Analysis
- max time kernel: 150s
- max time network: 155s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 01/10/2024, 00:13
Static task: static1
Behavioral task: behavioral1
- Sample: 03ba0d5523356aa0fd71fa7968f379b8_JaffaCakes118.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 03ba0d5523356aa0fd71fa7968f379b8_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: 03ba0d5523356aa0fd71fa7968f379b8_JaffaCakes118.exe
- Size: 351KB
- MD5: 03ba0d5523356aa0fd71fa7968f379b8
- SHA1: da21a08cfdad488dd5efe50fc5d6968f177cb1ff
- SHA256: 60d944fc9d35d169fd198227eb7e9798433f4fbdd0fd6fe1a5ab19d5aa5951c7
- SHA512: 0b88231bb2b51008ceed877234bf299ef9d9e44544eb96650ea729e62311a7250751dbb5af62d99e149bd8edd305aef0d64fef0e108c068400129fe2cca514d2
- SSDEEP: 6144:78lhUbjntPDo/OQlpKz8O6KEO+MTKbJ4RQjjJxEI0Xh7PblyzY:Awt7oPaz8Vtxy4jFQ7jlys
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 2616, process cmd.exe
- Executes dropped EXE (1 IoC)
  pid 2764, process uhba.exe
- Loads dropped DLL (1 IoC)
  pid 2000, process 03ba0d5523356aa0fd71fa7968f379b8_JaffaCakes118.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\{ED60B7C8-3C80-AD4F-2955-D827011AFB3A} = "C:\\Users\\Admin\\AppData\\Roaming\\Utfuej\\uhba.exe" (process uhba.exe)
- Suspicious use of SetThreadContext (1 IoC)
  PID 2000 (03ba0d5523356aa0fd71fa7968f379b8_JaffaCakes118.exe) set thread context of 2616 (procid_target 30)
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process cmd.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process 03ba0d5523356aa0fd71fa7968f379b8_JaffaCakes118.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process uhba.exe)
- Suspicious behavior: EnumeratesProcesses (31 IoCs)
  pid 2764, process uhba.exe (31 identical entries)
- Suspicious use of UnmapMainImage (2 IoCs)
  pid 2000, process 03ba0d5523356aa0fd71fa7968f379b8_JaffaCakes118.exe
  pid 2764, process uhba.exe
- Suspicious use of WriteProcessMemory (38 IoCs)
  PID 2000 (03ba0d5523356aa0fd71fa7968f379b8_JaffaCakes118.exe) wrote to memory of 2764, procid_target 29 (4 entries)
  PID 2764 (uhba.exe) wrote to memory of 1128, procid_target 18 (5 entries)
  PID 2764 (uhba.exe) wrote to memory of 1172, procid_target 19 (5 entries)
  PID 2764 (uhba.exe) wrote to memory of 1200, procid_target 20 (5 entries)
  PID 2764 (uhba.exe) wrote to memory of 1628, procid_target 22 (5 entries)
  PID 2764 (uhba.exe) wrote to memory of 2000, procid_target 28 (5 entries)
  PID 2000 (03ba0d5523356aa0fd71fa7968f379b8_JaffaCakes118.exe) wrote to memory of 2616, procid_target 30 (9 entries)
Processes
- C:\Windows\system32\taskhost.exe
  Command line: "taskhost.exe"
  Depth 1, PID:1128
- C:\Windows\system32\Dwm.exe
  Command line: "C:\Windows\system32\Dwm.exe"
  Depth 1, PID:1172
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  Depth 1, PID:1200
  - C:\Users\Admin\AppData\Local\Temp\03ba0d5523356aa0fd71fa7968f379b8_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\03ba0d5523356aa0fd71fa7968f379b8_JaffaCakes118.exe"
    Depth 2, PID:2000
    Signatures: Loads dropped DLL; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Utfuej\uhba.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Utfuej\uhba.exe"
      Depth 3, PID:2764
      Signatures: Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpc51bd73f.bat"
      Depth 3, PID:2616
      Signatures: Deletes itself; System Location Discovery: System Language Discovery
- C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  Depth 1, PID:1628
Network
MITRE ATT&CK Enterprise v15
Downloads
- File 1
  Filesize: 271B
  MD5: eb9b6dd7c45bb29f97c908b99a93c3df
  SHA1: f72ba1a96ffae7afaba59c9f6ef8d936d30def4a
  SHA256: 1e6c59879955bcaa16779b04a8620d8ba19df51fb780b193eb8aa1b8f0177526
  SHA512: fdcb082bf842a96d51bf734c0506229d4dcb5a8575f6802ef57f52cc3e1146aa87d966b5a5b42a2eecaa77e9ba5bb0391fde778d73708f37cefedb63d5a05149
- File 2
  Filesize: 351KB
  MD5: 07e0b593bca36b05219b2dc0a0cfc075
  SHA1: 0fa25d969bf0e0a203bb3726a753bd446d420114
  SHA256: 71061baf1643258a99328d1c4570fdd51075ebb0cd46c214f2463c8321ee7834
  SHA512: 57b6d6f9b4d8579a3ccfcaef6de2df7d41c9dfe127a143b525a7c2114dff0cfdbb620c55e9e5647f60f4aa8766ac3efb34ba6bb7543bcab8447fd9167661483b