Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
3s -
max time network
4s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
25/09/2024, 15:38
Static task
static1
Behavioral task
behavioral1
Sample
f653945662ad61108c61c654f473b4d7_JaffaCakes118.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
f653945662ad61108c61c654f473b4d7_JaffaCakes118.exe
Resource
win10v2004-20240802-en
Errors
General
-
Target
f653945662ad61108c61c654f473b4d7_JaffaCakes118.exe
-
Size
99KB
-
MD5
f653945662ad61108c61c654f473b4d7
-
SHA1
f29fc3bbaebcea2752e247b317ca582d51715c9d
-
SHA256
462d7f464400677a6c746363e9b64895442a24dcb8a4b951609dce3aa635a0b9
-
SHA512
0842972831a6b9508f870b3a194b9fcfbad3565f533066a193553a4a07d1b1db96493dbbe702b9f75b78f8d0671082d1f59756bdd825283abb921cc491d1f67c
-
SSDEEP
3072:BixUnJoxphJ7dGz8K5uFd5Y7+CVukbkmJjbux7i9:BixqoxL1HKEFG
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid Process 1932 x2z8.exe -
Executes dropped EXE 2 IoCs
pid Process 2132 x2z8.exe 1932 x2z8.exe -
Loads dropped DLL 3 IoCs
pid Process 2572 f653945662ad61108c61c654f473b4d7_JaffaCakes118.exe 2572 f653945662ad61108c61c654f473b4d7_JaffaCakes118.exe 2132 x2z8.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PHYSICALDRIVE0 f653945662ad61108c61c654f473b4d7_JaffaCakes118.exe File opened for modification \??\PHYSICALDRIVE0 x2z8.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 2064 set thread context of 2572 2064 f653945662ad61108c61c654f473b4d7_JaffaCakes118.exe 30 PID 2132 set thread context of 1932 2132 x2z8.exe 32 -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language x2z8.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f653945662ad61108c61c654f473b4d7_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f653945662ad61108c61c654f473b4d7_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language x2z8.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeShutdownPrivilege 1932 x2z8.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 2064 wrote to memory of 2572 2064 f653945662ad61108c61c654f473b4d7_JaffaCakes118.exe 30 PID 2064 wrote to memory of 2572 2064 f653945662ad61108c61c654f473b4d7_JaffaCakes118.exe 30 PID 2064 wrote to memory of 2572 2064 f653945662ad61108c61c654f473b4d7_JaffaCakes118.exe 30 PID 2064 wrote to memory of 2572 2064 f653945662ad61108c61c654f473b4d7_JaffaCakes118.exe 30 PID 2064 wrote to memory of 2572 2064 f653945662ad61108c61c654f473b4d7_JaffaCakes118.exe 30 PID 2064 wrote to memory of 2572 2064 f653945662ad61108c61c654f473b4d7_JaffaCakes118.exe 30 PID 2572 wrote to memory of 2132 2572 f653945662ad61108c61c654f473b4d7_JaffaCakes118.exe 31 PID 2572 wrote to memory of 2132 2572 f653945662ad61108c61c654f473b4d7_JaffaCakes118.exe 31 PID 2572 wrote to memory of 2132 2572 f653945662ad61108c61c654f473b4d7_JaffaCakes118.exe 31 PID 2572 wrote to memory of 2132 2572 f653945662ad61108c61c654f473b4d7_JaffaCakes118.exe 31 PID 2132 wrote to memory of 1932 2132 x2z8.exe 32 PID 2132 wrote to memory of 1932 2132 x2z8.exe 32 PID 2132 wrote to memory of 1932 2132 x2z8.exe 32 PID 2132 wrote to memory of 1932 2132 x2z8.exe 32 PID 2132 wrote to memory of 1932 2132 x2z8.exe 32 PID 2132 wrote to memory of 1932 2132 x2z8.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\f653945662ad61108c61c654f473b4d7_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f653945662ad61108c61c654f473b4d7_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Users\Admin\AppData\Local\Temp\f653945662ad61108c61c654f473b4d7_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f653945662ad61108c61c654f473b4d7_JaffaCakes118.exe"2⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Users\Admin\AppData\Local\Temp\x2z8.exeC:\Users\Admin\AppData\Local\Temp\\x2z8.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Users\Admin\AppData\Local\Temp\x2z8.exe"C:\Users\Admin\AppData\Local\Temp\x2z8.exe"4⤵
- Deletes itself
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1932
-
-
-
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x01⤵PID:568
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x11⤵PID:2608
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
84B
MD5c3632cd9e387cab56bf7e14749ec4329
SHA1b8af787e436df5ced3f0eb23ebd64719a8abb65f
SHA25635f5a078950ee6ec2348c4991b5a5ae47661ec6f8daf388d21138d837edcd85f
SHA512b72bbbbc1365645cb7044cc49d68e1e545b37b816af18bc3d341d13a6551452a3f9ddfe6b2d5ee33d6a3265a8081a2750fb0dd128eda7c72e70ab78c1d1c399e
-
Filesize
99KB
MD5f653945662ad61108c61c654f473b4d7
SHA1f29fc3bbaebcea2752e247b317ca582d51715c9d
SHA256462d7f464400677a6c746363e9b64895442a24dcb8a4b951609dce3aa635a0b9
SHA5120842972831a6b9508f870b3a194b9fcfbad3565f533066a193553a4a07d1b1db96493dbbe702b9f75b78f8d0671082d1f59756bdd825283abb921cc491d1f67c