Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 25/09/2024, 13:20
Static task: static1
Behavioral task: behavioral1
Sample: f61a0991e1a2591c39629f8f51954079_JaffaCakes118.exe
Resource: win7-20240903-en
General
- Target: f61a0991e1a2591c39629f8f51954079_JaffaCakes118.exe
- Size: 476KB
- MD5: f61a0991e1a2591c39629f8f51954079
- SHA1: 2081e35f0cdd2411bb7c53b7833e1eb21221bec3
- SHA256: dd80ea0d7cab57580251088c44c6fe5759ef696eb1577f8fd21cd9310b5afa1c
- SHA512: bac1e6e1621811410d17c915fa92500b6d7926fea95fa4c5db54dbe0dfe743da38851cafbc900b4d51d5cf9ce864ab012f74f7caf055c8876f88a151e16917d1
- SSDEEP: 12288:M3nZMhJ+ubNZ7dCtvFjwdr3F9FWuxU+PSkJBYDIl+OqJ+hOye:M3nZqfbxCtvyx3FvWoUiJOIHVh+
Malware Config
Signatures
- Executes dropped EXE 2 IoCs
  pid   Process
  2516  file.exe
  2784  91sfk.exe
- Loads dropped DLL 7 IoCs
  pid   Process
  2152  WScript.exe
  2152  WScript.exe
  2152  WScript.exe
  2516  file.exe
  2516  file.exe
  2516  file.exe
  2516  file.exe
- Checks whether UAC is enabled
  description        ioc                                                                                   Process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  RegAsm.exe
- Suspicious use of SetThreadContext 2 IoCs
  description                          pid   Process    procid_target
  PID 2784 set thread context of 2800  2784  91sfk.exe  33
  PID 2800 set thread context of 2936  2800  csc.exe    34
- resource / yara_rule
  behavioral1/memory/2800-35-0x0000000000400000-0x0000000000424000-memory.dmp  upx
  behavioral1/memory/2800-33-0x0000000000400000-0x0000000000424000-memory.dmp  upx
  behavioral1/memory/2800-38-0x0000000000400000-0x0000000000424000-memory.dmp  upx
  behavioral1/memory/2800-39-0x0000000000400000-0x0000000000424000-memory.dmp  upx
  behavioral1/memory/2800-42-0x0000000000400000-0x0000000000424000-memory.dmp  upx
  behavioral1/memory/2800-41-0x0000000000400000-0x0000000000424000-memory.dmp  upx
  behavioral1/memory/2800-40-0x0000000000400000-0x0000000000424000-memory.dmp  upx
  behavioral1/memory/2800-60-0x0000000000400000-0x0000000000424000-memory.dmp  upx
  behavioral1/memory/2800-61-0x0000000000400000-0x0000000000424000-memory.dmp  upx
  behavioral1/memory/2800-62-0x0000000000400000-0x0000000000424000-memory.dmp  upx
  behavioral1/memory/2800-63-0x0000000000400000-0x0000000000424000-memory.dmp  upx
  behavioral1/memory/2800-64-0x0000000000400000-0x0000000000424000-memory.dmp  upx
  behavioral1/memory/2800-65-0x0000000000400000-0x0000000000424000-memory.dmp  upx
  behavioral1/memory/2800-66-0x0000000000400000-0x0000000000424000-memory.dmp  upx
  behavioral1/memory/2800-67-0x0000000000400000-0x0000000000424000-memory.dmp  upx
  behavioral1/memory/2800-68-0x0000000000400000-0x0000000000424000-memory.dmp  upx
  behavioral1/memory/2800-69-0x0000000000400000-0x0000000000424000-memory.dmp  upx
  behavioral1/memory/2800-70-0x0000000000400000-0x0000000000424000-memory.dmp  upx
  behavioral1/memory/2800-71-0x0000000000400000-0x0000000000424000-memory.dmp  upx
  behavioral1/memory/2800-72-0x0000000000400000-0x0000000000424000-memory.dmp  upx
  behavioral1/memory/2800-73-0x0000000000400000-0x0000000000424000-memory.dmp  upx
  behavioral1/memory/2800-74-0x0000000000400000-0x0000000000424000-memory.dmp  upx
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  91sfk.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  csc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  RegAsm.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  f61a0991e1a2591c39629f8f51954079_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  file.exe
- Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  2708  schtasks.exe
- Suspicious behavior: EnumeratesProcesses 64 IoCs
  pid   Process
  2800  csc.exe   (this identical row is reported 64 times)
- Suspicious use of WriteProcessMemory 48 IoCs
  (identical rows collapsed; the count column gives how many times each row appears in the report)
