Site notice (Windows 7 deprecation): Windows 7 will be removed from tria.ge on 2025-03-31.
Analysis
max time kernel: 150s
max time network: 123s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 04/10/2024, 08:26
Static task: static1
Behavioral task: behavioral1
Sample: 12939b3590d5aa3b4d8b50048e1955ca_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: 12939b3590d5aa3b4d8b50048e1955ca_JaffaCakes118.exe
Size: 226KB
MD5: 12939b3590d5aa3b4d8b50048e1955ca
SHA1: 2f993fb018435f5365ef558f90ad6357a0bcf5e6
SHA256: 8309eb9ecbfe0e5dca5070d94649340cf0406baedb940eeb062113f14fe30e58
SHA512: 0552f17cd25692fa6a5ee4dcecbe2abea8de7e503969d7bbf036b2694bcf950cadcb4d2e10cd6b6156dd4a9acdf18b202cfb8e7e4c4a82998853d50c927dc24b
SSDEEP: 3072:RAatf04xOIhMDy3EsLVqRwlKYNrsp6mpehe6beTSOJ8os9PHt4RSF:5tfrxOUMD0IMxe6bpOWP6cF
Malware Config
Signatures
-
Drops file in Drivers directory (1 IoC)
File opened for modification: C:\Windows\system32\drivers\etc\hosts, by Logo1_.exe
Note: the signature keys on the drivers\ path, but the file touched is the system hosts file, not a driver. Writes to hosts are commonly used to redirect or block name resolution (security-vendor update hosts are a frequent target); the report does not show what was written.
Deletes itself (1 IoC)
PID 2988, cmd.exe
Executes dropped EXE (2 IoCs)
PID 1548, Logo1_.exe
PID 2792, 12939b3590d5aa3b4d8b50048e1955ca_JaffaCakes118.exe
Loads dropped DLL (1 IoC)
PID 2988, cmd.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
No IoC rows are attached to this signature in the report; treat it as a TTP mapping rather than an observed file or registry access.
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
All 21 entries: File opened (read-only) by Logo1_.exe. Drive roots, in the order reported:
\??\N: \??\E: \??\X: \??\W: \??\V: \??\U: \??\R: \??\Z: \??\L: \??\J: \??\I: \??\P: \??\K: \??\M: \??\H: \??\G: \??\Y: \??\T: \??\S: \??\Q: \??\O:
Drops file in Program Files directory (64 IoCs)
All 64 entries: File opened for modification by Logo1_.exe. Every target is an existing executable under Program Files or Program Files (x86):
C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe
C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe
C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe
C:\Program Files (x86)\Microsoft Office\Office14\IEContentService.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe
C:\Program Files\VideoLAN\VLC\uninstall.exe
C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE
C:\Program Files\7-Zip\7z.exe
C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe
C:\Program Files\Java\jre7\bin\javaw.exe
C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe
C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe
C:\Program Files\Windows Defender\MpCmdRun.exe
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe
C:\Program Files\DVD Maker\DVDMaker.exe
C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe
C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe
C:\Program Files\Mozilla Firefox\updater.exe
C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe
C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe
C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe
C:\Program Files\Java\jre7\bin\jabswitch.exe
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe
C:\Program Files (x86)\Microsoft Office\Office14\MSTORDB.EXE
C:\Program Files\Windows Mail\wabmig.exe
C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe
C:\Program Files (x86)\Microsoft Office\Office14\CLVIEW.EXE
C:\Program Files (x86)\Windows Media Player\wmlaunch.exe
C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe
C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe
C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe
C:\Program Files\Microsoft Games\Mahjong\Mahjong.exe
C:\Program Files\Windows Mail\wab.exe
C:\Program Files (x86)\Microsoft Office\Office14\ACCICONS.EXE
C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe
C:\Program Files\Java\jre7\bin\java-rmi.exe
C:\Program Files\Microsoft Games\Hearts\Hearts.exe
C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE
C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe
C:\Program Files (x86)\Windows Mail\WinMail.exe
C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe
C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe
C:\Program Files (x86)\Microsoft Office\Office14\SETLANG.EXE
C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe
C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE
C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe
C:\Program Files (x86)\Microsoft Office\Office14\SELFCERT.EXE
Drops file in Windows directory (2 IoCs)
File created: C:\Windows\Logo1_.exe, by 12939b3590d5aa3b4d8b50048e1955ca_JaffaCakes118.exe
File created: C:\Windows\virDll.dll, by Logo1_.exe
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by each of:
12939b3590d5aa3b4d8b50048e1955ca_JaffaCakes118.exe (two entries)
net1.exe
Logo1_.exe
cmd.exe
net.exe
Runs net.exe
No IoC rows are attached to this signature; the command is visible in the process tree below: Logo1_.exe (PID 1548) runs net.exe (PID 2120) with net stop "Kingsoft AntiVirus Service", which hands off to net1.exe (PID 2168). Stopping a security product's service before the payload does its work is a defence-evasion step, and the service name it targets is the only vendor the sample names.
Suspicious behavior: EnumeratesProcesses (9 IoCs)
PID 1548, Logo1_.exe (all 9 entries)
Suspicious use of WriteProcessMemory (22 IoCs)
The 22 rows collapse to six writer/target pairs (target process names resolved from the process tree below):
PID 1960 (12939b3590d5aa3b4d8b50048e1955ca_JaffaCakes118.exe) wrote to PID 2988 (cmd.exe), procid_target 30, 4 times
PID 1960 (the sample) wrote to PID 1548 (Logo1_.exe), procid_target 32, 4 times
PID 1548 (Logo1_.exe) wrote to PID 2120 (net.exe), procid_target 33, 4 times
PID 2988 (cmd.exe) wrote to PID 2792 (the sample, re-launched), procid_target 36, 4 times
PID 2120 (net.exe) wrote to PID 2168 (net1.exe), procid_target 35, 4 times
PID 1548 (Logo1_.exe) wrote to PID 1128 (Explorer.EXE), procid_target 20, 2 times
The first five pairs are each a parent writing into a child it has just created, which is expected at process start and is why the signature fires on every launch in the tree. The last pair is different: Explorer.EXE is not a process Logo1_.exe created, so those two writes are the rows to treat as a possible code-injection indicator.
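The distinction drawn above (launch-time writes into a child versus writes into a process the writer did not create) is mechanical enough to script. The following is an added example, not part of the Triage report: it takes the process tree and the 22 WriteProcessMemory rows as they appear on this page, deduplicates them, and separates parent-to-child writes from cross-process writes. Explorer.EXE has no parent listed on the page, so its parent is recorded as None.

```python
"""Classify WriteProcessMemory events from a sandbox report.

A parent writing into a child it has just created is normal process-launch
behaviour; a write into a process the writer did not create is a
code-injection candidate.  The data below is copied from the Triage report's
process tree and its 'Suspicious use of WriteProcessMemory' table.
"""
from collections import Counter

# (pid, parent_pid, image) from the report's process tree.
PROCESS_TREE = [
    (1128, None, r"C:\Windows\Explorer.EXE"),
    (1960, 1128, r"C:\Users\Admin\AppData\Local\Temp\12939b3590d5aa3b4d8b50048e1955ca_JaffaCakes118.exe"),
    (2988, 1960, r"C:\Windows\SysWOW64\cmd.exe"),
    (2792, 2988, r"C:\Users\Admin\AppData\Local\Temp\12939b3590d5aa3b4d8b50048e1955ca_JaffaCakes118.exe"),
    (1548, 1960, r"C:\Windows\Logo1_.exe"),
    (2120, 1548, r"C:\Windows\SysWOW64\net.exe"),
    (2168, 2120, r"C:\Windows\SysWOW64\net1.exe"),
]

# (writer_pid, target_pid), one entry per 'wrote to memory of' row on the page.
WRITES = (
    [(1960, 2988)] * 4 + [(1960, 1548)] * 4 + [(1548, 2120)] * 4
    + [(2988, 2792)] * 4 + [(2120, 2168)] * 4 + [(1548, 1128)] * 2
)


def classify_writes(tree, writes):
    """Return (launch_writes, foreign_writes), each {(writer, target): count}.

    launch_writes:  the target is a direct child of the writer.
    foreign_writes: the target is not a child of the writer (injection candidate).
    """
    parent_of = {pid: ppid for pid, ppid, _ in tree}
    launch, foreign = {}, {}
    for (writer, target), n in Counter(writes).items():
        bucket = launch if parent_of.get(target) == writer else foreign
        bucket[(writer, target)] = n
    return launch, foreign


def describe(tree, pairs):
    """Render {(writer, target): count} as 'image (pid) -> image (pid) xN' lines."""
    image_of = {pid: img.rsplit("\\", 1)[-1] for pid, _, img in tree}
    return [f"{image_of[w]} ({w}) -> {image_of[t]} ({t}) x{n}" for (w, t), n in pairs.items()]


if __name__ == "__main__":
    launch, foreign = classify_writes(PROCESS_TREE, WRITES)
    print("launch-time writes (parent -> own child):")
    for line in describe(PROCESS_TREE, launch):
        print("  " + line)
    print("cross-process writes to investigate:")
    for line in describe(PROCESS_TREE, foreign):
        print("  " + line)
```

On this report the script leaves exactly one pair in the cross-process bucket, Logo1_.exe (1548) into Explorer.EXE (1128); the same logic applies to any sandbox that exports a process tree and per-write rows.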
Processes
(depth shown by indentation; image path, command line and PID per process, followed by the signatures that fired for it)

C:\Windows\Explorer.EXE  PID 1128
  command line: C:\Windows\Explorer.EXE
  C:\Users\Admin\AppData\Local\Temp\12939b3590d5aa3b4d8b50048e1955ca_JaffaCakes118.exe  PID 1960
    command line: "C:\Users\Admin\AppData\Local\Temp\12939b3590d5aa3b4d8b50048e1955ca_JaffaCakes118.exe"
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  PID 2988
      command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$aACD3.bat
      - Deletes itself
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\12939b3590d5aa3b4d8b50048e1955ca_JaffaCakes118.exe  PID 2792
        command line: "C:\Users\Admin\AppData\Local\Temp\12939b3590d5aa3b4d8b50048e1955ca_JaffaCakes118.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
    C:\Windows\Logo1_.exe  PID 1548
      command line: C:\Windows\Logo1_.exe
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net.exe  PID 2120
        command line: net stop "Kingsoft AntiVirus Service"
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe  PID 2168
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          - System Location Discovery: System Language Discovery

Reading the tree: the sample (PID 1960) drops C:\Windows\Logo1_.exe and starts it, and in parallel runs a batch file from %TEMP% that re-launches the file at the sample's own path (PID 2792). That second instance is flagged "Executes dropped EXE", which indicates the file at that path was rewritten during the run before being executed; the batch file is then removed ("Deletes itself" on cmd.exe). All child processes live in SysWOW64, consistent with a 32-bit sample (arch:x86 tag) running on the x64 image.
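The process chain above maps directly onto process-creation telemetry. The following is an added example, not part of the Triage report, written to show how the three distinctive steps in that chain (a net.exe service stop aimed at a security product, an executable dropped directly in the Windows directory and launched from %TEMP%, and cmd.exe running a batch file from %TEMP%) turn into detection rules. The EVENTS list is constructed here to mirror Sysmon Event ID 1 fields for the processes on the page, plus one benign "net stop Spooler" event as a negative control. The rules generalise beyond this sample: the service-stop rule matches any service whose name contains "antivirus" (with or without a hyphen), not only the Kingsoft service named in the report.

```python
r"""Detection rules for the process chain in the Triage report above.

EVENTS is constructed to resemble Sysmon Event ID 1 (process creation)
records for the processes shown on the page; field names follow Sysmon.
"""
import re

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# An .exe directly inside C:\Windows (not in a subdirectory such as System32).
WINDOWS_ROOT_EXE_RE = re.compile(r"^C:\\Windows\\[^\\]+\.exe$", re.IGNORECASE)
# 'stop <service>' with an optionally quoted service name at the end of the line.
STOP_RE = re.compile(r'\bstop\s+"?([^"]+?)"?\s*$', re.IGNORECASE)
# cmd /c <something>\AppData\Local\Temp\<name>.bat
TEMP_BAT_RE = re.compile(r"/c\s+\S*\\AppData\\Local\\Temp\\\S+\.bat", re.IGNORECASE)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\12939b3590d5aa3b4d8b50048e1955ca_JaffaCakes118.exe"


def ev(pid, image, cmd, ppid, pimage):
    """Build one Sysmon-EID-1-like event record."""
    return {"ProcessId": pid, "Image": image, "CommandLine": cmd,
            "ParentProcessId": ppid, "ParentImage": pimage}


# Constructed events mirroring the report's process tree, plus a benign control.
EVENTS = [
    ev(1960, SAMPLE, f'"{SAMPLE}"', 1128, r"C:\Windows\Explorer.EXE"),
    ev(2988, r"C:\Windows\SysWOW64\cmd.exe",
       r"cmd /c C:\Users\Admin\AppData\Local\Temp\$$aACD3.bat", 1960, SAMPLE),
    ev(2792, SAMPLE, f'"{SAMPLE}"', 2988, r"C:\Windows\SysWOW64\cmd.exe"),
    ev(1548, r"C:\Windows\Logo1_.exe", r"C:\Windows\Logo1_.exe", 1960, SAMPLE),
    ev(2120, r"C:\Windows\SysWOW64\net.exe",
       'net stop "Kingsoft AntiVirus Service"', 1548, r"C:\Windows\Logo1_.exe"),
    ev(2168, r"C:\Windows\SysWOW64\net1.exe",
       r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"', 2120,
       r"C:\Windows\SysWOW64\net.exe"),
    # Negative control (constructed): an administrator stopping the print spooler.
    ev(4242, r"C:\Windows\System32\net.exe", "net stop Spooler", 4000,
       r"C:\Windows\System32\cmd.exe"),
]


def rule_av_service_stop(e):
    """net.exe / net1.exe stopping a service whose name mentions antivirus."""
    if not e["Image"].lower().endswith(("\\net.exe", "\\net1.exe")):
        return None
    m = STOP_RE.search(e["CommandLine"])
    if m and re.search(r"anti-?virus", m.group(1), re.IGNORECASE):
        return f"stops security service {m.group(1)!r}"
    return None


def rule_windows_root_exe_from_temp(e):
    """Executable directly under the Windows directory, started by a %TEMP% process."""
    if WINDOWS_ROOT_EXE_RE.match(e["Image"]) and TEMP_RE.search(e["ParentImage"]):
        return f"{e['Image']} started by {e['ParentImage']}"
    return None


def rule_cmd_runs_temp_batch(e):
    """cmd.exe /c executing a .bat from %TEMP% (dropper clean-up / relaunch stub)."""
    if e["Image"].lower().endswith("\\cmd.exe") and TEMP_BAT_RE.search(e["CommandLine"]):
        return "cmd.exe runs a batch file from %TEMP%"
    return None


RULES = (rule_av_service_stop, rule_windows_root_exe_from_temp, rule_cmd_runs_temp_batch)


def run_rules(events, rules=RULES):
    """Return [(rule name, ProcessId, detail)] for every event/rule match."""
    hits = []
    for e in events:
        for rule in rules:
            detail = rule(e)
            if detail:
                hits.append((rule.__name__, e["ProcessId"], detail))
    return hits


if __name__ == "__main__":
    for name, pid, detail in run_rules(EVENTS):
        print(f"[{name}] PID {pid}: {detail}")
```

Run against the constructed events, the rules fire on PIDs 2988, 1548, 2120 and 2168 and stay silent on the Spooler control; each rule keys on a behaviour rather than on this sample's file names, so the same code is a reasonable starting point for Sigma-style rules on real Sysmon or EDR process-creation data.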
Network
MITRE ATT&CK Enterprise v15
Credential Access
  Credentials from Password Stores (1): Credentials from Web Browsers (1)
  Unsecured Credentials (1): Credentials In Files (1)
Downloads
(files recovered from the run; the page does not give their names or paths)

File 1
Filesize: 614B
MD5: a7a02cf1315aabfd3313a12c57735629
SHA1: ab3f797070c3340e8400cfeef51c156bda28baae
SHA256: a7899964fef439991176d6ccfdc86ee5c8b60e11a5fade1f88209000c0c6f95c
SHA512: 4c633e18fad5481af31e0fa1c0cfe2adf1c07b8baf916b63ba3bf5e7e378b1e9ad58d62df5393d1c55f75bdcbdfee514fb4a202ffbeb8ca2638e24b9a2dd2c4c

File 2
Filesize: 161KB
MD5: 80da5ee61048975f77fde0b59c44dc37
SHA1: 8e34a677aec9b0b1686cff1dd5ac2d3d6af242da
SHA256: bbc0eae226926b29c3e8e1ea629e612726cd358c5984cc45e4bdcd6f49be93bb
SHA512: 0188c8bdf324ce701d55eac4208d23a63ca40fa9b4d72f0e3c38d6fb92f10e1c5c25fa3798e2f91962e0e7d5147d7e4d3de0103e6960ffaea34e0ec6c0fd2fae

File 3
Filesize: 65KB
MD5: eed3b320cc57e0063bf83ad293477a03
SHA1: 45d74dac2b5412f7bcc9e4f2ed729b5c853a7521
SHA256: 6343d379414c5ac16232a7f9399b7712deb2676bc0c521d358b09270f9949ff3
SHA512: 5901802a1c6b214ec2c35e2cdc46e3acac4bf3d6c22deca413827e88ccaad0d83984966045741fe8fef800b8394e6fde9921502be8c1429a2984ae0fe12beb57