Analysis
- max time kernel: 150s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 27/09/2024, 16:14
Static task
- static1
Behavioral task
- behavioral1
  - Sample: fababf22438aec1aaf0a3369babce8a2_JaffaCakes118.exe
  - Resource: win7-20240903-en
Behavioral task
- behavioral2
  - Sample: fababf22438aec1aaf0a3369babce8a2_JaffaCakes118.exe
  - Resource: win10v2004-20240802-en
General
- Target: fababf22438aec1aaf0a3369babce8a2_JaffaCakes118.exe
- Size: 62KB
- MD5: fababf22438aec1aaf0a3369babce8a2
- SHA1: 77b5fa4ed2b2830821ec4c1fb536970dc6122108
- SHA256: f61ad38a058d71dccc6ed18ba2cb065accb4420eef38d39afa94e4068329a9be
- SHA512: 67eea8d25fb068b5fdbf776953df8ccd78a2a9dde52acef027087d772aab87feaf8e8ed6ecd0e53eb9ca57b41e478d4f178ecf807eb00089e2bedb73c4e9a448
- SSDEEP: 768:wfzNyAGva4H7sDGvXSqZtc4HBSw8+CPRR0X5rIVdshMgEN/IuTWl9U7:SyAVDGvXSmnHBSwCORMIdENRG9U7
Malware Config
Signatures
- Deletes itself (1 IoC)
  - pid 852, cmd.exe
- Executes dropped EXE (1 IoC)
  - pid 3028, panel.exe
- Loads dropped DLL (2 IoCs)
  - pid 1716, fababf22438aec1aaf0a3369babce8a2_JaffaCakes118.exe (2 events)
- Adds Run key to start application (2 TTPs, 1 IoC)
  - Set value (str): \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\panel = "C:\\Users\\Admin\\AppData\\Roaming\\panel\\panel.exe -b" (process: fababf22438aec1aaf0a3369babce8a2_JaffaCakes118.exe)
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: fababf22438aec1aaf0a3369babce8a2_JaffaCakes118.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: panel.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cmd.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  - pid 3028, panel.exe (64 events)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  - Token: SeDebugPrivilege, pid 1716, fababf22438aec1aaf0a3369babce8a2_JaffaCakes118.exe
  - Token: SeDebugPrivilege, pid 3028, panel.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  - pid 1716, fababf22438aec1aaf0a3369babce8a2_JaffaCakes118.exe
  - pid 3028, panel.exe
- Suspicious use of WriteProcessMemory (52 IoCs)
  - PID 1716 (fababf22438aec1aaf0a3369babce8a2_JaffaCakes118.exe) wrote to memory of 3028 (procid_target 31): 4 events
  - PID 1716 (fababf22438aec1aaf0a3369babce8a2_JaffaCakes118.exe) wrote to memory of 852 (procid_target 32): 4 events
  - PID 3028 (panel.exe) wrote to memory of 1188 (procid_target 21): remaining 44 events
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1188
  - C:\Users\Admin\AppData\Local\Temp\fababf22438aec1aaf0a3369babce8a2_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\fababf22438aec1aaf0a3369babce8a2_JaffaCakes118.exe"
    PID: 1716
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\panel\panel.exe
      Command line: C:\Users\Admin\AppData\Roaming\panel\panel.exe -b
      PID: 3028
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of UnmapMainImage
      - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c "C:\Users\Admin\AppData\Roaming\panel\upd.bat"
      PID: 852
      - Deletes itself
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  - MD5: fbe3f84e2e75387a01b6abcad115d301
  - SHA1: 38715105ed8ba2e8e970af3832af045946c5c9d3
  - SHA256: a8514ae40b573c4449d685da219c7a1e1d70d306df14a797b764c7b489aa685f
  - SHA512: 2e67b6ba9bd7aa7647db1a952721dfaaf34a929cc4118cee5c3c42f55ae0b0322b3c8ae467e3cda5978a34313a1dcdd2b8395cccb6b1b069e4e7f93502d38563
- Filesize: 62KB
  - MD5: fababf22438aec1aaf0a3369babce8a2
  - SHA1: 77b5fa4ed2b2830821ec4c1fb536970dc6122108
  - SHA256: f61ad38a058d71dccc6ed18ba2cb065accb4420eef38d39afa94e4068329a9be
  - SHA512: 67eea8d25fb068b5fdbf776953df8ccd78a2a9dde52acef027087d772aab87feaf8e8ed6ecd0e53eb9ca57b41e478d4f178ecf807eb00089e2bedb73c4e9a448