Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
140s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
29/09/2024, 03:31
Static task
static1
Behavioral task
behavioral1
Sample
fdb7408c370b3778fd7cffcb02116ba1_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
fdb7408c370b3778fd7cffcb02116ba1_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
fdb7408c370b3778fd7cffcb02116ba1_JaffaCakes118.exe
-
Size
284KB
-
MD5
fdb7408c370b3778fd7cffcb02116ba1
-
SHA1
d597e2d622017f2091b7abb657b85498ae12f8ca
-
SHA256
2a96a8f20bb83a4bdcb425fbd15b8217e941f030951d230e790bed786d42758e
-
SHA512
c996a0ee7e6f60783c4e15d4e039514601cd5ad8ea2d3943b14caa2a42649b578bada3c1cbd0a964849383118107e3c3ed358b49300ea69173ccbbdaffebb0b2
-
SSDEEP
6144:V0lJsa0dPA4NNXw0hlx1qepW2cV4/LoDgCJM9/fACv:+DzklN9zx1qGMV4/LT79Zv
Malware Config
Signatures
-
Modifies security service 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3" fdb7408c370b3778fd7cffcb02116ba1_JaffaCakes118.exe -
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Disables taskbar notifications via registry modification
-
Executes dropped EXE 1 IoCs
pid Process 1744 52A2.tmp -
Loads dropped DLL 2 IoCs
pid Process 2408 fdb7408c370b3778fd7cffcb02116ba1_JaffaCakes118.exe 2408 fdb7408c370b3778fd7cffcb02116ba1_JaffaCakes118.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\F8C.exe = "C:\\Program Files (x86)\\LP\\EA3C\\F8C.exe" fdb7408c370b3778fd7cffcb02116ba1_JaffaCakes118.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
resource yara_rule behavioral1/memory/2408-2-0x0000000000400000-0x000000000046B000-memory.dmp upx behavioral1/memory/2408-11-0x0000000000400000-0x000000000046B000-memory.dmp upx behavioral1/memory/2408-14-0x0000000000400000-0x0000000000468000-memory.dmp upx behavioral1/memory/1824-17-0x0000000000400000-0x000000000046B000-memory.dmp upx behavioral1/memory/1824-16-0x0000000000400000-0x000000000046B000-memory.dmp upx behavioral1/memory/2408-121-0x0000000000400000-0x000000000046B000-memory.dmp upx behavioral1/memory/1448-124-0x0000000000400000-0x000000000046B000-memory.dmp upx behavioral1/memory/1448-126-0x0000000000400000-0x000000000046B000-memory.dmp upx behavioral1/memory/2408-301-0x0000000000400000-0x000000000046B000-memory.dmp upx behavioral1/memory/2408-305-0x0000000000400000-0x000000000046B000-memory.dmp upx -
Drops file in Program Files directory 3 IoCs
description ioc Process File created C:\Program Files (x86)\LP\EA3C\F8C.exe fdb7408c370b3778fd7cffcb02116ba1_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\LP\EA3C\F8C.exe fdb7408c370b3778fd7cffcb02116ba1_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\LP\EA3C\52A2.tmp fdb7408c370b3778fd7cffcb02116ba1_JaffaCakes118.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fdb7408c370b3778fd7cffcb02116ba1_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 52A2.tmp -
