Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 28/09/2024, 02:32
Static task
- static1
Behavioral tasks
- behavioral1: sample fb5500c06ed22a52c1ed34dc2b4c5372_JaffaCakes118.exe, resource win7-20240903-en
- behavioral2: sample fb5500c06ed22a52c1ed34dc2b4c5372_JaffaCakes118.exe, resource win10v2004-20240802-en
General
- Target: fb5500c06ed22a52c1ed34dc2b4c5372_JaffaCakes118.exe
- Size: 305KB
- MD5: fb5500c06ed22a52c1ed34dc2b4c5372
- SHA1: 9a3574f6e77eba9f22aca8bc09a1cc0dadb86009
- SHA256: 8ca4b47ae9a0fad5b1aa4b3a2e368fa0938491945a70b888c5c4114914efe7d6
- SHA512: e64687367b6ea1d6072d867214f1e59173661b0f62c310ec02097f2b17ff74d8bcdf7fe8c934811b8bd8442c25f7d0d475452e3bbec6b2a7f48343cde02e0df9
- SSDEEP: 6144:5GSztT72Y0SfzinYKTY1SQshfRPVQe1MZkIYSccr7wbstObPECYeixlYGicUn:5Gqh7SSGYsY1UMqMZJYSN7wbstOb8fvY
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 2532, process cmd.exe
- Executes dropped EXE (1 IoC)
  pid 2156, process neypor.exe
- Loads dropped DLL (1 IoC)
  pid 2868, process fb5500c06ed22a52c1ed34dc2b4c5372_JaffaCakes118.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\{D9E5F948-3C80-AD4F-E7F9-6BD2C10548CF} = "C:\\Users\\Admin\\AppData\\Roaming\\Ledox\\neypor.exe" (process neypor.exe)
- Suspicious use of SetThreadContext (1 IoC)
  PID 2868 set thread context of 2532; pid 2868, process fb5500c06ed22a52c1ed34dc2b4c5372_JaffaCakes118.exe, procid_target 29
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process fb5500c06ed22a52c1ed34dc2b4c5372_JaffaCakes118.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process neypor.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process cmd.exe)
- Modifies Internet Explorer settings (2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Privacy (process fb5500c06ed22a52c1ed34dc2b4c5372_JaffaCakes118.exe)
  Set value (int): \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0" (process fb5500c06ed22a52c1ed34dc2b4c5372_JaffaCakes118.exe)
- Suspicious behavior: EnumeratesProcesses (31 IoCs)
  pid 2156, process neypor.exe (31 identical entries)
- Suspicious use of WriteProcessMemory (43 IoCs, listed once per distinct source/target pair with the number of repeated entries)
  PID 2868 wrote to memory of 2156; process fb5500c06ed22a52c1ed34dc2b4c5372_JaffaCakes118.exe, procid_target 28 (4 entries)
  PID 2156 wrote to memory of 1104; process neypor.exe, procid_target 19 (5 entries)
  PID 2156 wrote to memory of 1156; process neypor.exe, procid_target 20 (5 entries)
  PID 2156 wrote to memory of 1184; process neypor.exe, procid_target 21 (5 entries)
  PID 2156 wrote to memory of 1176; process neypor.exe, procid_target 23 (5 entries)
  PID 2156 wrote to memory of 2868; process neypor.exe, procid_target 27 (5 entries)
  PID 2868 wrote to memory of 2532; process fb5500c06ed22a52c1ed34dc2b4c5372_JaffaCakes118.exe, procid_target 29 (9 entries)
  PID 2156 wrote to memory of 3048; process neypor.exe, procid_target 33 (5 entries)
Processes
- C:\Windows\system32\taskhost.exe (command line: "taskhost.exe"), depth 1, PID 1104
- C:\Windows\system32\Dwm.exe (command line: "C:\Windows\system32\Dwm.exe"), depth 1, PID 1156
- C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE), depth 1, PID 1184
  - C:\Users\Admin\AppData\Local\Temp\fb5500c06ed22a52c1ed34dc2b4c5372_JaffaCakes118.exe (command line: "C:\Users\Admin\AppData\Local\Temp\fb5500c06ed22a52c1ed34dc2b4c5372_JaffaCakes118.exe"), depth 2, PID 2868
    Signatures: Loads dropped DLL; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Modifies Internet Explorer settings; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Ledox\neypor.exe (command line: "C:\Users\Admin\AppData\Roaming\Ledox\neypor.exe"), depth 3, PID 2156
      Signatures: Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp7d5a16e5.bat"), depth 3, PID 2532
      Signatures: Deletes itself; System Location Discovery: System Language Discovery
- C:\Windows\system32\DllHost.exe (command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}), depth 1, PID 1176
- C:\Windows\system32\DllHost.exe (command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}), depth 1, PID 3048
Network
MITRE ATT&CK Enterprise v15
Downloads
- File 1
  Filesize: 271B
  MD5: 14ad625cfe9ee69fe94ecc445feb0a8b
  SHA1: 847c62435eb33b1bb7c093c594c47a011e97823a
  SHA256: 3e578f14f580438a1cf21563c7a4dfe31e23a03d0c6d010363a83121217ad65e
  SHA512: afa58afb5c269f7080b3aa31555b020b0887dc7f8374406bbb1ea944ef72494c56310174fbf9eb91ad9765033ef7a0828ca2e15a33b5915ad7d64d5a6d88fceb
- File 2
  Filesize: 305KB
  MD5: 6ec4e34729d9e550fcde1918b4209b17
  SHA1: 97df85fde5834452bde49926b9d35e07721e7932
  SHA256: bac97ecd56f3eb53a59a4b9aa33df7a7b5fbe3a8ac484674e3a59aa4ef296dad
  SHA512: abe6ede9ae80ae79a3154efc2d977080e3ff8c18b2d9c939766eca96445695613a6cf387d95e09ae1ca19b0d0039c92fd1b2740956751475d9d3cea7385e3806