Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 150s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 25/09/2024, 09:11
Static task: static1
Behavioral task: behavioral1
- Sample: f5acf31c5f763e0a4747106ba8ed8969_JaffaCakes118.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: f5acf31c5f763e0a4747106ba8ed8969_JaffaCakes118.exe
- Resource: win10v2004-20240910-en
General
- Target: f5acf31c5f763e0a4747106ba8ed8969_JaffaCakes118.exe
- Size: 385KB
- MD5: f5acf31c5f763e0a4747106ba8ed8969
- SHA1: 62559ed2f44d2899fba04e814f3d9298966dab11
- SHA256: cdcb185faf0dc11374112bad5bbbefbcf21086d4e168a9bd6c37a5221a5040b8
- SHA512: d3c597e541a1aca46d022d9babc330591eaf88af33e1404ee0d9ef8c3ac1190bc2d629f58bb218ebfa5034c4878ca9b39eda315fe9002edfc4f56bb23eb4a69c
- SSDEEP: 12288:7kWAehJuqT4qkn6Hv12hgbUNKMUGJsIHATYeX:7kWAAuqkqTzcKMU4nHC
Malware Config
Signatures
- Executes dropped EXE (7 IoCs)
  pid   Process
  1832  wanst.exe
  2704  tibiacast_3_0_38.exe
  2688  i.exe
  2920  f.exe
  2808  cres.exe
  2384  webengine.exe
  2928  MSBuild.exe
- Loads dropped DLL (9 IoCs)
  pid   Process
  2352  f5acf31c5f763e0a4747106ba8ed8969_JaffaCakes118.exe
  2352  f5acf31c5f763e0a4747106ba8ed8969_JaffaCakes118.exe
  2352  f5acf31c5f763e0a4747106ba8ed8969_JaffaCakes118.exe
  1832  wanst.exe
  2688  i.exe
  2688  i.exe
  2688  i.exe
  2920  f.exe
  2384  webengine.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\webengine.exe"
  Process: webengine.exe
- Suspicious use of SetThreadContext (2 IoCs)
  description                          pid   Process      procid_target
  PID 2920 set thread context of 2632  2920  f.exe        36
  PID 2928 set thread context of 3048  2928  MSBuild.exe  39
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 10 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wanst.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cres.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  AppLaunch.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MSBuild.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  AppLaunch.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  f5acf31c5f763e0a4747106ba8ed8969_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  i.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  f.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  webengine.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tibiacast_3_0_38.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description               pid   Process
  Token: SeDebugPrivilege   2920  f.exe
  Token: SeDebugPrivilege   2384  webengine.exe
  Token: SeDebugPrivilege   2928  MSBuild.exe
  Token: SeDebugPrivilege   2704  tibiacast_3_0_38.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid   Process
  2704  tibiacast_3_0_38.exe
- Suspicious use of SendNotifyMessage (1 IoC)
  pid   Process
  2704  tibiacast_3_0_38.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
- "C:\Users\Admin\AppData\Local\Temp\f5acf31c5f763e0a4747106ba8ed8969_JaffaCakes118.exe" (depth 1, PID 2352)
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - "C:\Users\Admin\AppData\Local\Temp\wanst.exe" (depth 2, PID 1832)
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - "C:\Users\Admin\AppData\Local\Temp\i.exe" -pwr (depth 3, PID 2688)
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - "C:\Users\Admin\AppData\Local\Temp\f.exe" (depth 4, PID 2920)
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe (depth 5, PID 2632)
          - System Location Discovery: System Language Discovery
        - "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\webengine.exe" (depth 5, PID 2384)
          - Executes dropped EXE
          - Loads dropped DLL
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - "C:\Users\Admin\AppData\Local\Temp\MSBuild.exe" (depth 6, PID 2928)
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe (depth 7, PID 3048)
              - System Location Discovery: System Language Discovery
      - "C:\Users\Admin\AppData\Local\Temp\cres.exe" (depth 4, PID 2808)
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
  - "C:\Users\Admin\AppData\Local\Temp\tibiacast_3_0_38.exe" (depth 2, PID 2704)
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads