Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
30/09/2024, 20:36
Behavioral task
behavioral1
Sample
032c5b719e788e57bb575002fadb563f_JaffaCakes118.exe
Resource
win7-20240708-en
windows7-x64
13 signatures
150 seconds
General
-
Target
032c5b719e788e57bb575002fadb563f_JaffaCakes118.exe
-
Size
298KB
-
MD5
032c5b719e788e57bb575002fadb563f
-
SHA1
e9209851efd2eea8c3a2a85f2f28cbd47e67f2d1
-
SHA256
a076441a539d9a1275f271ae34ab691a049d41fa8b86289f8e80a6b53ee5fc69
-
SHA512
24bbfc694e04e39b14e7a45877601b7ce1ddab1d1b6668ee1c883fe7e8bdfed96b0c69180bafc6a8d15f130fd82e4f2671f2ecc2d5cd25bf588f82f5899c3a42
-
SSDEEP
6144:EuIlWqB+ihabs7Ch9KwyF5LeLodp2D1Mmakda0qLqIYy:v6Wq4aaE6KwyF5L0Y2D1PqLL
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" svhost.exe -
Executes dropped EXE 1 IoCs
pid Process 2988 svhost.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\q: svhost.exe File opened (read-only) \??\r: svhost.exe File opened (read-only) \??\s: svhost.exe File opened (read-only) \??\w: svhost.exe File opened (read-only) \??\y: svhost.exe File opened (read-only) \??\i: svhost.exe File opened (read-only) \??\j: svhost.exe File opened (read-only) \??\m: svhost.exe File opened (read-only) \??\z: svhost.exe File opened (read-only) \??\l: svhost.exe File opened (read-only) \??\n: svhost.exe File opened (read-only) \??\t: svhost.exe File opened (read-only) \??\k: svhost.exe File opened (read-only) \??\u: svhost.exe File opened (read-only) \??\v: svhost.exe File opened (read-only) \??\x: svhost.exe File opened (read-only) \??\a: svhost.exe File opened (read-only) \??\b: svhost.exe File opened (read-only) \??\e: svhost.exe File opened (read-only) \??\p: svhost.exe File opened (read-only) \??\g: svhost.exe File opened (read-only) \??\h: svhost.exe File opened (read-only) \??\o: svhost.exe -
AutoIT Executable 16 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/memory/2324-803-0x0000000000400000-0x00000000004C2000-memory.dmp autoit_exe behavioral1/memory/2988-1153-0x0000000000400000-0x00000000004C2000-memory.dmp autoit_exe behavioral1/memory/2988-1155-0x0000000000400000-0x00000000004C2000-memory.dmp autoit_exe behavioral1/memory/2988-2298-0x0000000000400000-0x00000000004C2000-memory.dmp autoit_exe behavioral1/memory/2988-3449-0x0000000000400000-0x00000000004C2000-memory.dmp autoit_exe behavioral1/memory/2988-4592-0x0000000000400000-0x00000000004C2000-memory.dmp autoit_exe behavioral1/memory/2988-5740-0x0000000000400000-0x00000000004C2000-memory.dmp autoit_exe behavioral1/memory/2988-6889-0x0000000000400000-0x00000000004C2000-memory.dmp autoit_exe behavioral1/memory/2988-8034-0x0000000000400000-0x00000000004C2000-memory.dmp autoit_exe behavioral1/memory/2988-9065-0x0000000000400000-0x00000000004C2000-memory.dmp autoit_exe behavioral1/memory/2988-10217-0x0000000000400000-0x00000000004C2000-memory.dmp autoit_exe behavioral1/memory/2988-11359-0x0000000000400000-0x00000000004C2000-memory.dmp autoit_exe behavioral1/memory/2988-12504-0x0000000000400000-0x00000000004C2000-memory.dmp autoit_exe behavioral1/memory/2988-13655-0x0000000000400000-0x00000000004C2000-memory.dmp autoit_exe behavioral1/memory/2988-14799-0x0000000000400000-0x00000000004C2000-memory.dmp autoit_exe behavioral1/memory/2988-15947-0x0000000000400000-0x00000000004C2000-memory.dmp autoit_exe -
resource yara_rule behavioral1/memory/2324-0-0x0000000000400000-0x00000000004C2000-memory.dmp upx behavioral1/files/0x000900000001225f-4.dat upx behavioral1/memory/2988-5-0x0000000000400000-0x00000000004C2000-memory.dmp upx behavioral1/files/0x0007000000016ca5-66.dat upx behavioral1/memory/2324-803-0x0000000000400000-0x00000000004C2000-memory.dmp upx behavioral1/memory/2988-1153-0x0000000000400000-0x00000000004C2000-memory.dmp upx behavioral1/memory/2988-1155-0x0000000000400000-0x00000000004C2000-memory.dmp upx behavioral1/memory/2988-2298-0x0000000000400000-0x00000000004C2000-memory.dmp upx behavioral1/memory/2988-3449-0x0000000000400000-0x00000000004C2000-memory.dmp upx behavioral1/memory/2988-4592-0x0000000000400000-0x00000000004C2000-memory.dmp upx behavioral1/memory/2988-5740-0x0000000000400000-0x00000000004C2000-memory.dmp upx behavioral1/memory/2988-6889-0x0000000000400000-0x00000000004C2000-memory.dmp upx behavioral1/memory/2988-8034-0x0000000000400000-0x00000000004C2000-memory.dmp upx behavioral1/memory/2988-9065-0x0000000000400000-0x00000000004C2000-memory.dmp upx behavioral1/memory/2988-10217-0x0000000000400000-0x00000000004C2000-memory.dmp