Modifies registry class 5 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid Process 2408 fdb7408c370b3778fd7cffcb02116ba1_JaffaCakes118.exe 2408 fdb7408c370b3778fd7cffcb02116ba1_JaffaCakes118.exe 2408 fdb7408c370b3778fd7cffcb02116ba1_JaffaCakes118.exe 2408 fdb7408c370b3778fd7cffcb02116ba1_JaffaCakes118.exe 2408 fdb7408c370b3778fd7cffcb02116ba1_JaffaCakes118.exe 2408 fdb7408c370b3778fd7cffcb02116ba1_JaffaCakes118.exe 2408 fdb7408c370b3778fd7cffcb02116ba1_JaffaCakes118.exe 2408 fdb7408c370b3778fd7cffcb02116ba1_JaffaCakes118.exe 2408 fdb7408c370b3778fd7cffcb02116ba1_JaffaCakes118.exe 2408 fdb7408c370b3778fd7cffcb02116ba1_JaffaCakes118.exe 2408 fdb7408c370b3778fd7cffcb02116ba1_JaffaCakes118.exe 2408 fdb7408c370b3778fd7cffcb02116ba1_JaffaCakes118.exe 2408 fdb7408c370b3778fd7cffcb02116ba1_JaffaCakes118.exe 2408 fdb7408c370b3778fd7cffcb02116ba1_JaffaCakes118.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 748 explorer.exe -
Suspicious use of AdjustPrivilegeToken 15 IoCs
description pid Process Token: SeRestorePrivilege 2428 msiexec.exe Token: SeTakeOwnershipPrivilege 2428 msiexec.exe Token: SeSecurityPrivilege 2428 msiexec.exe Token: SeShutdownPrivilege 748 explorer.exe Token: SeShutdownPrivilege 748 explorer.exe Token: SeShutdownPrivilege 748 explorer.exe Token: SeShutdownPrivilege 748 explorer.exe Token: SeShutdownPrivilege 748 explorer.exe Token: SeShutdownPrivilege 748 explorer.exe Token: SeShutdownPrivilege 748 explorer.exe Token: SeShutdownPrivilege 748 explorer.exe Token: SeShutdownPrivilege 748 explorer.exe Token: SeShutdownPrivilege 748 explorer.exe Token: SeShutdownPrivilege 748 explorer.exe Token: SeShutdownPrivilege 748 explorer.exe -
Suspicious use of FindShellTrayWindow 28 IoCs
pid Process 748 explorer.exe 748 explorer.exe 748 explorer.exe 748 explorer.exe 748 explorer.exe 748 explorer.exe 748 explorer.exe 748 explorer.exe 748 explorer.exe 748 explorer.exe 748 explorer.exe 748 explorer.exe 748 explorer.exe 748 explorer.exe 748 explorer.exe 748 explorer.exe 748 explorer.exe 748 explorer.exe 748 explorer.exe 748 explorer.exe 748 explorer.exe 748 explorer.exe 748 explorer.exe 748 explorer.exe 748 explorer.exe 748 explorer.exe 748 explorer.exe 748 explorer.exe -
Suspicious use of SendNotifyMessage 22 IoCs
pid Process 748 explorer.exe 748 explorer.exe 748 explorer.exe 748 explorer.exe 748 explorer.exe 748 explorer.exe 748 explorer.exe 748 explorer.exe 748 explorer.exe 748 explorer.exe 748 explorer.exe 748 explorer.exe 748 explorer.exe 748 explorer.exe 748 explorer.exe 748 explorer.exe 748 explorer.exe 748 explorer.exe 748 explorer.exe 748 explorer.exe 748 explorer.exe 748 explorer.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2408 wrote to memory of 1824 2408 fdb7408c370b3778fd7cffcb02116ba1_JaffaCakes118.exe 32 PID 2408 wrote to memory of 1824 2408 fdb7408c370b3778fd7cffcb02116ba1_JaffaCakes118.exe 32 PID 2408 wrote to memory of 1824 2408 fdb7408c370b3778fd7cffcb02116ba1_JaffaCakes118.exe 32 PID 2408 wrote to memory of 1824 2408 fdb7408c370b3778fd7cffcb02116ba1_JaffaCakes118.exe 32 PID 2408 wrote to memory of 1448 2408 fdb7408c370b3778fd7cffcb02116ba1_JaffaCakes118.exe 34 PID 2408 wrote to memory of 1448 2408 fdb7408c370b3778fd7cffcb02116ba1_JaffaCakes118.exe 34 PID 2408 wrote to