Analysis
max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 02/10/2024, 17:05
Static task: static1
Behavioral task: behavioral1
  Sample: 0bb2c9fa052921012d29d95ec794a6dd_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 0bb2c9fa052921012d29d95ec794a6dd_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: 0bb2c9fa052921012d29d95ec794a6dd_JaffaCakes118.exe
Size: 380KB
MD5: 0bb2c9fa052921012d29d95ec794a6dd
SHA1: f72b8b078a281c438477ff007cbc134164cfc21e
SHA256: 6441154a13cbdd4e555c45bfc01562bb659d59c116d31bdebbcad9c14f97b341
SHA512: 8d7ded6fb81b7eea87c489c2686d95f2b83989f7b2848aad75de774af3f5ab2a1887343551a87ef1eae956e0d8ee029e7e67ce3a382315ca6b54c8b6e1eb3f07
SSDEEP: 6144:kXsB7rtp/nWdoxpRThhSRiY4xBPKQwbFAE805RXUELjJoxGq6IEm02bvGDU:kXsNtp/EoxpRFoqBProSE8qFYGq6I0YB
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
  pid   Process
  712   test.exe
  1660  test.exe

Loads dropped DLL (2 IoCs)
  pid   Process
  1812  0bb2c9fa052921012d29d95ec794a6dd_JaffaCakes118.exe
  712   test.exe

Suspicious use of SetThreadContext (2 IoCs)
  description                          pid  Process   procid_target
  PID 712 set thread context of 1660   712  test.exe  31
  PID 712 set thread context of 0      712  test.exe  (none)

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  0bb2c9fa052921012d29d95ec794a6dd_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  test.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  test.exe

Suspicious use of AdjustPrivilegeToken (12 IoCs)
  description                         pid   Process
  Token: 33                           1812  0bb2c9fa052921012d29d95ec794a6dd_JaffaCakes118.exe
  Token: SeIncBasePriorityPrivilege   1812  0bb2c9fa052921012d29d95ec794a6dd_JaffaCakes118.exe
  Token: 33                           1812  0bb2c9fa052921012d29d95ec794a6dd_JaffaCakes118.exe
  Token: SeIncBasePriorityPrivilege   1812  0bb2c9fa052921012d29d95ec794a6dd_JaffaCakes118.exe
  Token: 33                           1812  0bb2c9fa052921012d29d95ec794a6dd_JaffaCakes118.exe
  Token: SeIncBasePriorityPrivilege   1812  0bb2c9fa052921012d29d95ec794a6dd_JaffaCakes118.exe
  Token: 33                           1812  0bb2c9fa052921012d29d95ec794a6dd_JaffaCakes118.exe
  Token: SeIncBasePriorityPrivilege   1812  0bb2c9fa052921012d29d95ec794a6dd_JaffaCakes118.exe
  Token: 33                           712   test.exe
  Token: SeIncBasePriorityPrivilege   712   test.exe
  Token: 33                           712   test.exe
  Token: SeIncBasePriorityPrivilege   712   test.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid  Process
  712  test.exe

Suspicious use of WriteProcessMemory (16 IoCs)
  description                       pid   Process                                              procid_target
  PID 1812 wrote to memory of 712   1812  0bb2c9fa052921012d29d95ec794a6dd_JaffaCakes118.exe  30
  PID 1812 wrote to memory of 712   1812  0bb2c9fa052921012d29d95ec794a6dd_JaffaCakes118.exe  30
  PID 1812 wrote to memory of 712   1812  0bb2c9fa052921012d29d95ec794a6dd_JaffaCakes118.exe  30
  PID 1812 wrote to memory of 712   1812  0bb2c9fa052921012d29d95ec794a6dd_JaffaCakes118.exe  30
  PID 712 wrote to memory of 1660   712   test.exe                                             31
  PID 712 wrote to memory of 1660   712   test.exe                                             31
  PID 712 wrote to memory of 1660   712   test.exe                                             31
  PID 712 wrote to memory of 1660   712   test.exe                                             31
  PID 712 wrote to memory of 1660   712   test.exe                                             31
  PID 712 wrote to memory of 1660   712   test.exe                                             31
  PID 712 wrote to memory of 1660   712   test.exe                                             31
  PID 712 wrote to memory of 1660   712   test.exe                                             31
  PID 712 wrote to memory of 0      712   test.exe                                             (none)
  PID 712 wrote to memory of 0      712   test.exe                                             (none)
  PID 712 wrote to memory of 0      712   test.exe                                             (none)
  PID 712 wrote to memory of 0      712   test.exe                                             (none)
Processes

1. C:\Users\Admin\AppData\Local\Temp\0bb2c9fa052921012d29d95ec794a6dd_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0bb2c9fa052921012d29d95ec794a6dd_JaffaCakes118.exe"
   PID: 1812
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. (child of PID 1812) C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\2011.07.06T11.46\Virtual\STUBEXE\@APPDATALOCAL@\Temp\test.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\test.exe"
      PID: 712
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. (child of PID 712) C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\2011.07.06T11.46\Virtual\STUBEXE\@APPDATALOCAL@\Temp\test.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\test.exe"
         PID: 1660
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

\Users\Admin\AppData\Local\Xenocode\Sandbox\Project1\1.00\2011.07.06T11.46\Virtual\STUBEXE\@APPDATALOCAL@\Temp\test.exe
  Filesize: 17KB
  MD5: 90a691546ff7e6dadffaf547563bf21c
  SHA1: 514f11de40096db6715f8efa63daa288f1f1f4fb
  SHA256: 4d86b32cb8666936217e0abf220788c7a2cfc80b795a1edd3b5311d446080dbf
  SHA512: 319257461794c5705c6f4423bf8f452f7b98bd0834a208e54929209b0af375ac62dbda33f34d2427ebe14fdc5eaaf8733032814a47c010c10d829421862b6bba