upx behavioral1/memory/2988-11359-0x0000000000400000-0x00000000004C2000-memory.dmp upx behavioral1/memory/2988-12504-0x0000000000400000-0x00000000004C2000-memory.dmp upx behavioral1/memory/2988-13655-0x0000000000400000-0x00000000004C2000-memory.dmp upx behavioral1/memory/2988-14799-0x0000000000400000-0x00000000004C2000-memory.dmp upx behavioral1/memory/2988-15947-0x0000000000400000-0x00000000004C2000-memory.dmp upx -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\svhost.exe 032c5b719e788e57bb575002fadb563f_JaffaCakes118.exe File opened for modification C:\Windows\Driver.db svhost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 032c5b719e788e57bb575002fadb563f_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svhost.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2324 032c5b719e788e57bb575002fadb563f_JaffaCakes118.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2988 svhost.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 2324 032c5b719e788e57bb575002fadb563f_JaffaCakes118.exe 2324 032c5b719e788e57bb575002fadb563f_JaffaCakes118.exe 2988 svhost.exe 2988 svhost.exe 2324 032c5b719e788e57bb575002fadb563f_JaffaCakes118.exe 2988 svhost.exe 2324 032c5b719e788e57bb575002fadb563f_JaffaCakes118.exe 2988 svhost.exe 2324 032c5b719e788e57bb575002fadb563f_JaffaCakes118.exe 2988 svhost.exe 2324 032c5b719e788e57bb575002fadb563f_JaffaCakes118.exe 2988 svhost.exe 2324 032c5b719e788e57bb575002fadb563f_JaffaCakes118.exe 2988 svhost.exe 2324 032c5b719e788e57bb575002fadb563f_JaffaCakes118.exe 2988 svhost.exe 2324 032c5b719e788e57bb575002fadb563f_JaffaCakes118.exe 2988 svhost.exe 2324 032c5b719e788e57bb575002fadb563f_JaffaCakes118.exe 2988 svhost.exe 2324 032c5b719e788e57bb575002fadb563f_JaffaCakes118.exe 2988 svhost.exe 2324 032c5b719e788e57bb575002fadb563f_JaffaCakes118.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 2324 032c5b719e788e57bb575002fadb563f_JaffaCakes118.exe 2324 032c5b719e788e57bb575002fadb563f_JaffaCakes118.exe 2988 svhost.exe 2988 svhost.exe 2324 032c5b719e788e57bb575002fadb563f_JaffaCakes118.exe 2988 svhost.exe 2324 032c5b719e788e57bb575002fadb563f_JaffaCakes118.exe 2988 svhost.exe 2324 032c5b719e788e57bb575002fadb563f_JaffaCakes118.exe 2988 svhost.exe 2324 032c5b719e788e57bb575002fadb563f_JaffaCakes118.exe 2988 svhost.exe 2324 032c5b719e788e57bb575002fadb563f_JaffaCakes118.exe 2988 svhost.exe 2324 032c5b719e788e57bb575002fadb563f_JaffaCakes118.exe 2988 svhost.exe 2324 032c5b719e788e57bb575002fadb563f_JaffaCakes118.exe 2988 svhost.exe 2324 032c5b719e788e57bb575002fadb563f_JaffaCakes118.exe 2988 svhost.exe 2324 032c5b719e788e57bb575002fadb563f_JaffaCakes118.exe 2988 svhost.exe 2324 032c5b719e788e57bb575002fadb563f_JaffaCakes118.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe 2988 svhost.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2324 wrote to memory of 2988 2324 032c5b719e788e57bb575002fadb563f_JaffaCakes118.exe 31 PID 2324 wrote to memory of 2988 2324 032c5b719e788e57bb575002fadb563f_JaffaCakes118.exe 31 PID 2324 wrote to memory of 2988 2324 032c5b719e788e57bb575002fadb563f_JaffaCakes118.exe 31 PID 2324 wrote to memory of 2988 2324 032c5b719e788e57bb575002fadb563f_JaffaCakes118.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\032c5b719e788e57bb575002fadb563f_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\032c5b719e788e57bb575002fadb563f_JaffaCakes118.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\svhost.exeC:\Windows\svhost.exe2⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2988
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
298KB
MD5ca9021071fd166e2a5e78f0f36c3925c
SHA142c707463f280248f2c68eb9110f3bd5af5c5e2b
SHA2560bf285d8abd9b5af8f0289dc18b70ba7e0cbc29c8670dbbcb58b17842a208554
SHA512bb91b14384ddd22837384cfa9e14a0e61e852b7880b2269344a0b8794cfd4c22a94370f50048f6be0528cba931ac26df935eac29e40f8a7281bcb708b257b7ff
-
Filesize
82B
MD5c2d2dc50dca8a2bfdc8e2d59dfa5796d
SHA17a6150fc53244e28d1bcea437c0c9d276c41ccad
SHA256b2d38b3f122cfcf3cecabf0dfe2ab9c4182416d6961ae43f1eebee489cf3c960
SHA5126cfdd08729de9ee9d1f5d8fcd859144d32ddc0a9e7074202a7d03d3795bdf0027a074a6aa54f451d4166024c134b27c55c7142170e64d979d86c13801f937ce4
-
Filesize
298KB
MD50ad38406bf29d9d5a46504885c0ee7ce
SHA1dafb6299a1fdf67712cd409aef1e86ca73542fde
SHA256e776745a3315e43f3bf95b13d5d12158f6cd332671b9b3af53f58fd9635b5c8d
SHA512866de6b5becc6c83f1e3a080d11cde734d9f93c0287ed8aa195ec85b97401ffa1bf0d8044b2c09c6f4697dc7aeb1c7d1c5e68bc9e7487862fc183270ba9a54bf