Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 120s
max time network: 127s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 10/10/2024, 13:39
Static task: static1
Behavioral task: behavioral1
  Sample: 30252ad68194a240a0687b15c12f69c7_JaffaCakes118.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 30252ad68194a240a0687b15c12f69c7_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: 30252ad68194a240a0687b15c12f69c7_JaffaCakes118.exe
Size: 368KB
MD5: 30252ad68194a240a0687b15c12f69c7
SHA1: 8e8ecd4c929d87605eee5f3fa178024bb30d13da
SHA256: dd93f62a5686560cd10e1fd8fda31fd839352ab73831637591eb73be8cf57884
SHA512: 8d3923926a830e084c1671ba69a63f4becc271506f68571548e21405f85a90acc642f6785033c9f80b39b5ea72df6556d03aad85e33aabef6c49130f690e0e3e
SSDEEP: 6144:/NEBnVTn7nd1jZqLoP12yR1/vhSUXl9uBj486mHhsf2+XVDHNsdeU0JikNfsGTBO:/Inln3ZmqH5Fvg48Bsf2EHNsd10JisRw
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid   process
  1888  QQ.exe

Suspicious use of SetThreadContext (1 IoC)
  description                          pid   process  procid_target
  PID 1888 set thread context of 1600  1888  QQ.exe   31

Drops file in Windows directory (2 IoCs)
  description                   ioc                process
  File created                  C:\Windows\QQ.exe  30252ad68194a240a0687b15c12f69c7_JaffaCakes118.exe
  File opened for modification  C:\Windows\QQ.exe  30252ad68194a240a0687b15c12f69c7_JaffaCakes118.exe

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  30252ad68194a240a0687b15c12f69c7_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  QQ.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  IEXPLORE.EXE

Modifies data under HKEY_USERS (8 IoCs)
  All eight writes come from IEXPLORE.EXE (PID 1600) and land under the Shell Extensions\Cached key of the .DEFAULT hive.
  description       ioc                                                                                                                                                                                  process
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{16F3DD56-1AF5-4347-846D-7C10C4192619} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 010000000000000010775bd4191bdb01  IEXPLORE.EXE
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{2916C86E-86A6-43FE-8112-43ABE6BF8DCC} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 010000000000000010775bd4191bdb01  IEXPLORE.EXE
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{08244EE6-92F0-47F2-9FC9-929BAA2E7235} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 010000000000000010775bd4191bdb01  IEXPLORE.EXE
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached                                                                                            IEXPLORE.EXE
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000b01559d4191bdb01  IEXPLORE.EXE
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{99FD978C-D287-4F50-827F-B2C658EDA8E7} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000b01559d4191bdb01  IEXPLORE.EXE
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 010000000000000010775bd4191bdb01  IEXPLORE.EXE
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{920E6DB1-9907-4370-B3A0-BAFC03D81399} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 010000000000000010775bd4191bdb01  IEXPLORE.EXE

Suspicious use of FindShellTrayWindow (1 IoC)
  pid   process
  1600  IEXPLORE.EXE

Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   process  procid_target
  PID 1888 wrote to memory of 1600  1888  QQ.exe   31
  (the report lists this row six times: six separate writes from QQ.exe into PID 1600)
Processes

C:\Users\Admin\AppData\Local\Temp\30252ad68194a240a0687b15c12f69c7_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\30252ad68194a240a0687b15c12f69c7_JaffaCakes118.exe"
  PID: 3056
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery

C:\Windows\QQ.exe  (shown at the top level of the tree; the report does not link it to PID 3056)
  command line: C:\Windows\QQ.exe
  PID: 1888
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  (child of C:\Windows\QQ.exe, PID 1888)
    command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" 64797
    PID: 1600
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious use of FindShellTrayWindow
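The signature tables and the process tree above list the drop of C:\Windows\QQ.exe, its execution as PID 1888, the SetThreadContext and six WriteProcessMemory calls from 1888 into its child IEXPLORE.EXE (PID 1600), and the NLS\Language key reads as separate findings. The script below is an added example for this page (not tria.ge code and not part of the sample) that correlates those events into the three questions an analyst actually asks: which dropped file was later executed, which process both wrote into and re-pointed a thread of another process (the API pair characteristic of process hollowing), and which images probed the system language. EVENTS is constructed by hand from the report's tables; the Event field names and the API labels are this script's own convention, not a tria.ge export format.

```python
"""Correlate sandbox behaviour events into the findings a report lists separately:
a file dropped into the Windows directory and then executed, a process that writes
into and resets a thread context of another process, and the NLS language probe.

Added example, not tria.ge code. EVENTS is constructed by hand from the report
above; the Event fields and API labels are this script's naming convention.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAMPLE = "30252ad68194a240a0687b15c12f69c7_JaffaCakes118.exe"
LANG_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"


@dataclass(frozen=True)
class Event:
    api: str                          # API family label (this script's naming)
    pid: int                          # calling process
    process: str                      # image name of the caller
    target_pid: Optional[int] = None  # process acted upon, for cross-process APIs
    detail: str = ""                  # file path, registry key, or image path


# Constructed from the report's signature tables and process tree (in order).
EVENTS: List[Event] = [
    Event("CreateFile", 3056, SAMPLE, None, r"C:\Windows\QQ.exe"),
    Event("RegOpenKey", 3056, SAMPLE, None, LANG_KEY),
    Event("ProcessStart", 1888, "QQ.exe", None, r"C:\Windows\QQ.exe"),
    Event("RegOpenKey", 1888, "QQ.exe", None, LANG_KEY),
    Event("SetThreadContext", 1888, "QQ.exe", 1600),
    *[Event("WriteProcessMemory", 1888, "QQ.exe", 1600) for _ in range(6)],
    Event("RegOpenKey", 1600, "IEXPLORE.EXE", None, LANG_KEY),
]
# child pid -> parent pid, from the report's process tree
PROCESS_TREE: Dict[int, int] = {1600: 1888}


def dropped_then_executed(events: List[Event]) -> List[Tuple[str, int, int]]:
    """(path, dropper pid, executing pid) for files written by one process and
    later started as a process image. Order matters: the drop must precede the start."""
    created: Dict[str, int] = {}
    hits: List[Tuple[str, int, int]] = []
    for e in events:
        key = e.detail.lower()
        if e.api == "CreateFile":
            created.setdefault(key, e.pid)
        elif e.api == "ProcessStart" and key in created:
            hits.append((e.detail, created[key], e.pid))
    return hits


def injection_candidates(events: List[Event], tree: Dict[int, int]) -> Dict[Tuple[int, int], List[str]]:
    """{(injector, target): reasons} where one process both wrote into another
    process and reset a thread context there. A CreateProcess with
    CREATE_SUSPENDED is not among the report's IoCs, so this keys only on the two
    API families the report exposes; treat a hit as a candidate to confirm by
    dumping the target's memory, not as proof of hollowing."""
    apis: Dict[Tuple[int, int], Counter] = defaultdict(Counter)
    for e in events:
        if e.target_pid is not None and e.target_pid != e.pid:
            apis[(e.pid, e.target_pid)][e.api] += 1
    hits: Dict[Tuple[int, int], List[str]] = {}
    for pair, counts in apis.items():
        if counts["SetThreadContext"] and counts["WriteProcessMemory"]:
            reasons = [f"{counts['WriteProcessMemory']} WriteProcessMemory + "
                       f"{counts['SetThreadContext']} SetThreadContext on another process"]
            if tree.get(pair[1]) == pair[0]:
                reasons.append("target is the caller's own child")
            hits[pair] = reasons
    return hits


def language_probes(events: List[Event]) -> List[str]:
    """Image names that opened the NLS Language key (System Language Discovery)."""
    return sorted({e.process for e in events
                   if e.api == "RegOpenKey" and e.detail.upper().endswith(r"\NLS\LANGUAGE")})


if __name__ == "__main__":
    print("dropped then executed:", dropped_then_executed(EVENTS))
    print("injection candidates:", injection_candidates(EVENTS, PROCESS_TREE))
    print("language probes:", language_probes(EVENTS))
```

Run against the constructed events, the script reports C:\Windows\QQ.exe as dropped by 3056 and started as 1888, flags the pair (1888, 1600) with six writes plus one thread-context reset on its own child, and lists all three images as having read the language key. The parent-child check is deliberately a second reason rather than a requirement, since the pattern is equally suspicious against an unrelated process.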
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 368KB
MD5: 30252ad68194a240a0687b15c12f69c7
SHA1: 8e8ecd4c929d87605eee5f3fa178024bb30d13da
SHA256: dd93f62a5686560cd10e1fd8fda31fd839352ab73831637591eb73be8cf57884
SHA512: 8d3923926a830e084c1671ba69a63f4becc271506f68571548e21405f85a90acc642f6785033c9f80b39b5ea72df6556d03aad85e33aabef6c49130f690e0e3e