Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
70s -
max time network
76s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
29/09/2024, 14:38
Static task
static1
Behavioral task
behavioral1
Sample
febce9dd232edef84421fddcced6333c_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
febce9dd232edef84421fddcced6333c_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
febce9dd232edef84421fddcced6333c_JaffaCakes118.exe
-
Size
348KB
-
MD5
febce9dd232edef84421fddcced6333c
-
SHA1
e0d243d149472ad327a632437646a23dc255b9ad
-
SHA256
66e30e36ce6fdcc08145b3397f6d16b68d7982467dff0358df205f225429bc24
-
SHA512
fe7a861940003fd0c122b07aa9bf1dedad449f4997e4c7b756c480753a791026e5600de1472b1afd94c9c863048a81f9592f76ed651537c6a73e961d19bd76f8
-
SSDEEP
6144:k7DDeAlkoCGv2Uso35Uo2lQQ0GLSja8h8rUY0FFNyLlgQ/jI61UCz3yJhVN7wzrb:EDDGRslHGDzSjaCrNypjJOAKh0zrb
Malware Config
Signatures
-
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\SysWOW64\drivers\atmapi.sys report.exe -
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Software\Wow6432Node\VMware, Inc.\VMware Tools report.exe -
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 2972 netsh.exe -
Executes dropped EXE 1 IoCs
pid Process 2416 report.exe -
Loads dropped DLL 3 IoCs
pid Process 664 febce9dd232edef84421fddcced6333c_JaffaCakes118.exe 664 febce9dd232edef84421fddcced6333c_JaffaCakes118.exe 2416 report.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\31A9B33367B14595D678F27C2AE44B3698CA19553A964D68BF3A19D07D2A45A1 = "\"c:\\users\\admin\\appdata\\roaming\\microsoft\\internet explorer\\report.exe\"" febce9dd232edef84421fddcced6333c_JaffaCakes118.exe Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\31A9B33367B14595D678F27C2AE44B3698CA19553A964D68BF3A19D07D2A45A1 = "\"c:\\users\\admin\\appdata\\roaming\\microsoft\\internet explorer\\report.exe\"" report.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language febce9dd232edef84421fddcced6333c_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language report.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WMIC.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2416 report.exe 2416 report.exe 2416 report.exe 2416 report.exe 2416 report.exe 2416 report.exe 2416 report.exe 2416 report.exe 2416 report.exe 2416 report.exe 2416 report.exe 2416 report.exe 2416 report.exe 2416 report.exe 2416 report.exe 2416 report.exe 2416 report.exe 2416 report.exe 2416 report.exe 2416 report.exe 2416 report.exe 2416 report.exe 2416 report.exe 2416 report.exe 2416 report.exe 2416 report.exe 2416 report.exe 2416 report.exe 2416 report.exe 2416 report.exe 2416 report.exe 2416 report.exe 2416 report.exe 2416 report.exe 2416 report.exe 2416 report.exe 2416 report.exe 2416 report.exe 2416 report.exe 2416 report.exe 2416 report.exe 2416 report.exe 2416 report.exe 2416 report.exe 2416 report.exe 2416 report.exe 2416 report.exe 2416 report.exe 2416 report.exe 2416 report.exe 2416 report.exe 2416 report.exe 2416 report.exe 2416 report.exe 2416 report.exe 2416 report.exe 2416 report.exe 2416 report.exe 2416 report.exe 2416 report.exe 2416 report.exe 2416 report.exe 2416 report.exe 2416 report.exe -
Suspicious use of AdjustPrivilegeToken 22 IoCs
