Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
147s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
11/10/2024, 19:36
Static task
static1
Behavioral task
behavioral1
Sample
36797ec026ef56a9ec2be58f804a11af_JaffaCakes118.exe
Resource
win7-20241010-en
General
-
Target
36797ec026ef56a9ec2be58f804a11af_JaffaCakes118.exe
-
Size
850KB
-
MD5
36797ec026ef56a9ec2be58f804a11af
-
SHA1
a6e03ddc21b97c6ef50ee69ec95b008fbda67e4d
-
SHA256
ffb4062f3105628be393872c098765b9a7736911cb8fee4ff571b006a891c8a8
-
SHA512
d4a3aad5560b683fc05b4ec48399bf6412e233bcece7396377f0684b206f5818b918c3fd73bf108371b361d1361882a1a7fdcd40fea0104de06f94c43a1764f4
-
SSDEEP
24576:iDZPpbcn+nTZkINpPTE0v1HVp6CHJnhM0:4xtcnc9hfv1HGs+0
Malware Config
Extracted
xloader
2.3
m6b5
ixtarbelize.com
pheamal.com
daiyncc.com
staydoubted.com
laagerlitigation.club
sukrantastansakarya.com
esupport.ltd
vetscontracting.net
themuslimlife.coach
salmanairs.com
somatictherapyservices.com
lastminuteminister.com
comunicarbuenosaires.com
kazuya.tech
insightlyservicedev.com
redevelopment38subhashnagar.com
thefutureinvestor.com
simplysu.com
lagu45.com
livingstonpistolpermit.com
youngedbg.club
askmeboost.com
hizmetbasvuru-girisi.com
fourteenfoodsdq.net
discoglosse.com
shareusall.com
armseducationassociates.com
twilio123.com
hofmann.red
autoanyway.com
duckvlog.com
raceleagues.com
foleyautomotivehydraulics.com
foreverbefaithfultoyou.com
junrui-tech.com
angelinateofilovic.com
justinandsarahgetmarried.com
carlsmithcarlsmith.com
novopeugeot208.com
citestftcwaut17.com
theproductivitygroup.com
cohen-asset.com
trumpismysugardaddy.com
wishcida.com
buncheese.com
dietrichcompanies.com
zafav.xyz
commodore-gravel.com
juport.men
hyanggips.com
aliyunwangpan.com
nuturessoap.com
networksloss.club
blackcouplesofhtown.com
saadiawhite.net
girasmboize.com
melissabelmontefotografias.com
landprorentals.com
bonacrypto.com
meeuba.com
lknstump.com
iregentos.info
linguisticpartner.com
mpsaklera.com
inverservi.com
Signatures
-
Xloader payload 3 IoCs
resource yara_rule behavioral1/memory/3012-14-0x0000000000400000-0x0000000000429000-memory.dmp xloader behavioral1/memory/3012-19-0x0000000000400000-0x0000000000429000-memory.dmp xloader behavioral1/memory/1632-24-0x0000000000080000-0x00000000000A9000-memory.dmp xloader -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 2700 set thread context of 3012 2700 36797ec026ef56a9ec2be58f804a11af_JaffaCakes118.exe 32 PID 3012 set thread context of 1192 3012 RegSvcs.exe 21 PID 1632 set thread context of 1192 1632 netsh.exe 21 -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 36797ec026ef56a9ec2be58f804a11af_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Suspicious behavior: EnumeratesProcesses 25 IoCs
pid Process 2700 36797ec026ef56a9ec2be58f804a11af_JaffaCakes118.exe 2700 36797ec026ef56a9ec2be58f804a11af_JaffaCakes118.exe 2700 36797ec026ef56a9ec2be58f804a11af_JaffaCakes118.exe 3012 RegSvcs.exe 3012 RegSvcs.exe 1632 netsh.exe 1632 netsh.exe 1632 netsh.exe 1632 netsh.exe 1632 netsh.exe 1632 netsh.exe 1632 netsh.exe 1632 netsh.exe 1632 netsh.exe 1632 netsh.exe 1632 netsh.exe 1632 netsh.exe 1632 netsh.exe 1632 netsh.exe 1632 netsh.exe 1632 netsh.exe 1632 netsh.exe 1632 netsh.exe 1632 netsh.exe 1632 netsh.exe -
Suspicious behavior: MapViewOfSection 5 IoCs
pid Process 3012 RegSvcs.exe 3012 RegSvcs.exe 3012 RegSvcs.exe 1632 netsh.exe 1632 netsh.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 2700 36797ec026ef56a9ec2be58f804a11af_JaffaCakes118.exe Token: SeDebugPrivilege 3012 RegSvcs.exe Token: SeDebugPrivilege 1632 netsh.exe -
Suspicious use of WriteProcessMemory 25 IoCs
