Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 147s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 11/10/2024, 07:38

Static task: static1
Behavioral task: behavioral1
- Sample: 33ea695c5aae0047ddbd1144eeba659a_JaffaCakes118.exe
- Resource: win7-20241010-en

General
- Target: 33ea695c5aae0047ddbd1144eeba659a_JaffaCakes118.exe
- Size: 745KB
- MD5: 33ea695c5aae0047ddbd1144eeba659a
- SHA1: 0d1c55bd6977533133e285f4820c141e33dee792
- SHA256: 13fe4c9b3cf5ae9a331e296d91c684470db23be83e0a981cdfe48d5d08b197bf
- SHA512: b80e9bba56b136e733845564ad6c7242e5a37239aafb6f1a093708d09b8d8741db247766288435f4bf6606265d913b0636cdbeffa8498ebc6200bdc124440d45
- SSDEEP: 12288:HFUk4olor5jDTi3KT8BmPJeXnomQY4CDWOvngDFHSYi0HK7zGzJym19oSuj+u76F:wzwQJeKYXlYkIyXSuSs9/Zs9cQrumQHk
Malware Config
Extracted
nanocore 1.2.2.0
bohemianbenz.ddns.net:6060
127.0.0.1:6060
4c660600-2810-4cf6-8702-7937ab2e690a
- activate_away_mode: true
- backup_connection_host: 127.0.0.1
- backup_dns_server: 37.235.1.177
- buffer_size: 65535
- build_time: 2021-04-12T20:37:58.074750536Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 6060
- default_group: ODINSGATE
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 4c660600-2810-4cf6-8702-7937ab2e690a
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: bohemianbenz.ddns.net
- primary_dns_server: 37.235.1.174
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Command and Scripting Interpreter: PowerShell (1 TTPs, 3 IoCs)
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  - PID 1388 powershell.exe
  - PID 684 powershell.exe
  - PID 1700 powershell.exe
- Unexpected DNS network traffic destination (7 IoCs)
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  - Destination IP 37.235.1.177
  - Destination IP 37.235.1.174
  - Destination IP 37.235.1.177
  - Destination IP 37.235.1.174
  - Destination IP 37.235.1.174
  - Destination IP 37.235.1.174
  - Destination IP 37.235.1.177
- Adds Run key to start application (2 TTPs, 1 IoCs)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DSL Manager = "C:\\Program Files (x86)\\DSL Manager\\dslmgr.exe" (process: 33ea695c5aae0047ddbd1144eeba659a_JaffaCakes118.exe)
- Checks whether UAC is enabled
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: 33ea695c5aae0047ddbd1144eeba659a_JaffaCakes118.exe)
- Suspicious use of SetThreadContext (1 IoCs)
  - PID 2884 set thread context of 2656 (process: 33ea695c5aae0047ddbd1144eeba659a_JaffaCakes118.exe, procid_target 39)
- Drops file in Program Files directory (2 IoCs)
  - File created: C:\Program Files (x86)\DSL Manager\dslmgr.exe (process: 33ea695c5aae0047ddbd1144eeba659a_JaffaCakes118.exe)
  - File opened for modification: C:\Program Files (x86)\DSL Manager\dslmgr.exe (process: 33ea695c5aae0047ddbd1144eeba659a_JaffaCakes118.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 33ea695c5aae0047ddbd1144eeba659a_JaffaCakes118.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: powershell.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: powershell.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: schtasks.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 33ea695c5aae0047ddbd1144eeba659a_JaffaCakes118.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: powershell.exe)
- Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  - PID 1484 schtasks.exe
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  - PID 2884 33ea695c5aae0047ddbd1144eeba659a_JaffaCakes118.exe
  - PID 684 powershell.exe
  - PID 1700 powershell.exe
  - PID 1388 powershell.exe
  - PID 2656 33ea695c5aae0047ddbd1144eeba659a_JaffaCakes118.exe
  - PID 2656 33ea695c5aae0047ddbd1144eeba659a_JaffaCakes118.exe
  - PID 2656 33ea695c5aae0047ddbd1144eeba659a_JaffaCakes118.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  - PID 2656 33ea695c5aae0047ddbd1144eeba659a_JaffaCakes118.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  - Token: SeDebugPrivilege, PID 2884 33ea695c5aae0047ddbd1144eeba659a_JaffaCakes118.exe
  - Token: SeDebugPrivilege, PID 684 powershell.exe
  - Token: SeDebugPrivilege, PID 1700 powershell.exe
  - Token: SeDebugPrivilege, PID 1388 powershell.exe
  - Token: SeDebugPrivilege, PID 2656 33ea695c5aae0047ddbd1144eeba659a_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (25 IoCs)
  All 25 entries have PID 2884 (33ea695c5aae0047ddbd1144eeba659a_JaffaCakes118.exe) as the writing process; procid_target is the index of the target in the process tree.
  - PID 2884 wrote to memory of 1388 (procid_target 31): 4 entries
  - PID 2884 wrote to memory of 684 (procid_target 33): 4 entries
  - PID 2884 wrote to memory of 1484 (procid_target 35): 4 entries
  - PID 2884 wrote to memory of 1700 (procid_target 37): 4 entries
  - PID 2884 wrote to memory of 2656 (procid_target 39): 9 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\33ea695c5aae0047ddbd1144eeba659a_JaffaCakes118.exe (PID 2884)
  Command line: "C:\Users\Admin\AppData\Local\Temp\33ea695c5aae0047ddbd1144eeba659a_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1388)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\33ea695c5aae0047ddbd1144eeba659a_JaffaCakes118.exe"
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 684)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\enujwiWPdhq.exe"
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (PID 1484)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\enujwiWPdhq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1564.tmp"
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1700)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\enujwiWPdhq.exe"
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\33ea695c5aae0047ddbd1144eeba659a_JaffaCakes118.exe (PID 2656)
    Command line: "C:\Users\Admin\AppData\Local\Temp\33ea695c5aae0047ddbd1144eeba659a_JaffaCakes118.exe"
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
- Execution
  - Command and Scripting Interpreter (1): PowerShell (1)
  - Scheduled Task/Job (1): Scheduled Task (1)
- Persistence
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  - Scheduled Task/Job (1): Scheduled Task (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  - Scheduled Task/Job (1): Scheduled Task (1)
Downloads
- Filesize: 1KB
  MD5: 73aef88715520874991e50c9c81ced6a
  SHA1: 9e853658a143d280721cfcf3b2681ab5871864f3
  SHA256: 6e86c0f3c7362282eb0848c7a659ce7ad61b7c4ccdcf2be283967fdc331f6824
  SHA512: 1a72751c9273a6ff91f2847d05e36f56a3058d7143f6f59de7cfe7c5091ab831aed406416e3691abb501b798ef8443d053f22d0e042ce82da1eed96bc29f891f
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\G9F5RO6F6UA4VK33HWI4.temp
  Filesize: 7KB
  MD5: 17f91c05cfbcdfc609dc64f0daead299
  SHA1: 97dcd0fac205bca7efe40b66f70b76a6acabf8ce
  SHA256: 85ee9acc0be07f53e7695bdd49e0024adca18604354669c68130a3f8dfd21265
  SHA512: 1a4160bf2d6b54e97a1dbc9a2ea6609d01dd0105400bd46a51c1759da92b2124c06b171974e4f54d730aa5aa6b2a6e03555d10374527521512fb047ce72fb988