Analysis
- max time kernel: 142s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 28/09/2024, 23:04
Behavioral task: behavioral1
- Sample: fd5264cc18e3667fc791b47fca75a7ae_JaffaCakes118.exe
- Resource: win7-20240903-en
General
- Target: fd5264cc18e3667fc791b47fca75a7ae_JaffaCakes118.exe
- Size: 1.8MB
- MD5: fd5264cc18e3667fc791b47fca75a7ae
- SHA1: a38aba26dd142be6aab2605a38e523cd17bc318b
- SHA256: cded0d1fb8f8892a03c3e345491b91a6a74d478b15d0b944ee1577d410c445ac
- SHA512: 0ca8cf9781660f26fdce5b02637146c2f6fe763c3c6dc0f6c807649f987a2fc6026a1bc315fc6bfe25789cf96af60f257c4ce1d19453e07dfdec8b2ea85936b6
- SSDEEP: 49152:XXLQ2SbDJKQvvwV968vqeyyt4j6p+kW1OMzlij8HVT:XbQPbDJKr/vF+j66ONYHx
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe" (process: SERVER.EXE)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe" (process: services.exe)
Adds policy Run key to start application (2 TTPs, 4 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (process: SERVER.EXE)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe" (process: SERVER.EXE)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (process: services.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe" (process: services.exe)
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 5 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\ (process: services.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe" (process: services.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y} (process: SERVER.EXE)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\ (process: SERVER.EXE)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe" (process: SERVER.EXE)

YARA rule match: aspack_v212_v242
- behavioral1/files/0x00070000000173a7-75.dat
Executes dropped EXE (4 IoCs)
- PID 2884: OIIIII.EXE
- PID 284: SERVER.EXE
- PID 2428: fservice.exe
- PID 764: services.exe
Identifies Wine through registry keys (2 TTPs, 2 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
- Key opened: \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine (process: fd5264cc18e3667fc791b47fca75a7ae_JaffaCakes118.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine (process: OIIIII.EXE)
Loads dropped DLL (7 IoCs)
- PID 284: SERVER.EXE
- PID 284: SERVER.EXE
- PID 764: services.exe
- PID 764: services.exe
- PID 2428: fservice.exe
- PID 284: SERVER.EXE
- PID 1660: WerFault.exe

YARA rule match: themida
- behavioral1/memory/2504-0-0x0000000000400000-0x00000000005D1000-memory.dmp
- behavioral1/memory/2504-7-0x0000000000400000-0x00000000005D1000-memory.dmp
- behavioral1/memory/2504-6-0x0000000000400000-0x00000000005D1000-memory.dmp
- behavioral1/files/0x0008000000016c51-20.dat
- behavioral1/memory/2504-25-0x0000000000400000-0x00000000005D1000-memory.dmp
- behavioral1/memory/2884-24-0x0000000000400000-0x0000000000514000-memory.dmp
- behavioral1/memory/2504-22-0x00000000050E0000-0x00000000051F4000-memory.dmp
- behavioral1/memory/2884-31-0x0000000000400000-0x0000000000514000-memory.dmp
- behavioral1/memory/2884-35-0x0000000000400000-0x0000000000514000-memory.dmp
- behavioral1/memory/2884-36-0x0000000000400000-0x0000000000514000-memory.dmp
- behavioral1/memory/2884-44-0x0000000000400000-0x0000000000514000-memory.dmp
- behavioral1/memory/2884-99-0x0000000004AD0000-0x0000000004CCC000-memory.dmp
Modifies WinLogon (2 TTPs, 2 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ (process: SERVER.EXE)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ (process: services.exe)
Drops file in System32 directory (7 IoCs)
- File opened for modification: C:\Windows\SysWOW64\fservice.exe (process: SERVER.EXE)
- File created: C:\Windows\SysWOW64\fservice.exe (process: fservice.exe)
- File opened for modification: C:\Windows\SysWOW64\fservice.exe (process: fservice.exe)
- File created: C:\Windows\SysWOW64\winkey.dll (process: services.exe)
- File created: C:\Windows\SysWOW64\reginv.dll (process: services.exe)
- File created: C:\Windows\SysWOW64\fservice.exe (process: services.exe)
- File created: C:\Windows\SysWOW64\fservice.exe (process: SERVER.EXE)
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
- PID 2504: fd5264cc18e3667fc791b47fca75a7ae_JaffaCakes118.exe
- PID 2884: OIIIII.EXE

