Analysis
- max time kernel: 147s
- max time network: 117s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 16/10/2024, 03:22
Static task: static1
Behavioral task: behavioral1
Sample: 4b32fb4d21ff7225187b42d4c9722dce_JaffaCakes118.exe
Resource: win7-20240903-en
General
- Target: 4b32fb4d21ff7225187b42d4c9722dce_JaffaCakes118.exe
- Size: 1.1MB
- MD5: 4b32fb4d21ff7225187b42d4c9722dce
- SHA1: 331e10b03dc5cf994d3985aea2570f08e2707560
- SHA256: 5131b99eca49a0694073f43f58543781fd6adecc63a0cd643a50686b4d3e001a
- SHA512: d4031c8069d11d78007f215471a982d12ab6059b973477961943dc33d2bf3d0547c95776ebc4b514130964ea9c5e77d2e1b855515c0dea7edf3498e501e2531d
- SSDEEP: 12288:2Gy2V8gP2iNdmth0+QHU6fm5LJHdkhjn+IZjxwRyCVWHz3T/J4GLIh+wT4P:b1yh0+CcFdyjSkCVm/Jql0
Malware Config
Extracted
xloader
2.3
w56m
Signatures
-
Xloader payload 4 IoCs
- resource behavioral1/memory/2560-17-0x0000000000400000-0x0000000000429000-memory.dmp, yara_rule xloader
- resource behavioral1/memory/2560-21-0x0000000000400000-0x0000000000429000-memory.dmp, yara_rule xloader
- resource behavioral1/memory/2560-25-0x0000000000400000-0x0000000000429000-memory.dmp, yara_rule xloader
- resource behavioral1/memory/2664-31-0x00000000000D0000-0x00000000000F9000-memory.dmp, yara_rule xloader
Suspicious use of SetThreadContext 4 IoCs
- PID 3052 set thread context of 2560 (pid 3052, 4b32fb4d21ff7225187b42d4c9722dce_JaffaCakes118.exe, procid_target 34)
- PID 2560 set thread context of 1204 (pid 2560, RegSvcs.exe, procid_target 21)
- PID 2560 set thread context of 1204 (pid 2560, RegSvcs.exe, procid_target 21)
- PID 2664 set thread context of 1204 (pid 2664, cmstp.exe, procid_target 21)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (4b32fb4d21ff7225187b42d4c9722dce_JaffaCakes118.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (schtasks.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (RegSvcs.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmstp.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
- pid 2780, Process schtasks.exe
Suspicious behavior: EnumeratesProcesses 24 IoCs
- pid 3052, Process 4b32fb4d21ff7225187b42d4c9722dce_JaffaCakes118.exe (2 occurrences)
- pid 2560, Process RegSvcs.exe (3 occurrences)
- pid 2664, Process cmstp.exe (19 occurrences)
Suspicious behavior: MapViewOfSection 6 IoCs
- pid 2560, Process RegSvcs.exe (4 occurrences)
- pid 2664, Process cmstp.exe (2 occurrences)
Suspicious use of AdjustPrivilegeToken 3 IoCs
- Token: SeDebugPrivilege (pid 3052, 4b32fb4d21ff7225187b42d4c9722dce_JaffaCakes118.exe)
- Token: SeDebugPrivilege (pid 2560, RegSvcs.exe)
- Token: SeDebugPrivilege (pid 2664, cmstp.exe)
Suspicious use of WriteProcessMemory 32 IoCs
- PID 3052 wrote to memory of 2780 (pid 3052, 4b32fb4d21ff7225187b42d4c9722dce_JaffaCakes118.exe, procid_target 31; 4 occurrences)
- PID 3052 wrote to memory of 2564 (pid 3052, 4b32fb4d21ff7225187b42d4c9722dce_JaffaCakes118.exe, procid_target 33; 7 occurrences)
- PID 3052 wrote to memory of 2560 (pid 3052, 4b32fb4d21ff7225187b42d4c9722dce_JaffaCakes118.exe, procid_target 34; 10 occurrences)
- PID 2560 wrote to memory of 2664 (pid 2560, RegSvcs.exe, procid_target 35; 7 occurrences)
- PID 2664 wrote to memory of 1768 (pid 2664, cmstp.exe, procid_target 36; 4 occurrences)
Processes
- C:\Windows\Explorer.EXE (PID 1204)
  - C:\Users\Admin\AppData\Local\Temp\4b32fb4d21ff7225187b42d4c9722dce_JaffaCakes118.exe, command line: "C:\Users\Admin\AppData\Local\Temp\4b32fb4d21ff7225187b42d4c9722dce_JaffaCakes118.exe" (PID 3052)
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe, command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RkaONosqCQHta" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7BA5.tmp" (PID 2780)
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" (PID 2564)
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" (PID 2560)
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmstp.exe, command line: "C:\Windows\SysWOW64\cmstp.exe" (PID 2664)
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\cmd.exe, command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" (PID 1768)
          - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
- MD5: d61992439b88664854fd3192c1a6d053
- SHA1: eb955410bd9298b31a749ec85603427b5424d224
- SHA256: 4add94e4881825d61c04be7c961de367d0080737d8a07f70b05055b797634cb7
- SHA512: cc364aea05dce6adb6e0eeb0555175e7cd2e92cb6af743d5b3437754e0c67083f02e3d132d0685ef6d64c99fe0c497c3379c7ab5da43de9284a7bf62cf1c45d8