Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 150s
- max time network: 136s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 05/10/2024, 08:34
Static task: static1
Behavioral task: behavioral1
- Sample: 16f3f36cb0306dc02c1067f04648dc63_JaffaCakes118.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: 16f3f36cb0306dc02c1067f04648dc63_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: 16f3f36cb0306dc02c1067f04648dc63_JaffaCakes118.exe
- Size: 270KB
- MD5: 16f3f36cb0306dc02c1067f04648dc63
- SHA1: 2907fa5c28e30a058853482d9c3be0b00b449e00
- SHA256: 59165ce2351115da3f5ec549fe276d12984877dd1b6a5f8fa3997fe8744d6511
- SHA512: ee4120352e2192525635ecde6d7934cbea65c1be778294e44d2ee4e93e0edd5c6643b21d79845c9e7d00ec562071524501fefcc6524bade3a27193d9aa1c2693
- SSDEEP: 6144:2tjpNGqvoArlO+BeiO2/pWTxq/fnx7GDrRcJIcxyCq0hzft:O1vo8AVq/PERcHxywt
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 1724  Process cmd.exe
- Executes dropped EXE (1 IoC)
  pid 1904  Process boosp.exe
- Loads dropped DLL (2 IoCs)
  pid 2324  Process 16f3f36cb0306dc02c1067f04648dc63_JaffaCakes118.exe (2 entries)
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\{278F5008-6814-AD4F-E8EF-460FE6556512} = "C:\\Users\\Admin\\AppData\\Roaming\\Tuapj\\boosp.exe"
  Process: boosp.exe
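As an added triage example, not part of the report or of tria.ge's own tooling, the following Python scores a Run-key write in the report's line format. It parses the boosp.exe entry above and one constructed benign control line (the vendor name, path and writing process in the control are made up), and flags a value when at least two of three heuristics fire: the value name is a bare GUID rather than a product name, the autostart target lives under the user's profile, and the registered binary wrote the key itself. The threshold and the three heuristics are this example's choices, not anything the report states.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# First line is copied from the report's "Adds Run key" signature; the second
# is a constructed benign-looking control (vendor, path and writer are invented).
RUN_KEY_EVENTS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\Run\{278F5008-6814-AD4F-E8EF-460FE6556512}'
    r' = "C:\\Users\\Admin\\AppData\\Roaming\\Tuapj\\boosp.exe" boosp.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater'
    r' = "C:\\Program Files\\Vendor\\Updater.exe" setup.exe',
]

# Shape of a sandbox "Set value (str)" line: key path, value name, quoted data, writing process.
RUN_VALUE_RE = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\\S+?\\CurrentVersion\\Run)\\'
    r'(?P<name>\S+) = "(?P<data>.*)" (?P<proc>\S+)$'
)
GUID_NAME_RE = re.compile(r'^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$')


@dataclass
class RunKeyFinding:
    name: str          # registry value name
    path: str          # autostart target with the report's doubled backslashes undone
    writer: str        # process that wrote the value
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Two independent heuristics agreeing is the bar used here (an assumption).
        return len(self.reasons) >= 2


def assess_run_value(line: str) -> Optional[RunKeyFinding]:
    """Parse one Run-key write line and collect the heuristics it trips."""
    m = RUN_VALUE_RE.match(line)
    if not m:
        return None
    path = m['data'].replace('\\\\', '\\')
    finding = RunKeyFinding(m['name'], path, m['proc'])
    if GUID_NAME_RE.match(finding.name):
        finding.reasons.append('value name is a bare GUID, not a product name')
    low = path.lower()
    if '\\appdata\\roaming\\' in low or '\\appdata\\local\\' in low:
        finding.reasons.append('autostart target lives in a user-writable profile directory')
    if low.rsplit('\\', 1)[-1] == finding.writer.lower():
        finding.reasons.append('the registered binary registered itself')
    return finding


def triage(lines) -> List[RunKeyFinding]:
    """Return only the findings that cross the suspicion threshold."""
    return [f for f in map(assess_run_value, lines) if f and f.suspicious]


if __name__ == '__main__':
    for f in triage(RUN_KEY_EVENTS):
        print(f.name, '->', f.path, 'by', f.writer)
        for r in f.reasons:
            print('   *', r)
```

Run against the two lines, only the boosp.exe value is reported, with all three reasons; the control trips none. On a live host the same heuristics apply to the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`, with the value names and data substituted for the sandbox line format.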
- Suspicious use of SetThreadContext (1 IoC)
  description: PID 2324 set thread context of 1724
  pid 2324  Process 16f3f36cb0306dc02c1067f04648dc63_JaffaCakes118.exe  procid_target 32
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: 16f3f36cb0306dc02c1067f04648dc63_JaffaCakes118.exe
  description: Key opened  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: cmd.exe
- Modifies Internet Explorer settings (2 IoCs)
  description: Key created  ioc: \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Privacy  Process: 16f3f36cb0306dc02c1067f04648dc63_JaffaCakes118.exe
  description: Set value (int)  ioc: \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"  Process: 16f3f36cb0306dc02c1067f04648dc63_JaffaCakes118.exe
- Suspicious behavior: EnumeratesProcesses (31 IoCs)
  pid 1904  Process boosp.exe (all 31 entries)
- Suspicious use of UnmapMainImage (2 IoCs)
  pid 2324  Process 16f3f36cb0306dc02c1067f04648dc63_JaffaCakes118.exe
  pid 1904  Process boosp.exe
- Suspicious use of WriteProcessMemory (38 IoCs, grouped by writer and target)
  writer PID  writer Process                                       target PID  procid_target  entries
  2324        16f3f36cb0306dc02c1067f04648dc63_JaffaCakes118.exe   1904        31             4
  1904        boosp.exe                                            1108        19             5
  1904        boosp.exe                                            1172        20             5
  1904        boosp.exe                                            1228        21             5
  1904        boosp.exe                                            1080        23             5
  1904        boosp.exe                                            2324        30             5
  2324        16f3f36cb0306dc02c1067f04648dc63_JaffaCakes118.exe   1724        32             9
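The WriteProcessMemory and SetThreadContext entries above only become readable once each write is placed against the process tree: a write to a process the writer just created is a different event from a write into taskhost.exe, Dwm.exe or Explorer.EXE. The following Python is an added example, not code from the report or from tria.ge, that rebuilds the 38 write entries and the one thread-context entry in the report's own line format, parses them, and labels each writer/target pair by its relationship in the tree. The parent links are read from the indentation of the report's Processes section (assumed to mean "child of the entry above"); the labels and the decision of what counts as an injection target are this example's, not the sandbox's.

```python
import re
from collections import Counter
from typing import Dict, List, Set, Tuple

SAMPLE = '16f3f36cb0306dc02c1067f04648dc63_JaffaCakes118.exe'

# Process table reconstructed from the report's Processes tree: pid -> (image, parent pid).
# Parent links follow the tree indentation; the depth-1 system processes have no recorded parent.
PROCESSES: Dict[int, Tuple[str, object]] = {
    1108: ('taskhost.exe', None),
    1172: ('Dwm.exe', None),
    1228: ('Explorer.EXE', None),
    1080: ('DllHost.exe', None),
    2324: (SAMPLE, 1228),
    1904: ('boosp.exe', 2324),
    1724: ('cmd.exe', 2324),
}

# The report's 38 WriteProcessMemory entries, regenerated from
# (writer pid, target pid, writer image, procid_target, repeat count).
_WPM = [
    (2324, 1904, SAMPLE, 31, 4), (1904, 1108, 'boosp.exe', 19, 5),
    (1904, 1172, 'boosp.exe', 20, 5), (1904, 1228, 'boosp.exe', 21, 5),
    (1904, 1080, 'boosp.exe', 23, 5), (1904, 2324, 'boosp.exe', 30, 5),
    (2324, 1724, SAMPLE, 32, 9),
]
IOC_LINES: List[str] = [f'PID {w} wrote to memory of {t} {w} {img} {pt}'
                        for w, t, img, pt, n in _WPM for _ in range(n)]
IOC_LINES.append(f'PID 2324 set thread context of 1724 2324 {SAMPLE} 32')

# "PID <writer> <verb> <target> <writer> <image> <procid_target>"
IOC_RE = re.compile(r'^PID (\d+) (wrote to memory of|set thread context of) (\d+) \d+ \S+ \d+$')


def parse_iocs(lines) -> Tuple[Counter, Set[Tuple[int, int]]]:
    """Count cross-process writes per (writer, target) and collect thread-context edits."""
    writes: Counter = Counter()
    ctx: Set[Tuple[int, int]] = set()
    for line in lines:
        m = IOC_RE.match(line)
        if not m:
            continue
        writer, verb, target = int(m[1]), m[2], int(m[3])
        if verb.startswith('wrote'):
            writes[(writer, target)] += 1
        else:
            ctx.add((writer, target))
    return writes, ctx


def classify(writes: Counter, ctx: Set[Tuple[int, int]], procs=PROCESSES):
    """Label each writer->target pair: child, child+thread-context, parent or unrelated."""
    findings = []
    for (w, t), n in sorted(writes.items()):
        if procs[t][1] == w:
            # Writer created the target; with SetThreadContext as well this is the
            # write-then-redirect-entry-point pattern seen in process hollowing.
            kind = 'child+thread-context' if (w, t) in ctx else 'child'
        elif procs[w][1] == t:
            kind = 'parent'
        else:
            kind = 'unrelated'
        findings.append((procs[w][0], w, procs[t][0], t, n, kind))
    return findings


def injection_targets(findings) -> Set[Tuple[int, int]]:
    """Pairs where memory was written into a process the writer did not merely launch."""
    return {(w, t) for _, w, _, t, _, kind in findings
            if kind in ('parent', 'unrelated', 'child+thread-context')}


if __name__ == '__main__':
    wr, cx = parse_iocs(IOC_LINES)
    for img_w, w, img_t, t, n, kind in classify(wr, cx):
        print(f'{img_w} ({w}) -> {img_t} ({t}): {n} writes, {kind}')
```

Run as-is, the output shows boosp.exe (1904) writing into four processes it has no tree relationship with plus its own parent, and the sample writing into cmd.exe (1724) and then resetting that child's thread context, which is the event behind the "Deletes itself" signature attributed to cmd.exe. Writes from a 32-bit sample to a freshly created child also explain why the sandbox records several identical entries for one launch.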
Processes
- C:\Windows\system32\taskhost.exe (depth 1, PID 1108)
  command line: "taskhost.exe"
- C:\Windows\system32\Dwm.exe (depth 1, PID 1172)
  command line: "C:\Windows\system32\Dwm.exe"
- C:\Windows\Explorer.EXE (depth 1, PID 1228)
  command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\16f3f36cb0306dc02c1067f04648dc63_JaffaCakes118.exe (depth 2, PID 2324)
    command line: "C:\Users\Admin\AppData\Local\Temp\16f3f36cb0306dc02c1067f04648dc63_JaffaCakes118.exe"
    signatures: Loads dropped DLL; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Modifies Internet Explorer settings; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Tuapj\boosp.exe (depth 3, PID 1904)
      command line: "C:\Users\Admin\AppData\Roaming\Tuapj\boosp.exe"
      signatures: Executes dropped EXE; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (depth 3, PID 1724; the 32-bit sample's system32 path resolves to SysWOW64 under WOW64 file system redirection)
      command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp8a922653.bat"
      signatures: Deletes itself; System Location Discovery: System Language Discovery
- C:\Windows\system32\DllHost.exe (depth 1, PID 1080)
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 271B
  MD5: 5547645ca5062b15b31e28f33c0043fd
  SHA1: 28978c77ef3bf4fee314bce9f4331e2097d284e0
  SHA256: b77f94a40580e569f4328467b29b11e6fe4e480226216926fa99db3f79939f72
  SHA512: 48556800aefd83e62e651008c3211c4fe2a20ab3959c55bdebcde639ed9114ad3b37f4af7d8aab61871385f83fd40891b3f7c96831c2922b974bd46c6c95815a
- Filesize: 270KB
  MD5: bae8f0eefa07e3c98ed9b03b1c6a6cbe
  SHA1: ceb944679d7602fee8b64b1dfd9e66bf58c20888
  SHA256: 545f02fce0edd75f2d574eab2815d51fda844ccb6876e56b0fe714abef918c2d
  SHA512: 449aaf1f3819227df038192905766c6945384560cf9ff4a230fe29cd0bebcfa5dd82f4abf3b1c436125fff1a4489110a7e17ad5fd90e8c4fe309a62269c1996b