Site notice (tria.ge): Windows 7 will be removed from tria.ge on 2025-03-31.
Analysis
  max time kernel: 150s
  max time network: 151s
  platform: windows7_x64
  resource: win7-20240903-en
  resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted: 17/10/2024, 15:11
Static task: static1
Behavioral task: behavioral1
  Sample: 527815185e0a77f67985e4ad34a3aca6_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 527815185e0a77f67985e4ad34a3aca6_JaffaCakes118.exe
  Resource: win10v2004-20241007-en

The signatures, process tree and dropped files below come from the windows7_x64 run (behavioral1, resource win7-20240903-en); the Windows 10 run (behavioral2) is not shown on this page.
General
  Target: 527815185e0a77f67985e4ad34a3aca6_JaffaCakes118.exe
  Size: 167KB
  MD5: 527815185e0a77f67985e4ad34a3aca6
  SHA1: c67957d87d9291ee58c31d33c939965fc3cfc7ef
  SHA256: fa7059596ae2d973ceb94c161a1d781dbff61907f48e227bfb47dd4bbcf4c759
  SHA512: 130884d8268359681e16322647c1a363fcadeddf145c922f8f701bc5ceb6024a52a6154fc0051be489e6be3e06e62d97f15a33e4a195cb45f6174c02e1a6de53
  SSDEEP: 3072:+xY9O7jUpFUMMnMMMMMX7I7D6KGKdKTQO15+HCcoZsjh64uFuN0Cjmj36z0Nwaad:fOfUoMMnMMMMMaNGKmxFZw64+6s6z0Hw
Malware Config
Signatures

Deletes itself (1 IoC)
  pid | Process
  944 | cmd.exe

Executes dropped EXE (1 IoC)
  pid | Process
  2764 | hory.exe

Loads dropped DLL (1 IoC)
  pid | Process
  2268 | 527815185e0a77f67985e4ad34a3aca6_JaffaCakes118.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\{D553EB57-3288-6D1C-6BEC-64AE4CE41D8B} = "C:\\Users\\Admin\\AppData\\Roaming\\Holoni\\hory.exe" | hory.exe
  The dropped executable registers itself under a GUID-named value in the current user's Run key, so it persists across logons without needing administrator rights.

Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 2268 set thread context of 944 | 2268 | 527815185e0a77f67985e4ad34a3aca6_JaffaCakes118.exe | 33
  The target, PID 944, is the cmd.exe child that runs the temporary batch file (see "Deletes itself" and the process tree); the same parent also wrote to its memory nine times (see "Suspicious use of WriteProcessMemory" below).

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hory.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 527815185e0a77f67985e4ad34a3aca6_JaffaCakes118.exe

Modifies Internet Explorer settings (2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Privacy | 527815185e0a77f67985e4ad34a3aca6_JaffaCakes118.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0" | 527815185e0a77f67985e4ad34a3aca6_JaffaCakes118.exe

NTFS ADS (1 IoC)
  description | ioc | Process
  File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\002773BA-00000001.eml:OECustomProperty | WinMail.exe

Suspicious behavior: EnumeratesProcesses (47 IoCs)
  pid | Process | entries
  2268 | 527815185e0a77f67985e4ad34a3aca6_JaffaCakes118.exe | 2
  2764 | hory.exe | 45

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | Process | entries
  Token: SeSecurityPrivilege | 2268 | 527815185e0a77f67985e4ad34a3aca6_JaffaCakes118.exe | 3
  Token: SeManageVolumePrivilege | 484 | WinMail.exe | 1

Suspicious use of FindShellTrayWindow (1 IoC)
  pid | Process
  484 | WinMail.exe

Suspicious use of SendNotifyMessage (1 IoC)
  pid | Process
  484 | WinMail.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  484 | WinMail.exe

  The NTFS ADS, SeManageVolumePrivilege, FindShellTrayWindow, SendNotifyMessage and SetWindowsHookEx entries all belong to PID 484, a Windows Mail process started through COM activation ("-Embedding" in the process tree). The report records no write into that process by the sample or by hory.exe, so treat these entries as host activity in the sandbox image rather than as sample behaviour unless other evidence links them.

Suspicious use of WriteProcessMemory (64 IoCs)
  The report lists one row per write; identical rows are grouped here with a count. The last target (PID 264) appears once where every other hory.exe target appears five times, consistent with the listing being cut off at 64 entries.
  source pid | Process | target pid | procid_target | writes
  2268 | 527815185e0a77f67985e4ad34a3aca6_JaffaCakes118.exe | 2764 | 31 | 4
  2764 | hory.exe | 1072 | 18 | 5
  2764 | hory.exe | 1132 | 19 | 5
  2764 | hory.exe | 1196 | 21 | 5
  2764 | hory.exe | 280 | 25 | 5
  2764 | hory.exe | 2268 | 30 | 5
  2268 | 527815185e0a77f67985e4ad34a3aca6_JaffaCakes118.exe | 944 | 33 | 9
  2764 | hory.exe | 2876 | 35 | 5
  2764 | hory.exe | 1188 | 36 | 5
  2764 | hory.exe | 2576 | 37 | 5
  2764 | hory.exe | 1784 | 38 | 5
  2764 | hory.exe | 2104 | 39 | 5
  2764 | hory.exe | 264 | 40 | 1
  Read together with the process tree: the sample (2268) writes into the child it spawned (hory.exe, 2764) and into the cmd.exe it spawned (944, also the SetThreadContext target), while hory.exe writes into processes it did not create, including taskhost.exe, Dwm.exe, Explorer.EXE, its own parent and a series of DllHost.exe instances.
Processes

Each entry gives the image path, the command line in parentheses, and the PID; indentation shows the parent/child relationship, and the signature names under an entry are the ones the report attributes to that process.

- C:\Windows\system32\taskhost.exe ("taskhost.exe") PID:1072
- C:\Windows\system32\Dwm.exe ("C:\Windows\system32\Dwm.exe") PID:1132
- C:\Windows\Explorer.EXE (C:\Windows\Explorer.EXE) PID:1196
  - C:\Users\Admin\AppData\Local\Temp\527815185e0a77f67985e4ad34a3aca6_JaffaCakes118.exe ("C:\Users\Admin\AppData\Local\Temp\527815185e0a77f67985e4ad34a3aca6_JaffaCakes118.exe") PID:2268
    Loads dropped DLL; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Modifies Internet Explorer settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Holoni\hory.exe ("C:\Users\Admin\AppData\Roaming\Holoni\hory.exe") PID:2764
      Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe ("C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpc3671f1e.bat") PID:944
      Deletes itself; System Location Discovery: System Language Discovery
- C:\Windows\system32\DllHost.exe (C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}) PID:280
- C:\Program Files\Windows Mail\WinMail.exe ("C:\Program Files\Windows Mail\WinMail.exe" -Embedding) PID:484
  NTFS ADS; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx
- C:\Windows\system32\DllHost.exe (C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}) PID:2876
- C:\Windows\system32\DllHost.exe (C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}) PID:1188
- C:\Windows\system32\DllHost.exe (C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}) PID:2576
- C:\Windows\system32\DllHost.exe (C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}) PID:1784
- C:\Windows\system32\DllHost.exe (C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}) PID:2104
- C:\Windows\system32\DllHost.exe (C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}) PID:264
- C:\Windows\system32\DllHost.exe (C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}) PID:1000
- C:\Windows\system32\DllHost.exe (C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}) PID:2344
- C:\Windows\system32\DllHost.exe (C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}) PID:2472
- C:\Windows\system32\DllHost.exe (C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}) PID:2872
- C:\Windows\system32\DllHost.exe (C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}) PID:2500
- C:\Windows\system32\DllHost.exe (C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}) PID:2128
- C:\Windows\system32\DllHost.exe (C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}) PID:1632

Two details worth noting. The cmd.exe child is requested as C:\Windows\system32\cmd.exe but the recorded image is C:\Windows\SysWOW64\cmd.exe, which is the file-system redirection a 32-bit caller gets on a 64-bit Windows, so the sample is running under WoW64. And the thirteen DllHost.exe instances share one CLSID; hory.exe is recorded writing into the first six of them (2876, 1188, 2576, 1784, 2104, 264), which is where the 64-entry WriteProcessMemory listing ends.
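The WriteProcessMemory and SetThreadContext tables only make sense against the process tree: a parent that creates a child, writes into it and then resets its thread context is the process-hollowing pattern, while writes into processes the writer never created are cross-process injection. The script below is an added example by the editor, not code from the report or from Triage. Its PROCESSES, WRITE_PROCESS_MEMORY and SET_THREAD_CONTEXT tables are transcribed from this report (constructed data; top-level processes are given no parent because the tree shows none), and the two heuristics are the editor's own, not Triage's signature logic.

```python
"""Correlate sandbox process events into injection findings (editor's example)."""
from collections import Counter, defaultdict

# Process tree from the report: pid -> (image name, parent pid or None).
# Parents follow the tree's nesting: the sample sits under Explorer.EXE,
# hory.exe and cmd.exe under the sample. Top-level processes have no
# recorded parent in the report, so they get None (assumption).
PROCESSES = {
    1072: ("taskhost.exe", None),
    1132: ("Dwm.exe", None),
    1196: ("Explorer.EXE", None),
    2268: ("527815185e0a77f67985e4ad34a3aca6_JaffaCakes118.exe", 1196),
    2764: ("hory.exe", 2268),
    944:  ("cmd.exe", 2268),
    280:  ("DllHost.exe", None),
    484:  ("WinMail.exe", None),
    2876: ("DllHost.exe", None),
    1188: ("DllHost.exe", None),
    2576: ("DllHost.exe", None),
    1784: ("DllHost.exe", None),
    2104: ("DllHost.exe", None),
    264:  ("DllHost.exe", None),
}

# (source pid, target pid, number of writes) from the WriteProcessMemory table.
WRITE_PROCESS_MEMORY = [
    (2268, 2764, 4),
    (2764, 1072, 5), (2764, 1132, 5), (2764, 1196, 5), (2764, 280, 5),
    (2764, 2268, 5),
    (2268, 944, 9),
    (2764, 2876, 5), (2764, 1188, 5), (2764, 2576, 5), (2764, 1784, 5),
    (2764, 2104, 5), (2764, 264, 1),
]

# (source pid, target pid) from the SetThreadContext table.
SET_THREAD_CONTEXT = [(2268, 944)]


def hollowing_candidates(processes, writes, ctx_sets):
    """Parent creates child, writes into it, then sets its thread context.
    That is the process-hollowing sequence (suspended child, image replaced,
    entry point redirected). Returns a list of (parent, child, child image).
    Heuristic only: a debugger or a parent passing data to a child can
    produce the same events, so confirm with memory analysis."""
    written = {(src, dst) for src, dst, _ in writes}
    found = []
    for src, dst in ctx_sets:
        image, parent = processes.get(dst, ("<unknown>", None))
        if parent == src and (src, dst) in written:
            found.append((src, dst, image))
    return found


def foreign_injections(processes, writes):
    """Writes into processes the writer did not create (cross-process
    injection). Returns {writer pid: sorted [(target pid, image, writes)]}."""
    found = defaultdict(list)
    for src, dst, n in writes:
        image, parent = processes.get(dst, ("<unknown>", None))
        if parent != src:
            found[src].append((dst, image, n))
    return {src: sorted(targets) for src, targets in found.items()}


def write_targets_by_image(processes, writes):
    """Count distinct target processes per image name; this makes the spray
    across many DllHost.exe instances stand out."""
    seen = set()
    counts = Counter()
    for _, dst, _ in writes:
        if dst in seen:
            continue
        seen.add(dst)
        image, _ = processes.get(dst, ("<unknown>", None))
        counts[image] += 1
    return dict(counts)


if __name__ == "__main__":
    for src, dst, image in hollowing_candidates(PROCESSES, WRITE_PROCESS_MEMORY, SET_THREAD_CONTEXT):
        print(f"hollowing candidate: {src} -> {dst} ({image})")
    for src, targets in foreign_injections(PROCESSES, WRITE_PROCESS_MEMORY).items():
        print(f"pid {src} ({PROCESSES[src][0]}) wrote into {len(targets)} processes it did not create:")
        for dst, image, n in targets:
            print(f"  {dst:>5} {image} ({n} writes)")
    print(write_targets_by_image(PROCESSES, WRITE_PROCESS_MEMORY))
```

On this report the first heuristic returns exactly one pair, 2268 into 944 (cmd.exe), and the second attributes eleven foreign targets to hory.exe, including its own parent and seven DllHost.exe instances. The same functions work on any sandbox's process and write events once they are normalised to the same three tables.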
Network
MITRE ATT&CK Enterprise v15
Downloads

Only the first entry carries a path in the report; the others are listed by size and hash alone.

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 832348e5dd44eb7133629cbc881cff61
  SHA1: bc1231b87994af69f8acb6e1c3c1cdf0c429bf03
  SHA256: fabc2e33c3f3c31e1f7ab75162af53225236ac3aa3421e217787dbe6ce26fae3
  SHA512: 197c45091d5fb720b971e076d57f2d7541ce0d5dcd2e7eb4ae8290ea6da82ac6dee9b7ce415b7ad287346f3557d13d1fe3b557a0282ee9eb7ae0b5ca0d0f34ac
- (path not shown in report)
  Filesize: 2.0MB
  MD5: 7dfd3e9fbfdf3892f579dd4bddd976da
  SHA1: 50fe3ab4a14f252a85dfe76a05abd2bd92dc6921
  SHA256: 06b3efe47953c2b41a57c79cc0f9a93dfef12bd8ac18e233e6b978ecd45f4e61
  SHA512: 09015c39840148ea538d8fbe95eebed2cae6fcf85b37c809540d2ce4c645b1f34100575930f0cd09e28716a73d67e8933fc65fc6ed3d5d4ecfdcaf7a14505355
- (path not shown in report)
  Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
- (path not shown in report)
  Filesize: 271B
  MD5: 5e0bae81d9c322af4109cf4ff0e5602e
  SHA1: 1ccba979513a09aadefd2f18751e7a45bd85ba66
  SHA256: 4ec9ae6b72869da9235d65f81b09827bd093b73cdf6a2b028fe808d8a0cb1696
  SHA512: 068c99509898b15b565e2fb5aae55f8d2f1b71dfd13515c72a0b73d1d0dfbc2a28b250d39d009a8a7ce88878811a3d8b984688869715aff86797be1040c64582
- (path not shown in report)
  Filesize: 380B
  MD5: 59feb56fd0351742c52d932152c0ad60
  SHA1: 1ab58ac6571948eb17cb23d427b61c2c56bf149b
  SHA256: 53714750bba9eb01abdf6f534d892793d68ae1e239dec261850b0960999aa4d3
  SHA512: 542dd1725e39938ee9ae5fe43ac6e331f082ed450cd4834d2aa9626a6abc94e6a5434e881ad5daf8b6168e27de5ee1659b719d160268c47d04a3f8ded3ce0f67
- (path not shown in report)
  Filesize: 167KB
  MD5: 3fa24363faf122710cef4c767b87ae2f
  SHA1: 82f7b9d4af105719b90e0a07081f5f1631d2facd
  SHA256: d0cad2a4810291ee73721a3dc087805b0719f902fcad0a45ce42b682f5ffa8ca
  SHA512: 1088a0db8197f8987be7ec394f96bdbd49dfab9a4e02741f2944a148b98cca1d2ab94a884ac04c509fa582192c6e2f8a3f1d79463df431218dd9fd4d970c457f
  This file has the same size as the submitted sample (167KB) but different hashes; the report does not say which dropped file it is, so do not assume it is a byte-identical copy when pivoting on hashes.