Analysis
- max time kernel: 117s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 09/10/2024, 10:52
Static task: static1
Behavioral task: behavioral1
- Sample: 2fd4b0ca4c98b737c59da79e1a59f4d0_JaffaCakes118.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 2fd4b0ca4c98b737c59da79e1a59f4d0_JaffaCakes118.exe
- Resource: win10v2004-20241007-en
General
- Target: 2fd4b0ca4c98b737c59da79e1a59f4d0_JaffaCakes118.exe
- Size: 3.8MB
- MD5: 2fd4b0ca4c98b737c59da79e1a59f4d0
- SHA1: 5eff241c9499924963e6e8034e4a86946991ba85
- SHA256: c54f41b90d6cbfa8a8590423642daad2d9804ec8d8cf03a27e2ef4cd1c8b7fbe
- SHA512: d210736b5e7ad586154651d252d0c0b871073bdeab683ffa618a39db73d9f58e7de1aa8da67457c2acdfce8d99e361ca3e1dd9309da8319f27c5e576446eae0f
- SSDEEP: 98304:/SjSLLHz89pCdxkeQv+LT7trNfnxpApzenk7O:/SFIG+ZhZpA9hq
Malware Config
Signatures
-
- Executes dropped EXE (3 IoCs)
    pid   process
    2228  ~DPC5EE.exe
    2568  ~DPC65C.exe
    2288  winlogon.exe
- Loads dropped DLL (6 IoCs)
    pid   process
    2456  2fd4b0ca4c98b737c59da79e1a59f4d0_JaffaCakes118.exe (3 loads)
    2568  ~DPC65C.exe (3 loads)
- Adds Run key to start application (2 TTPs, 2 IoCs)
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winlogon = "C:\Users\Admin\AppData\Local\Temp\~DPC5EE.exe"   process: ~DPC5EE.exe
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winlogon = "C:\Windows\winlogon.exe"   process: winlogon.exe
    (The key lands under Wow6432Node because a 32-bit process writing HKLM\SOFTWARE on 64-bit Windows is redirected there by WOW64; the value is first pointed at %TEMP% and then repointed at the copy dropped into C:\Windows.)
- Checks installed software on the system (1 TTP)
    Looks up Uninstall key entries in the registry to enumerate software on the system.
- Matches yara rule upx (4 IoCs)
    resource                                                              yara_rule
    behavioral1/files/0x000600000001926b-12.dat                           upx
    behavioral1/memory/2568-17-0x0000000000400000-0x000000000042C000-memory.dmp   upx
    behavioral1/memory/2568-33-0x0000000000400000-0x000000000042C000-memory.dmp   upx
    behavioral1/memory/2568-36-0x0000000000400000-0x000000000042C000-memory.dmp   upx
- Drops file in Windows directory (1 IoC)
    File created C:\Windows\winlogon.exe   process: ~DPC5EE.exe
- Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
    Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   process: 2fd4b0ca4c98b737c59da79e1a59f4d0_JaffaCakes118.exe
    Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   process: ~DPC5EE.exe
    Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   process: ~DPC65C.exe
    Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   process: winlogon.exe
- Modifies registry class (1 IoC)
    Set value (data) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\MSKRTLR = e80700000a0000000a000000000000001b00000004000000   process: winlogon.exe
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
    pid   process
    2228  ~DPC5EE.exe (6 events)
    2288  winlogon.exe (6 events)
- Suspicious use of SetWindowsHookEx (4 IoCs)
    pid   process
    2568  ~DPC65C.exe (4 events)
- Suspicious use of WriteProcessMemory (15 IoCs)
    pid   process                                              wrote to pid   procid_target   events
    2456  2fd4b0ca4c98b737c59da79e1a59f4d0_JaffaCakes118.exe   2228           30              4
    2456  2fd4b0ca4c98b737c59da79e1a59f4d0_JaffaCakes118.exe   2568           31              7
    2228  ~DPC5EE.exe                                          2288           32              4
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\2fd4b0ca4c98b737c59da79e1a59f4d0_JaffaCakes118.exe (PID 2456)
   command line: "C:\Users\Admin\AppData\Local\Temp\2fd4b0ca4c98b737c59da79e1a59f4d0_JaffaCakes118.exe"
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\~DPC5EE.exe (PID 2228), child of PID 2456
      command line: "C:\Users\Admin\AppData\Local\Temp\~DPC5EE.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\winlogon.exe (PID 2288), child of PID 2228
         command line: C:\Windows\winlogon.exe
         - Executes dropped EXE
         - Adds Run key to start application
         - System Location Discovery: System Language Discovery
         - Modifies registry class
         - Suspicious behavior: EnumeratesProcesses
   2. C:\Users\Admin\AppData\Local\Temp\~DPC65C.exe (PID 2568), child of PID 2456
      command line: "C:\Users\Admin\AppData\Local\Temp\~DPC65C.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
-
- Filesize: 120KB
- MD5: 7de4d379ef630e064788ebd8f7a62fca
- SHA1: 84e672f7bf9224a0f52518c93226c027a2465b25
- SHA256: 152958ed713f7f7b2bf5e49165425c87a867c8d23c7ca874e5a6e0a629436395
- SHA512: b60c420d143853b0b1bcc63e235f3c6018b8db77cb2b709fa0faffe7b31640a51c842b9fd797511eb19dde0bbd7b0e91cdda908026ae520be64da6184cb2fbbb
-
- Filesize: 3.6MB
- MD5: 02179af0725062fada76dc9f2f58e629
- SHA1: 64c92392e72ffb3740081a96983966e8ef52c84a
- SHA256: 82133b9c92dc054457669d645e380483bb3a12b7d5d36d37b2efe570ff25a41e
- SHA512: 5f70cfa32388f322bee038892a88fa20b2e7d1e0c80cd8300417e8c104ca28408845d4142129b9035e0bc9f26568a450712ef0c3170837c850c6f9ee8dcc18d7