Analysis
- max time kernel: 150s
- max time network: 137s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 01/10/2024, 23:58
Static task: static1
Behavioral task: behavioral1
- Sample: 07f3f29eeb7728a9f073f42e13cec4ee_JaffaCakes118.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 07f3f29eeb7728a9f073f42e13cec4ee_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: 07f3f29eeb7728a9f073f42e13cec4ee_JaffaCakes118.exe
- Size: 444KB
- MD5: 07f3f29eeb7728a9f073f42e13cec4ee
- SHA1: da7cb0eb9edb5e5506c0ee4c2fe4efbb54e6148b
- SHA256: 9b894e375e381a4db74bdf50059e435add2901193022767717ec8fcd71bbda56
- SHA512: aa95e0df77854735e7d8395ba5eb5e1e7a3a188a92f87e5da039dd79ad363d2f515380a7ef9eb230ed03ad1dd5558467e3fbd101d8b32b3a99dcfdc530352de6
- SSDEEP: 6144:Qt5rjvFcipzmXQBCgYkkWcS7n6TjE4ukga/lLhYYIB6Rhwq406MQaYDYha6ib3u/:QnXTXYs9KSRZdMUyKqDhrixh8
Malware Config
Signatures

- Deletes itself (1 IoC)
  pid 2548, cmd.exe

- Executes dropped EXE (6 IoCs)
  pid 2212 vojo9rhtvxr9te30s60f.exe
  pid 2736 gingdevices.exe
  pid 2768 czmisc.exe
  pid 2776 gingdevices.exe
  pid 1984 zxieinstal.exe
  pid 2288 czmisc.exe

- Loads dropped DLL (16 IoCs)
  pid 1736 07f3f29eeb7728a9f073f42e13cec4ee_JaffaCakes118.exe (2 entries)
  pid 2212 vojo9rhtvxr9te30s60f.exe (2 entries)
  pid 2736 gingdevices.exe (2 entries)
  pid 2768 czmisc.exe (2 entries)
  pid 1984 zxieinstal.exe (5 entries)
  pid 2288 czmisc.exe (3 entries)

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gingdevices = "C:\\Program Files (x86)\\Windows Photo Viewer\\gingdevices.exe" by gingdevices.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gingdevices = "C:\\Program Files (x86)\\Windows Photo Viewer\\gingdevices.exe" by vojo9rhtvxr9te30s60f.exe

- Drops file in Program Files directory (8 IoCs)
  File created C:\Program Files (x86)\Windows Photo Viewer\gingdevices.exe by vojo9rhtvxr9te30s60f.exe
  File opened for modification C:\Program Files (x86)\Windows Photo Viewer\gingdevices.exe by vojo9rhtvxr9te30s60f.exe
  File created C:\Program Files (x86)\Microsoft Office\Office14\czmisc.exe by gingdevices.exe
  File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\czmisc.exe by gingdevices.exe
  File opened for modification C:\Program Files (x86)\Windows Photo Viewer\gingdevices.exe by czmisc.exe
  File created C:\Program Files (x86)\Internet Explorer\zxieinstal.exe by czmisc.exe
  File opened for modification C:\Program Files (x86)\Internet Explorer\zxieinstal.exe by czmisc.exe
  File opened for modification C:\Program Files (x86)\Windows Photo Viewer\gingdevices.exe by gingdevices.exe
- System Location Discovery: System Language Discovery (1 TTP, 11 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by: 07f3f29eeb7728a9f073f42e13cec4ee_JaffaCakes118.exe, vojo9rhtvxr9te30s60f.exe, attrib.exe, cmd.exe, czmisc.exe, zxieinstal.exe, cmd.exe, gingdevices.exe, attrib.exe, czmisc.exe, gingdevices.exe

- Modifies Internet Explorer settings (1 IoC)
  Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main by gingdevices.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  64 entries, every one from pid 2736 gingdevices.exe or pid 2768 czmisc.exe

- Suspicious use of SetWindowsHookEx (21 IoCs)
  pid 1736 07f3f29eeb7728a9f073f42e13cec4ee_JaffaCakes118.exe (3 entries)
  pid 2212 vojo9rhtvxr9te30s60f.exe (3 entries)
  pid 2736 gingdevices.exe (3 entries)
  pid 2768 czmisc.exe (3 entries)
  pid 2776 gingdevices.exe (3 entries)
  pid 1984 zxieinstal.exe (3 entries)
  pid 2288 czmisc.exe (3 entries)

