Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 150s
- max time network: 117s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 04/10/2024, 17:43
Static task
- static1
Behavioral task
- behavioral1
  Sample: 145496abaebd8c7fa375699c15a22f5d_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task
- behavioral2
  Sample: 145496abaebd8c7fa375699c15a22f5d_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
- Target: 145496abaebd8c7fa375699c15a22f5d_JaffaCakes118.exe
- Size: 147KB
- MD5: 145496abaebd8c7fa375699c15a22f5d
- SHA1: 285a92079da710f43c1824e30285b631564bdef3
- SHA256: 1e7e4fd69977aa3ea2edb53e26bfc211d0f05f5c64cbd6b42a441d32748b4d0b
- SHA512: aad36b531939b888f87bc0a7ca5b15fa27c8ebb6331ad0a3854b472cd082ab4cba4a9ea0d9db7d085c9c598244b2c42a1a4e01f29e92e5751db22089420f8a1d
- SSDEEP: 3072:F5F53F795uW3qol65oKqJSNmt2o7duyJH5tAGbIF9mz:Dj5uOlSotSNw3LOG
Malware Config
Signatures

Deletes itself (1 IoC)
  pid   Process
  2960  cmd.exe

Executes dropped EXE (1 IoC)
  pid   Process
  2272  miebcya.exe

Loads dropped DLL (2 IoCs)
  pid   Process
  2236  145496abaebd8c7fa375699c15a22f5d_JaffaCakes118.exe
  2236  145496abaebd8c7fa375699c15a22f5d_JaffaCakes118.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                                                          Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\{766AE4AA-32BD-D878-856E-B71B0F7E70F4} = "C:\\Users\\Admin\\AppData\\Roaming\\Beeneg\\miebcya.exe"  miebcya.exe
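The Run-key IoC above is recorded in the sandbox's native registry form (\REGISTRY\USER\<SID>\...), which is not the form an endpoint registry query or an EDR rule expects. The Python below is an added example, not part of the tria.ge report or its tooling: it parses lines in the report's own format, maps the per-user SID under \REGISTRY\USER to HKCU and \REGISTRY\MACHINE to HKLM, and scores a Run entry with four heuristics (autorun key, GUID-style value name, target under a user-writable path, value written by the very executable it points to). The two input lines are copied from this report; the field names, hive mapping and heuristics are this example's own.

```python
"""Normalise tria.ge-style registry IoC lines into hunt-ready records.

Added example; not tria.ge code. The input lines are copied verbatim from
the report; the hive mapping and the scoring rules are this example's own.
"""
import re

# Constructed input: one line from "Adds Run key to start application" and one
# from "System Language Discovery". The sandbox escapes backslashes in quoted data.
SAMPLE_LINES = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\Run\{766AE4AA-32BD-D878-856E-B71B0F7E70F4}'
    r' = "C:\\Users\\Admin\\AppData\\Roaming\\Beeneg\\miebcya.exe" miebcya.exe',
    r'Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language'
    r' 145496abaebd8c7fa375699c15a22f5d_JaffaCakes118.exe',
]

IOC_RE = re.compile(
    r'^(?P<op>Set value|Key created|Key opened|Key deleted)'
    r'(?: \((?P<vtype>\w+)\))?'        # value type such as (str) or (int)
    r' (?P<path>\\REGISTRY\\.+?)'      # native NT path; key names may contain spaces
    r'(?: = "(?P<data>.*)")?'          # quoted data, present only for Set value
    r' (?P<process>\S+)$'              # image name of the acting process
)
SID_RE = re.compile(r'^S-1-5-21(?:-\d+){4}$')           # a per-user (non built-in) SID
GUID_RE = re.compile(r'^\{[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\}$', re.I)
AUTORUN_KEYS = {
    r'software\microsoft\windows\currentversion\run',
    r'software\microsoft\windows\currentversion\runonce',
}
# Directories an unprivileged user can write to; a persistent binary living here
# needed no elevation to be dropped.
USER_WRITABLE = ('\\appdata\\roaming\\', '\\appdata\\local\\', '\\users\\public\\', '\\temp\\')


def parse_registry_ioc(line):
    """Split one report line into op/hive/key/value/data/process fields."""
    m = IOC_RE.match(line.strip())
    if not m:
        raise ValueError(f'unrecognised IoC line: {line!r}')
    parts = m.group('path').split('\\')   # ['', 'REGISTRY', 'USER'|'MACHINE', ...]
    root, rest = parts[2].upper(), parts[3:]
    sid = None
    if root == 'MACHINE':
        hive = 'HKLM'
    elif root == 'USER' and rest and SID_RE.match(rest[0]):
        # The logged-on user's SID subtree of HKU is what that user sees as HKCU.
        hive, sid, rest = 'HKCU', rest[0], rest[1:]
    else:
        hive = 'HKU'
    op = m.group('op')
    value_name = None
    if op == 'Set value':                 # last path component is the value name
        value_name, rest = rest[-1], rest[:-1]
    data = m.group('data')
    if data is not None:
        data = data.replace('\\\\', '\\')  # undo the sandbox's backslash escaping
    return {
        'op': op, 'hive': hive, 'sid': sid, 'key': '\\'.join(rest),
        'value_name': value_name, 'type': m.group('vtype'),
        'data': data, 'process': m.group('process'),
    }


def hunt_path(entry):
    """Registry path in the HKCU\\... form an endpoint query or detection rule uses."""
    path = f"{entry['hive']}\\{entry['key']}"
    if entry['value_name'] is not None:
        path += f"\\{entry['value_name']}"
    return path


def assess_persistence(entry):
    """Reasons (in fixed order) this write looks like user-level autostart persistence."""
    reasons = []
    if entry['op'] != 'Set value' or entry['key'].lower() not in AUTORUN_KEYS:
        return reasons
    reasons.append('autorun key')
    if GUID_RE.match(entry['value_name'] or ''):
        reasons.append('GUID-style value name')
    data = (entry['data'] or '').lower()
    if any(marker in data for marker in USER_WRITABLE):
        reasons.append('target under user-writable path')
    if data.rsplit('\\', 1)[-1] == entry['process'].lower():
        reasons.append('written by its own target')
    return reasons


if __name__ == '__main__':
    for line in SAMPLE_LINES:
        entry = parse_registry_ioc(line)
        print(hunt_path(entry), assess_persistence(entry))
```

The resulting HKCU path and the file path in `data` are what to hunt for on other hosts; the per-user SID is host-specific and is deliberately dropped from the hunt path. The "Key opened" line from the language-discovery signature parses to an HKLM path and scores zero, which is the expected result for a read of a system NLS key.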
Suspicious use of SetThreadContext (1 IoC)
  description             pid   Process                                              target pid  procid_target
  set thread context of   2236  145496abaebd8c7fa375699c15a22f5d_JaffaCakes118.exe   2960        30

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                       Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  145496abaebd8c7fa375699c15a22f5d_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe

Modifies Internet Explorer settings (2 IoCs)
  description      ioc                                                                                                                   Process
  Set value (int)  \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"  145496abaebd8c7fa375699c15a22f5d_JaffaCakes118.exe
  Key created      \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Privacy                      145496abaebd8c7fa375699c15a22f5d_JaffaCakes118.exe

NTFS ADS (1 IoC)
  description                   ioc                                                                                                               Process
  File opened for modification  C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\0EA054BD-00000001.eml:OECustomProperty  WinMail.exe

Suspicious behavior: EnumeratesProcesses (32 IoCs)
  pid   Process
  2272  miebcya.exe (32 identical entries)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description                   pid   Process
  Token: SeSecurityPrivilege     2236  145496abaebd8c7fa375699c15a22f5d_JaffaCakes118.exe
  Token: SeSecurityPrivilege     2236  145496abaebd8c7fa375699c15a22f5d_JaffaCakes118.exe
  Token: SeSecurityPrivilege     2236  145496abaebd8c7fa375699c15a22f5d_JaffaCakes118.exe
  Token: SeManageVolumePrivilege 2964  WinMail.exe

Suspicious use of FindShellTrayWindow (1 IoC)
  pid   Process
  2964  WinMail.exe

Suspicious use of SendNotifyMessage (1 IoC)
  pid   Process
  2964  WinMail.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid   Process
  2964  WinMail.exe

Suspicious use of WriteProcessMemory (48 IoCs)
  The 48 rows are collapsed by (source, target) pair in their original order; the source image is always the one shown for that pid. procid_target is the sandbox's own index for the target process, not its Windows pid.
  pid   Process                                              wrote to memory of (pid)  procid_target  count
  2236  145496abaebd8c7fa375699c15a22f5d_JaffaCakes118.exe   2272                      28             4
  2272  miebcya.exe                                          1084                      19             5
  2272  miebcya.exe                                          1172                      20             5
  2272  miebcya.exe                                          1200                      21             5
  2272  miebcya.exe                                          544                       23             5
  2272  miebcya.exe                                          2236                      27             5
  2236  145496abaebd8c7fa375699c15a22f5d_JaffaCakes118.exe   2960                      30             9
  2272  miebcya.exe                                          1748                      32             5
  2272  miebcya.exe                                          2856                      35             5
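Read together, the WriteProcessMemory and SetThreadContext signatures describe an injection chain rather than 49 unrelated events: the sample (2236) writes into its dropped child miebcya.exe (2272); miebcya.exe writes into taskhost.exe, Dwm.exe, Explorer.EXE, three DllHost.exe instances and back into its parent; and the sample writes into cmd.exe (2960) and then sets that process's thread context. The Python below is an added example (not tria.ge code) that correlates per-event records of this kind into one verdict per source/target pair and reports each source's fan-out. The event counts are transcribed from the two tables above and the parent links from the process tree; the verdict wording is this example's own.

```python
"""Correlate WriteProcessMemory and SetThreadContext events into an injection map.

Added example, not tria.ge code. PIDs, images, counts and parent links are
transcribed from this report; the classification rules are this example's own.
"""
from collections import defaultdict

# Process images and parent links, from the "Processes" tree of this report.
IMAGES = {
    1084: 'taskhost.exe', 1172: 'Dwm.exe', 1200: 'Explorer.EXE', 544: 'DllHost.exe',
    2236: '145496abaebd8c7fa375699c15a22f5d_JaffaCakes118.exe', 2272: 'miebcya.exe',
    2960: 'cmd.exe', 2964: 'WinMail.exe', 1748: 'DllHost.exe', 2856: 'DllHost.exe',
}
PARENT = {2236: 1200, 2272: 2236, 2960: 2236}

# (source pid, target pid, count) transcribed from "Suspicious use of WriteProcessMemory".
WRITES = [
    (2236, 2272, 4), (2272, 1084, 5), (2272, 1172, 5), (2272, 1200, 5), (2272, 544, 5),
    (2272, 2236, 5), (2236, 2960, 9), (2272, 1748, 5), (2272, 2856, 5),
]
# (source pid, target pid) transcribed from "Suspicious use of SetThreadContext".
SET_CONTEXT = [(2236, 2960)]


def expand(writes, set_context):
    """Flatten the aggregated tables into per-event records, as an EDR would log them."""
    events = []
    for src, dst, n in writes:
        events.extend({'api': 'WriteProcessMemory', 'src': src, 'dst': dst} for _ in range(n))
    events.extend({'api': 'SetThreadContext', 'src': s, 'dst': d} for s, d in set_context)
    return events


def correlate(events, images=IMAGES, parent=PARENT):
    """One record per (source, target) pair with a verdict derived from the API mix
    and the process tree. A write followed by SetThreadContext on the same target is
    the thread-hijack / hollowing pattern; writes into unrelated long-lived processes
    are plain cross-process injection."""
    pairs = defaultdict(lambda: {'writes': 0, 'set_thread_context': False})
    for ev in events:
        rec = pairs[(ev['src'], ev['dst'])]
        if ev['api'] == 'WriteProcessMemory':
            rec['writes'] += 1
        elif ev['api'] == 'SetThreadContext':
            rec['set_thread_context'] = True
    result = {}
    for (src, dst), rec in pairs.items():
        target = images.get(dst, f'pid {dst}')
        if rec['set_thread_context'] and rec['writes']:
            verdict = f'write + SetThreadContext on {target} (thread hijack / hollowing pattern)'
        elif parent.get(dst) == src:
            verdict = f'write into own child {target}'
        elif parent.get(src) == dst:
            verdict = f'write back into parent {target}'
        else:
            verdict = f'cross-process write into {target}'
        result[(src, dst)] = {**rec, 'source': images.get(src, f'pid {src}'),
                              'target': target, 'verdict': verdict}
    return result


def fan_out(summary):
    """Distinct targets written by each source; a single process writing into many
    unrelated ones is the signature of an injector, whatever the payload is."""
    targets = defaultdict(set)
    for src, dst in summary:
        targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items()}


if __name__ == '__main__':
    summary = correlate(expand(WRITES, SET_CONTEXT))
    for (src, dst), rec in summary.items():
        print(f"{src} -> {dst}: {rec['writes']:2d} write(s)  {rec['verdict']}")
    print('fan-out:', fan_out(summary))
```

On this report the pair (2236, 2960) is the only one that combines writes with SetThreadContext, and 2272 is the only source with a fan-out above one (seven distinct targets), which is the split a triage rule would key on: the first pair is the injected cmd.exe that later runs the self-delete batch file, the second is the dropped persistence binary seeding system processes.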
Processes
- C:\Windows\system32\taskhost.exe
  command line: "taskhost.exe"
  PID: 1084
- C:\Windows\system32\Dwm.exe
  command line: "C:\Windows\system32\Dwm.exe"
  PID: 1172
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 1200
  - C:\Users\Admin\AppData\Local\Temp\145496abaebd8c7fa375699c15a22f5d_JaffaCakes118.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\145496abaebd8c7fa375699c15a22f5d_JaffaCakes118.exe"
    PID: 2236
    signatures: Loads dropped DLL; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Modifies Internet Explorer settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Beeneg\miebcya.exe
      command line: "C:\Users\Admin\AppData\Roaming\Beeneg\miebcya.exe"
      PID: 2272
      signatures: Executes dropped EXE; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (the command line names system32; the image ran from SysWOW64, i.e. the call was redirected by WOW64 because the caller is 32-bit)
      command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp79ccc29f.bat"
      PID: 2960
      signatures: Deletes itself; System Location Discovery: System Language Discovery
- C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 544
- C:\Program Files\Windows Mail\WinMail.exe
  command line: "C:\Program Files\Windows Mail\WinMail.exe" -Embedding
  PID: 2964
  signatures: NTFS ADS; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx
- C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
  PID: 1748
- C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
  PID: 2856
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.0MB
  MD5: 3e434cbe70dccb159e1ab2a78051e666
  SHA1: e10df6d57b435f5f7c5d6e483ce866594c3225e8
  SHA256: 816be4cb7dfd611e22c3d4346b0ce17b954743e609efbf032431ac4d234fb846
  SHA512: e6e866870acdc88bd8333645368996130629d003381fe7c489bf7ef73d32f89e6ff161e869dfc225242d4c306fd6dcdf66c87f38b6c4fbb454950328c23a215f
- Filesize: 271B
  MD5: 7a39959be5333394e7ecdc678d0f180a
  SHA1: 10b8e2eadc84aba800970b05400a4dc3084f11b3
  SHA256: 2720c453bff2a05ccee8640a37d84c83672e34b49f04390ad8841c0268426ccc
  SHA512: 79960c84b832d604942496d9481f0f427bef8930671eb54b0ba685787658dfaa8e9851adca14089fdd2ba42b027e834a947b96f9818caa056e835eac00f15da7
- Filesize: 147KB
  MD5: e3abef3f772e37f127a8c91bc0aecf54
  SHA1: 9316cbf0ba65f95251d1e9c533687bdae62d31e1
  SHA256: a5514047c4e84d0812ebb56e73d497ffee42062bb09ab11a8fdea9d59d4d1e2b
  SHA512: 19f6e4b6e01cd4a9b81e3ea66608545bcc712af7393d9125a2b6891eb7e22d7d21f66d8cde18ca580971f7c78bd34b116fef60d5c6e00446f024064593da7919
- Filesize: 380B
  MD5: 681899fc9d6690a8ad83e0834faf230d
  SHA1: 3def4a3ba9769f092faade9b248b5b25724ab3bd
  SHA256: b5ef7c12fd10a40aa39c8b18d3c55f113cd6fd8a7c5fa70ead475a58f65c094d
  SHA512: 636a850e71de6b0540a9cd8a2dc9648a66db98ec8174f7131be7d0df93b1a14720fe76a9e294124d052f892d4e946f7592b8699bed7ba7ba90c12a5e54eef50c