Analysis
- max time kernel: 120s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 28/09/2024, 07:18
Behavioral task: behavioral1
- Sample: fbc7518bbfc4711c6ae1972891dbe7c6_JaffaCakes118.exe
- Resource: win7-20240729-en
General
- Target: fbc7518bbfc4711c6ae1972891dbe7c6_JaffaCakes118.exe
- Size: 295KB
- MD5: fbc7518bbfc4711c6ae1972891dbe7c6
- SHA1: ba97f5844951faa501eca586b7e5bf62b1a87667
- SHA256: cd57d3a1736fa1a9a7fc25c8d3911a076d5ce1b65876cb65695d0a00bcec4452
- SHA512: 971204ff507a2fd479a767536db0fa6ca28a5805c6e632c4c020dd59b351c6457a0b76c5104304d38369bffcc0bc1a49e5fc88b87c5aaebd76de8285ac5d7985
- SSDEEP: 3072:uOXpHv1O0dCoutpmN32wePesy9B10l4LGIkTMjr7bY3SK9ydtL7qm8GmNCcEmAYs:XpvCoSwLLlqM/Y876m8aqWVZuo
Malware Config
Signatures
UAC bypass
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (regedit.exe)
Drops file in Drivers directory 1 IoCs
- File opened for modification: C:\Windows\system32\drivers\etc\hosts (cmd.exe)
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
- PID 328: attrib.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 1 IoCs
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Wifi Tecnhologies = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mssgnr.exe" (reg.exe)
YARA rule matches (resource / yara_rule)
- behavioral1/memory/2748-0-0x0000000000400000-0x000000000049C000-memory.dmp: upx
- behavioral1/memory/2748-24-0x0000000000400000-0x000000000049C000-memory.dmp: upx
- behavioral1/memory/2748-165-0x0000000000400000-0x000000000049C000-memory.dmp: upx
Drops file in Program Files directory 2 IoCs
- File opened for modification: C:\Program Files\Java\jre7\lib\security\java.policy (cmd.exe)
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\java.policy (cmd.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 22 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
All 22 IoCs are "Key opened" events on the same key, \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by the following processes:
- cmd.exe (9)
- attrib.exe (4)
- find.exe (4)
- reg.exe (3)
- regedit.exe (1)
- fbc7518bbfc4711c6ae1972891dbe7c6_JaffaCakes118.exe (1)
Modifies registry key 1 TTPs 1 IoCs
- PID 2872: reg.exe
Runs .reg file with regedit 1 IoCs
- PID 1412: regedit.exe
Suspicious use of WriteProcessMemory 64 IoCs
Each parent/child pair below was recorded four times (16 distinct pairs, 64 IoCs in total):
- PID 2748 (fbc7518bbfc4711c6ae1972891dbe7c6_JaffaCakes118.exe) wrote to memory of PID 2648, procid_target 31
- PID 2648 (cmd.exe) wrote to memory of PID 2832, procid_target 33
- PID 2648 (cmd.exe) wrote to memory of PID 2400, procid_target 34
- PID 2648 (cmd.exe) wrote to memory of PID 2872, procid_target 35
- PID 2648 (cmd.exe) wrote to memory of PID 2792, procid_target 36
- PID 2792 (cmd.exe) wrote to memory of PID 2844, procid_target 37
- PID 2792 (cmd.exe) wrote to memory of PID 2548, procid_target 38
- PID 2648 (cmd.exe) wrote to memory of PID 2284, procid_target 39
- PID 2648 (cmd.exe) wrote to memory of PID 2660, procid_target 40
- PID 2660 (cmd.exe) wrote to memory of PID 1896, procid_target 41
- PID 2660 (cmd.exe) wrote to memory of PID 2580, procid_target 42
- PID 2648 (cmd.exe) wrote to memory of PID 2820, procid_target 43
- PID 2648 (cmd.exe) wrote to memory of PID 2536, procid_target 44
- PID 2536 (cmd.exe) wrote to memory of PID 2544, procid_target 45
- PID 2536 (cmd.exe) wrote to memory of PID 3056, procid_target 46
- PID 2648 (cmd.exe) wrote to memory of PID 2836, procid_target 47
Views/modifies file attributes 1 TTPs 4 IoCs
- PID 2284: attrib.exe
- PID 2820: attrib.exe
- PID 2592: attrib.exe
- PID 328: attrib.exe
Processes (depth in brackets, children indented under their parent)

[1] C:\Users\Admin\AppData\Local\Temp\fbc7518bbfc4711c6ae1972891dbe7c6_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\fbc7518bbfc4711c6ae1972891dbe7c6_JaffaCakes118.exe"
    PID: 2748
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\F586.tmp\antimalware.bat" "
        PID: 2648
        - Drops file in Drivers directory
        - Drops file in Program Files directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\reg.exe
            Command line: reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "Wifi Tecnhologies" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\mssgnr.exe" /f
            PID: 2832
            - Adds Run key to start application
            - System Location Discovery: System Language Discovery

        [3] C:\Windows\SysWOW64\reg.exe
            Command line: C:\Windows\system32\reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings" /v "WarnonBadCertRecving" /t REG_DWORD /d "0x00000000" /f
            PID: 2400
            - System Location Discovery: System Language Discovery

        [3] C:\Windows\SysWOW64\reg.exe
            Command line: C:\Windows\system32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
            PID: 2872
            - UAC bypass
            - System Location Discovery: System Language Discovery
            - Modifies registry key