- Suspicious use of WriteProcessMemory (46 IoCs)
  description | pid | Process | procid_target | entries
  PID 1736 wrote to memory of 2212 | 1736 | 07f3f29eeb7728a9f073f42e13cec4ee_JaffaCakes118.exe | 30 | 4
  PID 1736 wrote to memory of 2548 | 1736 | 07f3f29eeb7728a9f073f42e13cec4ee_JaffaCakes118.exe | 31 | 4
  PID 2548 wrote to memory of 2348 | 2548 | cmd.exe | 33 | 4
  PID 2212 wrote to memory of 2736 | 2212 | vojo9rhtvxr9te30s60f.exe | 34 | 4
  PID 2212 wrote to memory of 2828 | 2212 | vojo9rhtvxr9te30s60f.exe | 35 | 4
  PID 2828 wrote to memory of 2172 | 2828 | cmd.exe | 37 | 4
  PID 2736 wrote to memory of 2768 | 2736 | gingdevices.exe | 38 | 4
  PID 2768 wrote to memory of 2776 | 2768 | czmisc.exe | 39 | 4
  PID 2768 wrote to memory of 1984 | 2768 | czmisc.exe | 40 | 7
  PID 1984 wrote to memory of 2288 | 1984 | zxieinstal.exe | 41 | 7

- Views/modifies file attributes (1 TTP, 2 IoCs)
  pid 2348 attrib.exe
  pid 2172 attrib.exe
Processes

- [1] C:\Users\Admin\AppData\Local\Temp\07f3f29eeb7728a9f073f42e13cec4ee_JaffaCakes118.exe (PID 1736)
  Command line: "C:\Users\Admin\AppData\Local\Temp\07f3f29eeb7728a9f073f42e13cec4ee_JaffaCakes118.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  - [2] C:\Users\Admin\AppData\Local\Temp\vojo9rhtvxr9te30s60f.exe (PID 2212)
    Command line: C:\Users\Admin\AppData\Local\Temp\vojo9rhtvxr9te30s60f.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    - [3] C:\Program Files (x86)\Windows Photo Viewer\gingdevices.exe (PID 2736)
      Command line: "C:\Program Files (x86)\Windows Photo Viewer\gingdevices.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      - [4] C:\Program Files (x86)\Microsoft Office\Office14\czmisc.exe (PID 2768)
        Command line: "C:\Program Files (x86)\Microsoft Office\Office14\czmisc.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in Program Files directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        - [5] C:\Program Files (x86)\Windows Photo Viewer\gingdevices.exe (PID 2776)
          Command line: "C:\Program Files (x86)\Windows Photo Viewer\gingdevices.exe"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx

        - [5] C:\Program Files (x86)\Internet Explorer\zxieinstal.exe (PID 1984)
          Command line: "C:\Program Files (x86)\Internet Explorer\zxieinstal.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

          - [6] C:\Program Files (x86)\Microsoft Office\Office14\czmisc.exe (PID 2288)
            Command line: "C:\Program Files (x86)\Microsoft Office\Office14\czmisc.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

    - [3] C:\Windows\SysWOW64\cmd.exe (PID 2828)
      Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\oapqw30x.bat
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      - [4] C:\Windows\SysWOW64\attrib.exe (PID 2172)
        Command line: attrib -a -r -s -h "C:\Users\Admin\AppData\Local\Temp\vojo9rhtvxr9te30s60f.exe"
        - System Location Discovery: System Language Discovery
        - Views/modifies file attributes

  - [2] C:\Windows\SysWOW64\cmd.exe (PID 2548)
    Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\oapqw30x.bat
    - Deletes itself
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    - [3] C:\Windows\SysWOW64\attrib.exe (PID 2348)
      Command line: attrib -a -r -s -h "C:\Users\Admin\AppData\Local\Temp\07f3f29eeb7728a9f073f42e13cec4ee_JaffaCakes118.exe"
      - System Location Discovery: System Language Discovery
      - Views/modifies file attributes
Network
MITRE ATT&CK Enterprise v15
Downloads