13823a350561d9864b269f0552c5a
  SHA1: 4a9e30c8a2a1ebd86fe7c8e35b878cee5920c49e
  SHA256: b3306409ecbb3ea2eaaff453a5b8441a1c22b1d42651eb0fade931e3ff574cf5
  SHA512: dda3a0bb2cfdbab8f39bb29e975a20dd4d946ff413e540b49507d73a44ab1b708d4fb46d0f9743db7430a083019fdf3748ece466d1a5ab4035e4dafbb742ddf1