YARA rule match: upx
- behavioral1/files/0x0007000000016cec-40.dat
- behavioral1/memory/284-47-0x0000000000400000-0x00000000005FC000-memory.dmp
- behavioral1/memory/2884-46-0x0000000004AD0000-0x0000000004CCC000-memory.dmp
- behavioral1/memory/2428-61-0x0000000000400000-0x00000000005FC000-memory.dmp
- behavioral1/memory/764-73-0x0000000000400000-0x00000000005FC000-memory.dmp
- behavioral1/memory/2428-93-0x0000000000400000-0x00000000005FC000-memory.dmp
- behavioral1/memory/284-95-0x0000000000400000-0x00000000005FC000-memory.dmp
- behavioral1/memory/764-100-0x0000000000400000-0x00000000005FC000-memory.dmp
Drops file in Windows directory (16 IoCs)
- File created: C:\Windows\OIIIII.EXE (process: fd5264cc18e3667fc791b47fca75a7ae_JaffaCakes118.exe)
- File created: C:\Windows\SERVER.EXE (process: OIIIII.EXE)
- File created: C:\Windows\system\sservice.exe (process: SERVER.EXE)
- File opened for modification: C:\Windows\system\sservice.exe (process: SERVER.EXE)
- File opened for modification: C:\Windows\system\sservice.exe (process: fservice.exe)
- File created: C:\Windows\GODOFREDO.JPG (process: fd5264cc18e3667fc791b47fca75a7ae_JaffaCakes118.exe)
- File created: C:\Windows\CSERVER.EXE (process: OIIIII.EXE)
- File created: C:\Windows\services.exe (process: fservice.exe)
- File created: C:\Windows\COIIIII.EXE (process: fd5264cc18e3667fc791b47fca75a7ae_JaffaCakes118.exe)
- File created: C:\Windows\SERVER.EXE.bat (process: SERVER.EXE)
- File opened for modification: C:\Windows\system\sservice.exe (process: services.exe)
- File created: C:\Windows\CGODOFREDO.JPG (process: fd5264cc18e3667fc791b47fca75a7ae_JaffaCakes118.exe)
- File opened for modification: C:\Windows\GODOFREDO.JPG (process: DllHost.exe)
- File opened for modification: C:\Windows\services.exe (process: fservice.exe)
- File created: C:\Windows\system\sservice.exe (process: fservice.exe)
- File created: C:\Windows\system\sservice.exe (process: services.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)
- PID 1660: WerFault.exe (pid_target: 764, procid_target: 34)
System Location Discovery: System Language Discovery (1 TTPs, 11 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (processes: cmd.exe, net1.exe, DllHost.exe, SERVER.EXE, fservice.exe, services.exe, NET.exe, NET.exe, net1.exe, fd5264cc18e3667fc791b47fca75a7ae_JaffaCakes118.exe, OIIIII.EXE)
Runs net.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
- PID 2504: fd5264cc18e3667fc791b47fca75a7ae_JaffaCakes118.exe
- PID 2884: OIIIII.EXE
- PID 764: services.exe
- PID 764: services.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
- PID 2800: DllHost.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
- PID 764: services.exe
- PID 764: services.exe
Suspicious use of WriteProcessMemory (40 IoCs; each distinct write below is recorded 4 times in the raw log)
- PID 2504 (fd5264cc18e3667fc791b47fca75a7ae_JaffaCakes118.exe) wrote to memory of PID 2884 (procid_target 31)
- PID 2884 (OIIIII.EXE) wrote to memory of PID 284 (procid_target 32)
- PID 284 (SERVER.EXE) wrote to memory of PID 2428 (procid_target 33)
- PID 2428 (fservice.exe) wrote to memory of PID 764 (procid_target 34)
- PID 764 (services.exe) wrote to memory of PID 1684 (procid_target 35)
- PID 764 (services.exe) wrote to memory of PID 1644 (procid_target 36)
- PID 284 (SERVER.EXE) wrote to memory of PID 2916 (procid_target 39)
- PID 1684 (NET.exe) wrote to memory of PID 492 (procid_target 40)
- PID 1644 (NET.exe) wrote to memory of PID 1044 (procid_target 41)
- PID 764 (services.exe) wrote to memory of PID 1660 (procid_target 43)
Processes
- C:\Users\Admin\AppData\Local\Temp\fd5264cc18e3667fc791b47fca75a7ae_JaffaCakes118.exe (PID 2504)
  Command line: "C:\Users\Admin\AppData\Local\Temp\fd5264cc18e3667fc791b47fca75a7ae_JaffaCakes118.exe"
  Signatures: Identifies Wine through registry keys; Suspicious use of NtSetInformationThreadHideFromDebugger; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\OIIIII.EXE (PID 2884)
    Command line: "C:\Windows\OIIIII.EXE"
    Signatures: Executes dropped EXE; Identifies Wine through registry keys; Suspicious use of NtSetInformationThreadHideFromDebugger; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\SERVER.EXE (PID 284)
      Command line: "C:\Windows\SERVER.EXE"
      Signatures: Modifies WinLogon for persistence; Adds policy Run key to start application; Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Loads dropped DLL; Modifies WinLogon; Drops file in System32 directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\fservice.exe (PID 2428)
        Command line: C:\Windows\system32\fservice.exe
        Signatures: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Windows\services.exe (PID 764)
          Command line: C:\Windows\services.exe -XP
          Signatures: Modifies WinLogon for persistence; Adds policy Run key to start application; Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Loads dropped DLL; Modifies WinLogon; Drops file in System32 directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\NET.exe (PID 1684)
            Command line: NET STOP srservice
            Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
            - C:\Windows\SysWOW64\net1.exe (PID 492)
              Command line: C:\Windows\system32\net1 STOP srservice
              Signatures: System Location Discovery: System Language Discovery
          - C:\Windows\SysWOW64\NET.exe (PID 1644)
            Command line: NET STOP navapsvc
            Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
            - C:\Windows\SysWOW64\net1.exe (PID 1044)
              Command line: C:\Windows\system32\net1 STOP navapsvc
              Signatures: System Location Discovery: System Language Discovery
          - C:\Windows\SysWOW64\WerFault.exe (PID 1660)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 572
            Signatures: Loads dropped DLL; Program crash
      - C:\Windows\SysWOW64\cmd.exe (PID 2916)
        Command line: cmd /c C:\Windows\SERVER.EXE.bat
        Signatures: System Location Discovery: System Language Discovery
- C:\Windows\SysWOW64\DllHost.exe (PID 2800)
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  Signatures: Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (4)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (2)
Privilege Escalation
- Boot or Logon Autostart Execution (4)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (2)
Downloads