description pid Process Token: SeDebugPrivilege 2416 report.exe Token: SeIncreaseQuotaPrivilege 2064 WMIC.exe Token: SeSecurityPrivilege 2064 WMIC.exe Token: SeTakeOwnershipPrivilege 2064 WMIC.exe Token: SeLoadDriverPrivilege 2064 WMIC.exe Token: SeSystemProfilePrivilege 2064 WMIC.exe Token: SeSystemtimePrivilege 2064 WMIC.exe Token: SeProfSingleProcessPrivilege 2064 WMIC.exe Token: SeIncBasePriorityPrivilege 2064 WMIC.exe Token: SeCreatePagefilePrivilege 2064 WMIC.exe Token: SeBackupPrivilege 2064 WMIC.exe Token: SeRestorePrivilege 2064 WMIC.exe Token: SeShutdownPrivilege 2064 WMIC.exe Token: SeDebugPrivilege 2064 WMIC.exe Token: SeSystemEnvironmentPrivilege 2064 WMIC.exe Token: SeRemoteShutdownPrivilege 2064 WMIC.exe Token: SeUndockPrivilege 2064 WMIC.exe Token: SeManageVolumePrivilege 2064 WMIC.exe Token: 33 2064 WMIC.exe Token: 34 2064 WMIC.exe Token: 35 2064 WMIC.exe Token: SeDebugPrivilege 2416 report.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
pid Process 664 febce9dd232edef84421fddcced6333c_JaffaCakes118.exe 2416 report.exe 2416 report.exe 2416 report.exe 2416 report.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 664 wrote to memory of 2416 664 febce9dd232edef84421fddcced6333c_JaffaCakes118.exe 29 PID 664 wrote to memory of 2416 664 febce9dd232edef84421fddcced6333c_JaffaCakes118.exe 29 PID 664 wrote to memory of 2416 664 febce9dd232edef84421fddcced6333c_JaffaCakes118.exe 29 PID 664 wrote to memory of 2416 664 febce9dd232edef84421fddcced6333c_JaffaCakes118.exe 29 PID 2416 wrote to memory of 2972 2416 report.exe 30 PID 2416 wrote to memory of 2972 2416 report.exe 30 PID 2416 wrote to memory of 2972 2416 report.exe 30 PID 2416 wrote to memory of 2972 2416 report.exe 30 PID 2416 wrote to memory of 2064 2416 report.exe 33 PID 2416 wrote to memory of 2064 2416 report.exe 33 PID 2416 wrote to memory of 2064 2416 report.exe 33 PID 2416 wrote to memory of 2064 2416 report.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\febce9dd232edef84421fddcced6333c_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\febce9dd232edef84421fddcced6333c_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:664 -
\??\c:\users\admin\appdata\roaming\microsoft\internet explorer\report.exe"c:\users\admin\appdata\roaming\microsoft\internet explorer\report.exe"2⤵
- Drops file in Drivers directory
- Looks for VMWare Tools registry key
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="report" dir=in action=allow program="c:\users\admin\appdata\roaming\microsoft\internet explorer\report.exe"3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2972
-
-
C:\Windows\SysWOW64\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" path win32_terminalservicesetting where (__Class!="") call setallowtsconnections 13⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2064
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD5b32bb2e62ec0b79ef3e3ad3e40b6384d
SHA16e2e0d857aec049b7156fdfdd0a9c4e40bda3b3d
SHA256adca24b27416bf3ffa0333e182fe5c1e825ea23304683efbc5e6099cbe7e7396
SHA5120b37ac8d9ceb89bcd7ae5a98aaa49c907c341e777389463142bee05acf4bc3e5a558f482c93a1dbfc2ce57e8fe3472b880fef75a5ec2eb74b65f4e851177d6d0
-
Filesize
228KB
MD5e433e1a3fd09fd0d3925b0579b3a4583
SHA112e539623e9ec089c4167b8aaa8216db53795187
SHA256dedd653b6d4131a7549378e69d792de1963bd608aa62847bb1959a41c6d9caeb
SHA5120bc2f06baeec1f4993f1a2500ab87693a6e01342793b5ee87907cd8234104454557d097b5f6f3b1ec11849e8f81897eb3c8eed580acae87d248b02bde720f557
-
Filesize
348KB
MD5febce9dd232edef84421fddcced6333c
SHA1e0d243d149472ad327a632437646a23dc255b9ad
SHA25666e30e36ce6fdcc08145b3397f6d16b68d7982467dff0358df205f225429bc24
SHA512fe7a861940003fd0c122b07aa9bf1dedad449f4997e4c7b756c480753a791026e5600de1472b1afd94c9c863048a81f9592f76ed651537c6a73e961d19bd76f8