  description                        pid   Process                                             procid_target  count
  PID 1944 wrote to memory of 2152   1944  f61a0991e1a2591c39629f8f51954079_JaffaCakes118.exe  30             7
  PID 2152 wrote to memory of 2516   2152  WScript.exe                                         31             7
  PID 2516 wrote to memory of 2784   2516  file.exe                                            32             7
  PID 2784 wrote to memory of 2800   2784  91sfk.exe                                           33             11
  PID 2800 wrote to memory of 2936   2800  csc.exe                                             34             9
  PID 2936 wrote to memory of 2708   2936  RegAsm.exe                                          35             7
Processes
- C:\Users\Admin\AppData\Local\Temp\f61a0991e1a2591c39629f8f51954079_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\f61a0991e1a2591c39629f8f51954079_JaffaCakes118.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1944
  - C:\Windows\SysWOW64\WScript.exe
    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\6mmqw\88g4m.vbs"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2152
    - C:\Users\Admin\6mmqw\file.exe
      command line: "C:\Users\Admin\6mmqw\file.exe" -p1234
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2516
      - C:\Users\Admin\AppData\Roaming\6mmqw\91sfk.exe
        command line: "C:\Users\Admin\AppData\Roaming\6mmqw\91sfk.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 2784
        - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
          command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
          PID: 2800
          - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
            command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
            - Checks whether UAC is enabled
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID: 2936
            - C:\Windows\SysWOW64\schtasks.exe
              command line: "schtasks.exe" /create /f /tn "DPI Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmpAD11.tmp"
              - System Location Discovery: System Language Discovery
              - Scheduled Task/Job: Scheduled Task
              PID: 2708
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 90B
  MD5: 4005c5add74a635ebcd654ba7cf51ac9
  SHA1: e84a7d72f080e032a55b3ccd61603bac82e8fb73
  SHA256: af03f80def60fe776c9267a192e662da9716b59469e830f7698651e52cf0fd53
  SHA512: 0f554ff22bcfba2336e5bf809aec1607e628767c72e1ae81001e5b80351bfab8fc86b85bb2e8063e1f5d955c3e18e3f51cf21875760de57a68db88e926f86030
- Filesize: 318KB
  MD5: 8b03e059b46c6ef0bc30a4a9d7eda131
  SHA1: 8d51e49dd267b5cf004db0fcd7ffe0f947fe4402
  SHA256: 6560160f4dec287992891ae93a91313085cf088364c844ffb8b53a0b5e63ade0
  SHA512: 33a637a240e438b1f7951946687a769bb09e35db10084708125184a5556c5ce4b1515e9618eb1a152ec48cfd9a590585080f220e3dc3ef79a2f61552a4aec9b1
- Filesize: 1KB
  MD5: c6f0625bf4c1cdfb699980c9243d3b22
  SHA1: 43de1fe580576935516327f17b5da0c656c72851
  SHA256: 8dfc4e937f0b2374e3ced25fce344b0731cf44b8854625b318d50ece2da8f576
  SHA512: 9ef2dbd4142ad0e1e6006929376ecb8011e7ffc801ee2101e906787d70325ad82752df65839de9972391fa52e1e5974ec1a5c7465a88aa56257633ebb7d70969
- Filesize: 618KB
  MD5: 2f29a20e1bdeb519c5247108baade53e
  SHA1: 80557ca8b51b252d6aa3fcbe03154df70a3e8b92
  SHA256: 6cc01ffcf664ac1552487f7287e87a2637ae196f36c30aa0b23192f22e572214
  SHA512: 8cb242314b6c36bb5455e1db7ec9590f0f47bda087eaa704bbdc16fa09d1ac91880a6126eb2b3fff1f115759299e8ca7f6ba367c72b915b5076b9d014c5a5551
- Filesize: 42KB
  MD5: ea91e005c6920683a4526839f7745482
  SHA1: 432058655709f00958f287b6413ed5750ff69577
  SHA256: 8be60bfbca8d12da042e25fb2254bd7aa3e13516a3df62faf3b1ed9c3340e449
  SHA512: 971903238c0272ee5a540a34807f0d6b44ecb582e3e0d216b9e8579a2f37e934dde86109815353d62f66373575f3a788166d7d8798b3fb2b5df07fb60c1c16bc