Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
144s -
max time network
145s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
29/09/2024, 08:43
Static task
static1
Behavioral task
behavioral1
Sample
fe29bcf53ea50159802f6370db7f7d19_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
fe29bcf53ea50159802f6370db7f7d19_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
fe29bcf53ea50159802f6370db7f7d19_JaffaCakes118.exe
-
Size
728KB
-
MD5
fe29bcf53ea50159802f6370db7f7d19
-
SHA1
f3b20f6a4841e8fbda2123fdd6b97ffabe23b419
-
SHA256
c92c1c794a4a01ada14a4b77d004c809d8add118654139d7c6d9d5fbd080b0d0
-
SHA512
5121516bcfc8697ee9804e8af85571041625b7f31b6bb12f23e0a189188e6e510122666d400290e10d464d4bf728543989303b26ece3a5cf732a582075d15ec1
-
SSDEEP
12288:z2/I3CMZC4u8YBbY5zgHWHmt8qM3mmcKDgGeItoEc9GspWZhASRXHYnrmM:z2QSmCrmgHCmKqM3kKlFtov9GsqRXHYP
Malware Config
Signatures
-
Modifies Windows Firewall 2 TTPs 2 IoCs
pid Process 2372 netsh.exe 2340 netsh.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fe29bcf53ea50159802f6370db7f7d19_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe -
Suspicious use of WriteProcessMemory 24 IoCs
description pid Process procid_target PID 2528 wrote to memory of 2396 2528 fe29bcf53ea50159802f6370db7f7d19_JaffaCakes118.exe 30 PID 2528 wrote to memory of 2396 2528 fe29bcf53ea50159802f6370db7f7d19_JaffaCakes118.exe 30 PID 2528 wrote to memory of 2396 2528 fe29bcf53ea50159802f6370db7f7d19_JaffaCakes118.exe 30 PID 2528 wrote to memory of 2396 2528 fe29bcf53ea50159802f6370db7f7d19_JaffaCakes118.exe 30 PID 2528 wrote to memory of 2408 2528 fe29bcf53ea50159802f6370db7f7d19_JaffaCakes118.exe 32 PID 2528 wrote to memory of 2408 2528 fe29bcf53ea50159802f6370db7f7d19_JaffaCakes118.exe 32 PID 2528 wrote to memory of 2408 2528 fe29bcf53ea50159802f6370db7f7d19_JaffaCakes118.exe 32 PID 2528 wrote to memory of 2408 2528 fe29bcf53ea50159802f6370db7f7d19_JaffaCakes118.exe 32 PID 2528 wrote to memory of 2964 2528 fe29bcf53ea50159802f6370db7f7d19_JaffaCakes118.exe 34 PID 2528 wrote to memory of 2964 2528 fe29bcf53ea50159802f6370db7f7d19_JaffaCakes118.exe 34 PID 2528 wrote to memory of 2964 2528 fe29bcf53ea50159802f6370db7f7d19_JaffaCakes118.exe 34 PID 2528 wrote to memory of 2964 2528 fe29bcf53ea50159802f6370db7f7d19_JaffaCakes118.exe 34 PID 2964 wrote to memory of 2372 2964 cmd.exe 36 PID 2964 wrote to memory of 2372 2964 cmd.exe 36 PID 2964 wrote to memory of 2372 2964 cmd.exe 36 PID 2964 wrote to memory of 2372 2964 cmd.exe 36 PID 2528 wrote to memory of 2472 2528 fe29bcf53ea50159802f6370db7f7d19_JaffaCakes118.exe 37 PID 2528 wrote to memory of 2472 2528 fe29bcf53ea50159802f6370db7f7d19_JaffaCakes118.exe 37 PID 2528 wrote to memory of 2472 2528 fe29bcf53ea50159802f6370db7f7d19_JaffaCakes118.exe 37 PID 2528 wrote to memory of 2472 2528 fe29bcf53ea50159802f6370db7f7d19_JaffaCakes118.exe 37 PID 2472 wrote to memory of 2340 2472 cmd.exe 39 PID 2472 wrote to memory of 2340 2472 cmd.exe 39 PID 2472 wrote to memory of 2340 2472 cmd.exe 39 PID 2472 wrote to memory of 2340 2472 cmd.exe 39
Processes
-
C:\Users\Admin\AppData\Local\Temp\fe29bcf53ea50159802f6370db7f7d19_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\fe29bcf53ea50159802f6370db7f7d19_JaffaCakes118.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir "C:\Users\Admin\AppData\Local\DirectDownloader"2⤵
- System Location Discovery: System Language Discovery
PID:2396
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C echo ifms > "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe"2⤵
- System Location Discovery: System Language Discovery
PID:2408
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe"3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2372
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe" "DirectDownloader" ENABLE2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\DirectDownloader\directdownloader.exe" "DirectDownloader" ENABLE3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2340
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1