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c dir "\Users\Admin\.." /b /s | find "prefs.js"
            PID: 2792
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\cmd.exe
                Command line: C:\Windows\system32\cmd.exe /S /D /c" dir "\Users\Admin\.." /b /s "
                PID: 2844
                - System Location Discovery: System Language Discovery

            [4] C:\Windows\SysWOW64\find.exe
                Command line: find "prefs.js"
                PID: 2548
                - System Location Discovery: System Language Discovery

        [3] C:\Windows\SysWOW64\attrib.exe
            Command line: C:\Windows\system32\attrib.exe -r -a -s -h "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\prefs.js"
            PID: 2284
            - System Location Discovery: System Language Discovery
            - Views/modifies file attributes

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c dir "\Users\Admin\.." /b /s | find "prefs.js"
            PID: 2660
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\cmd.exe
                Command line: C:\Windows\system32\cmd.exe /S /D /c" dir "\Users\Admin\.." /b /s "
                PID: 1896
                - System Location Discovery: System Language Discovery

            [4] C:\Windows\SysWOW64\find.exe
                Command line: find "prefs.js"
                PID: 2580
                - System Location Discovery: System Language Discovery

        [3] C:\Windows\SysWOW64\attrib.exe
            Command line: C:\Windows\system32\attrib.exe -r -a -s -h "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\prefs.js"
            PID: 2820
            - System Location Discovery: System Language Discovery
            - Views/modifies file attributes

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c dir /b /s | find /i "java.policy"
            PID: 2536
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\cmd.exe
                Command line: C:\Windows\system32\cmd.exe /S /D /c" dir /b /s "
                PID: 2544
                - System Location Discovery: System Language Discovery

            [4] C:\Windows\SysWOW64\find.exe
                Command line: find /i "java.policy"
                PID: 3056
                - System Location Discovery: System Language Discovery

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c dir "C:\Program Files (x86)\" /b /s | find "mozalloc.dll"
            PID: 2836
            - System Location Discovery: System Language Discovery

            [4] C:\Windows\SysWOW64\cmd.exe
                Command line: C:\Windows\system32\cmd.exe /S /D /c" dir "C:\Program Files (x86)\" /b /s "
                PID: 2868
                - System Location Discovery: System Language Discovery

            [4] C:\Windows\SysWOW64\find.exe
                Command line: find "mozalloc.dll"
                PID: 2856
                - System Location Discovery: System Language Discovery

        [3] C:\Windows\SysWOW64\regedit.exe
            Command line: regedit /s "C:\Users\Admin\AppData\Roaming\Admin.reg"
            PID: 1412
            - UAC bypass
            - System Location Discovery: System Language Discovery
            - Runs .reg file with regedit

        [3] C:\Windows\SysWOW64\attrib.exe
            Command line: Attrib -r -s -h C:\Windows\system32\drivers\etc\hosts
            PID: 2592
            - System Location Discovery: System Language Discovery
            - Views/modifies file attributes

        [3] C:\Windows\SysWOW64\attrib.exe
            Command line: Attrib +r +h C:\Windows\system32\drivers\etc\hosts
            PID: 328
            - Sets file to hidden
            - System Location Discovery: System Language Discovery
            - Views/modifies file attributes
Network
MITRE ATT&CK Enterprise v15 (count of matching signatures in parentheses)
- Privilege Escalation
  - Abuse Elevation Control Mechanism (1)
    - Bypass User Account Control (1)
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
- Defense Evasion
  - Abuse Elevation Control Mechanism (1)
    - Bypass User Account Control (1)
  - Hide Artifacts (2)
    - Hidden Files and Directories (2)
  - Impair Defenses (1)
    - Disable or Modify Tools (1)
  - Modify Registry (3)
- Credential Access
  - Credentials from Password Stores (1)
    - Credentials from Web Browsers (1)
  - Unsecured Credentials (1)
    - Credentials In Files (1)
Downloads
- Filesize: 13KB
  MD5: a047b9925bfdbf4fd449fd81a72632f3
  SHA1: b03a2a30d5da0d8812edbbf6f76169ddd83edc51
  SHA256: 768d77e9c377b4742259ab797c03901db2dfcd41f14c9c0dfbac11c4589c0822
  SHA512: cf072e7e1f55c668d79048bb0b4249a2e6a3f86921960c722d62a1b2416cd9d1bc4766181b1670cb5e713b8d8875922c1b41741c52170f646a29e506eb700cd6
- Filesize: 841B
  MD5: 2e4d75b0fd4e7806f98459faa2e526e5
  SHA1: 26ce7c85a08542539c891a7fab03317d2b4109b9
  SHA256: ec76a4fb3ab546dcc49ba135d3e3bde64d185b484d487d26ccb867faf203b6c3
  SHA512: f721af6f4b4e1d419d258987c6de4b310b6998ec27a43093239a7e7e0922df56cb91898675024508702f19494fff4d8d1d61c4ae363fd579914312d371f9c00d
- Filesize: 6KB
  MD5: 67a335ac2ca2e72f0187e687b4be054d
  SHA1: 21a687a07cde31feb8d298ebf6c4dd8cd43fc3f0
  SHA256: a892f07aa263ff196610439a0a309abbf17e0b1a236d60338e3762cbd4eacbda
  SHA512: 0afc36883575171ef393a134d8b5fbae66e84a9aea030058e64c2f100e6bad63d2d313e402a0b4b0c7121dc62af8a9aa6940540159bbb29743464e2ba43e636b