memory of 1448 2408 fdb7408c370b3778fd7cffcb02116ba1_JaffaCakes118.exe 34 PID 2408 wrote to memory of 1448 2408 fdb7408c370b3778fd7cffcb02116ba1_JaffaCakes118.exe 34 PID 2408 wrote to memory of 1744 2408 fdb7408c370b3778fd7cffcb02116ba1_JaffaCakes118.exe 37 PID 2408 wrote to memory of 1744 2408 fdb7408c370b3778fd7cffcb02116ba1_JaffaCakes118.exe 37 PID 2408 wrote to memory of 1744 2408 fdb7408c370b3778fd7cffcb02116ba1_JaffaCakes118.exe 37 PID 2408 wrote to memory of 1744 2408 fdb7408c370b3778fd7cffcb02116ba1_JaffaCakes118.exe 37 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer fdb7408c370b3778fd7cffcb02116ba1_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" fdb7408c370b3778fd7cffcb02116ba1_JaffaCakes118.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\fdb7408c370b3778fd7cffcb02116ba1_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\fdb7408c370b3778fd7cffcb02116ba1_JaffaCakes118.exe"1⤵
- Modifies security service
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2408 -
C:\Users\Admin\AppData\Local\Temp\fdb7408c370b3778fd7cffcb02116ba1_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\fdb7408c370b3778fd7cffcb02116ba1_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\C2379\ACAEA.exe%C:\Users\Admin\AppData\Roaming\C23792⤵PID:1824
-
-
C:\Users\Admin\AppData\Local\Temp\fdb7408c370b3778fd7cffcb02116ba1_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\fdb7408c370b3778fd7cffcb02116ba1_JaffaCakes118.exe startC:\Program Files (x86)\7907B\lvvm.exe%C:\Program Files (x86)\7907B2⤵PID:1448
-
-
C:\Program Files (x86)\LP\EA3C\52A2.tmp"C:\Program Files (x86)\LP\EA3C\52A2.tmp"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1744
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2428
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:748
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
996B
MD52dee27ea64735073478fab7493762a6e
SHA190b7e8c63ff61fdfad8c2da484ce6ffc3c063d74
SHA256153cf3dab669512ab3fbf0a2ca588d463a95368f20e2dea5454f5f35de4443da
SHA512d3e868691ccd9cd9fe28eb65815642037cfa9871ec82743d1ef575526677d8451af58f3197570d268eea64bb8958dcd2787fce75aa99829079419b350b8c43d5
-
Filesize
600B
MD58a436c51395b4fe30722fd74c95e9553
SHA12cb3b5c9eb02b72672ba33b4c3b883f1afb12049
SHA256d2a7e68205c0a40df7e40446fa3ab9f6367166658921ac139b2701633f072f2b
SHA5129d62db5f74a988ee2137ce9dfcc0bca9a33a17fe1ab4e66325a6255bd5b94435da1dce2020e437c4372fba5d5569037f4c9257bb1bf45db329a1758361a299ba
-
Filesize
1KB
MD5a6b56ff41abd1b5f3dcec7c20f7d978a
SHA133b2c5f8d1353ca446d30bd241374499459e9b18
SHA2568b593678b2aaa584f0ff61a5f4c6af7d63817add011fb72135afddbf5f82433d
SHA5128e57be0a114b7354590932ed0d1d9c6c87af6b88f17f3ee5db876947360f2a8180527f92a8787f22162443f0523b96f81798e3a1636b0d43c22b895dc7938eb0
-
Filesize
101KB
MD51cec7ecd2bbbcc39e9dbcab83d7d67cf
SHA113a0cb757993e63c2b360c9ce1f17a3aac342ffe
SHA2565d767de0b9378b94cf82683458078a385989098464566fbb92b48c4bab435d20
SHA5126fd95f2fd2918ae66b420044fc1da82b1724d615c6d71cae2533a37e0851a99f20aaf7b360fa5059b6b67b414dbc7e023f1f5e86eab25f20ade834e501e6a39c