description pid Process procid_target PID 2700 wrote to memory of 2280 2700 36797ec026ef56a9ec2be58f804a11af_JaffaCakes118.exe 31 PID 2700 wrote to memory of 2280 2700 36797ec026ef56a9ec2be58f804a11af_JaffaCakes118.exe 31 PID 2700 wrote to memory of 2280 2700 36797ec026ef56a9ec2be58f804a11af_JaffaCakes118.exe 31 PID 2700 wrote to memory of 2280 2700 36797ec026ef56a9ec2be58f804a11af_JaffaCakes118.exe 31 PID 2700 wrote to memory of 2280 2700 36797ec026ef56a9ec2be58f804a11af_JaffaCakes118.exe 31 PID 2700 wrote to memory of 2280 2700 36797ec026ef56a9ec2be58f804a11af_JaffaCakes118.exe 31 PID 2700 wrote to memory of 2280 2700 36797ec026ef56a9ec2be58f804a11af_JaffaCakes118.exe 31 PID 2700 wrote to memory of 3012 2700 36797ec026ef56a9ec2be58f804a11af_JaffaCakes118.exe 32 PID 2700 wrote to memory of 3012 2700 36797ec026ef56a9ec2be58f804a11af_JaffaCakes118.exe 32 PID 2700 wrote to memory of 3012 2700 36797ec026ef56a9ec2be58f804a11af_JaffaCakes118.exe 32 PID 2700 wrote to memory of 3012 2700 36797ec026ef56a9ec2be58f804a11af_JaffaCakes118.exe 32 PID 2700 wrote to memory of 3012 2700 36797ec026ef56a9ec2be58f804a11af_JaffaCakes118.exe 32 PID 2700 wrote to memory of 3012 2700 36797ec026ef56a9ec2be58f804a11af_JaffaCakes118.exe 32 PID 2700 wrote to memory of 3012 2700 36797ec026ef56a9ec2be58f804a11af_JaffaCakes118.exe 32 PID 2700 wrote to memory of 3012 2700 36797ec026ef56a9ec2be58f804a11af_JaffaCakes118.exe 32 PID 2700 wrote to memory of 3012 2700 36797ec026ef56a9ec2be58f804a11af_JaffaCakes118.exe 32 PID 2700 wrote to memory of 3012 2700 36797ec026ef56a9ec2be58f804a11af_JaffaCakes118.exe 32 PID 1192 wrote to memory of 1632 1192 Explorer.EXE 57 PID 1192 wrote to memory of 1632 1192 Explorer.EXE 57 PID 1192 wrote to memory of 1632 1192 Explorer.EXE 57 PID 1192 wrote to memory of 1632 1192 Explorer.EXE 57 PID 1632 wrote to memory of 1716 1632 netsh.exe 58 PID 1632 wrote to memory of 1716 1632 netsh.exe 58 PID 1632 wrote to memory of 1716 1632 netsh.exe 58 PID 1632 wrote to memory of 1716 1632 netsh.exe 58
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of WriteProcessMemory
PID:1192 -
C:\Users\Admin\AppData\Local\Temp\36797ec026ef56a9ec2be58f804a11af_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\36797ec026ef56a9ec2be58f804a11af_JaffaCakes118.exe"2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"3⤵PID:2280
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3012
-
-
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵PID:496
-
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵PID:1264
-
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵PID:1608
-
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵PID:2172
-
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵PID:2220
-
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵PID:2360
-
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵PID:2112
-
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵PID:2064
-
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵PID:2240
-
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵PID:1724
-
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵PID:2248
-
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵PID:2556
-
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵PID:2212
-
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵PID:2148
-
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵PID:1744
-
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵PID:2068
-
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵PID:2408
-
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵PID:3036
-
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵PID:2288
-
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵PID:3024
-
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵PID:2332
-
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵PID:1864
-
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵PID:1924
-
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵PID:1928
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe"2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Windows\SysWOW64\cmd.exe/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"3⤵
- System Location Discovery: System Language Discovery
PID:1716
-
-