Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
147s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
01/10/2024, 00:42
General
-
Target
03cae9ca903d0d948fd144ba9315a1a8_JaffaCakes118.exe
-
Size
207KB
-
MD5
03cae9ca903d0d948fd144ba9315a1a8
-
SHA1
c3929908918990100f1930c36509b37219aa1b85
-
SHA256
7b0deff51daba0c2967e71799ad43f2b7a53c36703051eb8e95bbe06df85c450
-
SHA512
385691a678941ad3bd116cb80d79c7daf55c36a097ed019392fceb2e884de7178d1a1eb2e5631b45fb5d3689c3a8056914541eed810d211c69780cb46d02e424
-
SSDEEP
3072:iNu9h3eiLZT2UTOyU2qTq/yecrqyEIlyny4iio1t1oBM9/AC99kLNh11GJ+UEtEj:lh3eeTXFUnq/yesLEoynn7BMJSXtt34
Malware Config
Signatures
-
Modifies security service 2 TTPs 20 IoCs
-
Executes dropped EXE 10 IoCs
-
Loads dropped DLL 20 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 11 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory 22 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 31 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 33 IoCs
-
Runs .reg file with regedit 10 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\03cae9ca903d0d948fd144ba9315a1a8_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\03cae9ca903d0d948fd144ba9315a1a8_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c c:\AcD.bat2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg3⤵
- Modifies security service
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
-
-
-
C:\Windows\SysWOW64\Tilecomgm.comC:\Windows\system32\Tilecomgm.com 480 "C:\Users\Admin\AppData\Local\Temp\03cae9ca903d0d948fd144ba9315a1a8_JaffaCakes118.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Tilecomgm.comC:\Windows\system32\Tilecomgm.com 552 "C:\Windows\SysWOW64\Tilecomgm.com"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c c:\AcD.bat4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg5⤵
- Modifies security service
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
-
-
-
C:\Windows\SysWOW64\Tilecomgm.comC:\Windows\system32\Tilecomgm.com 560 "C:\Windows\SysWOW64\Tilecomgm.com"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c c:\AcD.bat5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg6⤵
- Modifies security service
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
-
-
-
C:\Windows\SysWOW64\Tilecomgm.comC:\Windows\system32\Tilecomgm.com 564 "C:\Windows\SysWOW64\Tilecomgm.com"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c c:\AcD.bat6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg7⤵
- Modifies security service
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
-
-
-
C:\Windows\SysWOW64\Tilecomgm.comC:\Windows\system32\Tilecomgm.com 568 "C:\Windows\SysWOW64\Tilecomgm.com"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c c:\AcD.bat7⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg8⤵
- Modifies security service
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
-
-
-
C:\Windows\SysWOW64\Tilecomgm.comC:\Windows\system32\Tilecomgm.com 572 "C:\Windows\SysWOW64\Tilecomgm.com"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.execmd /c c:\AcD.bat8⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg9⤵
- Modifies security service
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
-
-
-
C:\Windows\SysWOW64\Tilecomgm.comC:\Windows\system32\Tilecomgm.com 576 "C:\Windows\SysWOW64\Tilecomgm.com"8⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.execmd /c c:\AcD.bat9⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg10⤵
- Modifies security service
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
-
-
-
C:\Windows\SysWOW64\Tilecomgm.comC:\Windows\system32\Tilecomgm.com 580 "C:\Windows\SysWOW64\Tilecomgm.com"9⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.execmd /c c:\AcD.bat10⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg11⤵
- Modifies security service
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
-
-
-
C:\Windows\SysWOW64\Tilecomgm.comC:\Windows\system32\Tilecomgm.com 584 "C:\Windows\SysWOW64\Tilecomgm.com"10⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.execmd /c c:\AcD.bat11⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg12⤵
- Modifies security service
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
-
-
-
C:\Windows\SysWOW64\Tilecomgm.comC:\Windows\system32\Tilecomgm.com 588 "C:\Windows\SysWOW64\Tilecomgm.com"11⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.execmd /c c:\AcD.bat12⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg13⤵
- Modifies security service
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
-
-
-
-
-
-
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5KB
MD50019a0451cc6b9659762c3e274bc04fb
SHA15259e256cc0908f2846e532161b989f1295f479b
SHA256ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876
SHA512314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904
-
Filesize
3KB
MD59e5db93bd3302c217b15561d8f1e299d
SHA195a5579b336d16213909beda75589fd0a2091f30
SHA256f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e
SHA512b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a
-
Filesize
942B
MD54cee92ad10b11dbf325a40c64ff7d745
SHA1b395313d0e979fede2261f8cc558fcebfefcae33
SHA256eaeac48f16abac608c9bb5b8d0d363b2ca27708b262c1de41ab0f163c39a2fb1
SHA5123f11992b0c8f7c6f0180f984392f86ea8eb1859be236e2bbfbc863226d3cac67b06700561f27fb673e2955c6ebc5b168dd28ca704de57c4f6c07bdbf14f75ec9
-
Filesize
360B
MD53a1a83c2ffad464e87a2f9a502b7b9f1
SHA14ffa65ecdd0455499c8cd6d05947605340cbf426
SHA25673ed949fba75a20288ac2d1e367180d4c8837fd31c66143707768d5b0e3bd8b6
SHA5128232967faaf29b8b93b5042ba2bb1fcb6d0f0f2fa0e19573b1fe49f526ba434c5e76e932829e3c71beb0903e42c293ed202b619fee8aba93efe4a99e8aec55e2
-
Filesize
476B
MD5a5d4cddfecf34e5391a7a3df62312327
SHA104a3c708bab0c15b6746cf9dbf41a71c917a98b9
SHA2568961a4310b2413753851ba8afe2feb4c522c20e856c6a98537d8ab440f48853a
SHA51248024549d0fcb88e3bd46f7fb42715181142cae764a3daeb64cad07f10cf3bf14153731aeafba9a191557e29ddf1c5b62a460588823df215e2246eddaeff6643
-
Filesize
701B
MD5e427a32326a6a806e7b7b4fdbbe0ed4c
SHA1b10626953332aeb7c524f2a29f47ca8b0bee38b1
SHA256b5cfd1100679c495202229aede417b8a385405cb9d467d2d89b936fc99245839
SHA5126bd679341bec6b224962f3d0d229cff2d400e568e10b7764eb4e0903c66819a8fa99927249ab9b4c447b2d09ea0d98eb9823fb2c5f7462112036049795a5d8bd
-
Filesize
207KB
MD503cae9ca903d0d948fd144ba9315a1a8
SHA1c3929908918990100f1930c36509b37219aa1b85
SHA2567b0deff51daba0c2967e71799ad43f2b7a53c36703051eb8e95bbe06df85c450
SHA512385691a678941ad3bd116cb80d79c7daf55c36a097ed019392fceb2e884de7178d1a1eb2e5631b45fb5d3689c3a8056914541eed810d211c69780cb46d02e424
-
Filesize
752KB
-
Filesize
752KB
-
Filesize
752KB
-
Filesize
752KB
-
Filesize
752KB
-
Filesize
752KB
-
Filesize
752KB
-
Filesize
752KB
-
Filesize
752KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
752KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
752KB
-
Filesize
4KB
-
Filesize
752KB
-
Filesize
192KB
-
Filesize
16KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
192KB
-
Filesize
752KB
-
Filesize
752KB
-
Filesize
4KB
-
Filesize
752KB
-
Filesize
4KB
-
Filesize
752KB
-
Filesize
192KB
-
Filesize
752KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
192KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
192KB
-
Filesize
752KB