Analysis
max time kernel: 148s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/10/2024, 17:37
Behavioral task: behavioral1
Sample: 58b2eccf155b0803ee298040fc71e99b_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: 58b2eccf155b0803ee298040fc71e99b_JaffaCakes118.exe
Size: 501KB
MD5: 58b2eccf155b0803ee298040fc71e99b
SHA1: cc2e0846fc333ba3b0f1ae59a48db7b46b58f568
SHA256: 8f3cda27b0be3d97f13087516187fc0f0c629804f629f048da096a182d3b1751
SHA512: c81a389461f4875aed91608d072ffbb4a6c0a48984e392799cca88a411a520fc48611b6d823fb3705e59c785e7ed718b36a1928d78eb840935e5966feb0feaf1
SSDEEP: 12288:69f5EvvxWEVj1Nsw+seJF3upKzp93OOak4wcrsPg4qFk:6nExWujHsw+seJF3upOphOfVrII4t
Malware Config
Signatures
Modifies firewall policy service (3 TTPs, 10 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\server.exe = "C:\\Users\\Admin\\AppData\\Roaming\\server.exe:*:Enabled:Windows Messanger" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe:*:Enabled:Windows Messanger" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Loads dropped DLL (4 IoCs)
pid | Process
216 | 58b2eccf155b0803ee298040fc71e99b_JaffaCakes118.exe
216 | 58b2eccf155b0803ee298040fc71e99b_JaffaCakes118.exe
216 | 58b2eccf155b0803ee298040fc71e99b_JaffaCakes118.exe
216 | 58b2eccf155b0803ee298040fc71e99b_JaffaCakes118.exe
Uses the VBS compiler for execution (1 TTPs)
Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 216 set thread context of 2452 | 216 | 58b2eccf155b0803ee298040fc71e99b_JaffaCakes118.exe | 89
System Location Discovery: System Language Discovery (1 TTPs, 11 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 58b2eccf155b0803ee298040fc71e99b_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Modifies registry key (1 TTPs, 4 IoCs)
pid | Process
4336 | reg.exe
3136 | reg.exe
1916 | reg.exe
1828 | reg.exe
Suspicious use of AdjustPrivilegeToken (35 IoCs)
description | pid | Process
Token: 1 | 2452 | vbc.exe
Token: SeCreateTokenPrivilege | 2452 | vbc.exe
Token: SeAssignPrimaryTokenPrivilege | 2452 | vbc.exe
Token: SeLockMemoryPrivilege | 2452 | vbc.exe
Token: SeIncreaseQuotaPrivilege | 2452 | vbc.exe
Token: SeMachineAccountPrivilege | 2452 | vbc.exe
Token: SeTcbPrivilege | 2452 | vbc.exe
Token: SeSecurityPrivilege | 2452 | vbc.exe
Token: SeTakeOwnershipPrivilege | 2452 | vbc.exe
Token: SeLoadDriverPrivilege | 2452 | vbc.exe
Token: SeSystemProfilePrivilege | 2452 | vbc.exe
Token: SeSystemtimePrivilege | 2452 | vbc.exe
Token: SeProfSingleProcessPrivilege | 2452 | vbc.exe
Token: SeIncBasePriorityPrivilege | 2452 | vbc.exe
Token: SeCreatePagefilePrivilege | 2452 | vbc.exe
Token: SeCreatePermanentPrivilege | 2452 | vbc.exe
Token: SeBackupPrivilege | 2452 | vbc.exe
Token: SeRestorePrivilege | 2452 | vbc.exe
Token: SeShutdownPrivilege | 2452 | vbc.exe
Token: SeDebugPrivilege | 2452 | vbc.exe
Token: SeAuditPrivilege | 2452 | vbc.exe
Token: SeSystemEnvironmentPrivilege | 2452 | vbc.exe
Token: SeChangeNotifyPrivilege | 2452 | vbc.exe
Token: SeRemoteShutdownPrivilege | 2452 | vbc.exe
Token: SeUndockPrivilege | 2452 | vbc.exe
Token: SeSyncAgentPrivilege | 2452 | vbc.exe
Token: SeEnableDelegationPrivilege | 2452 | vbc.exe
Token: SeManageVolumePrivilege | 2452 | vbc.exe
Token: SeImpersonatePrivilege | 2452 | vbc.exe
Token: SeCreateGlobalPrivilege | 2452 | vbc.exe
Token: 31 | 2452 | vbc.exe
Token: 32 | 2452 | vbc.exe
Token: 33 | 2452 | vbc.exe
Token: 34 | 2452 | vbc.exe
Token: 35 | 2452 | vbc.exe
Suspicious use of SetWindowsHookEx (4 IoCs)
pid | Process
2452 | vbc.exe
2452 | vbc.exe
2452 | vbc.exe
2452 | vbc.exe
Suspicious use of WriteProcessMemory (35 IoCs)
description | pid | Process | procid_target
PID 216 wrote to memory of 2452 | 216 | 58b2eccf155b0803ee298040fc71e99b_JaffaCakes118.exe | 89
PID 216 wrote to memory of 2452 | 216 | 58b2eccf155b0803ee298040fc71e99b_JaffaCakes118.exe | 89
PID 216 wrote to memory of 2452 | 216 | 58b2eccf155b0803ee298040fc71e99b_JaffaCakes118.exe | 89
PID 216 wrote to memory of 2452 | 216 | 58b2eccf155b0803ee298040fc71e99b_JaffaCakes118.exe | 89
PID 216 wrote to memory of 2452 | 216 | 58b2eccf155b0803ee298040fc71e99b_JaffaCakes118.exe | 89
PID 216 wrote to memory of 2452 | 216 | 58b2eccf155b0803ee298040fc71e99b_JaffaCakes118.exe | 89
PID 216 wrote to memory of 2452 | 216 | 58b2eccf155b0803ee298040fc71e99b_JaffaCakes118.exe | 89
PID 216 wrote to memory of 2452 | 216 | 58b2eccf155b0803ee298040fc71e99b_JaffaCakes118.exe | 89
PID 216 wrote to memory of 3656 | 216 | 58b2eccf155b0803ee298040fc71e99b_JaffaCakes118.exe | 90
PID 216 wrote to memory of 3656 | 216 | 58b2eccf155b0803ee298040fc71e99b_JaffaCakes118.exe | 90
PID 216 wrote to memory of 3656 | 216 | 58b2eccf155b0803ee298040fc71e99b_JaffaCakes118.exe | 90
PID 2452 wrote to memory of 436 | 2452 | vbc.exe | 92
PID 2452 wrote to memory of 436 | 2452 | vbc.exe | 92
PID 2452 wrote to memory of 436 | 2452 | vbc.exe | 92
PID 2452 wrote to memory of 4620 | 2452 | vbc.exe | 93
PID 2452 wrote to memory of 4620 | 2452 | vbc.exe | 93
PID 2452 wrote to memory of 4620 | 2452 | vbc.exe | 93
PID 2452 wrote to memory of 116 | 2452 | vbc.exe | 94
PID 2452 wrote to memory of 116 | 2452 | vbc.exe | 94
PID 2452 wrote to memory of 116 | 2452 | vbc.exe | 94
PID 2452 wrote to memory of 1680 | 2452 | vbc.exe | 95
PID 2452 wrote to memory of 1680 | 2452 | vbc.exe | 95
PID 2452 wrote to memory of 1680 | 2452 | vbc.exe | 95
PID 4620 wrote to memory of 4336 | 4620 | cmd.exe | 100
PID 4620 wrote to memory of 4336 | 4620 | cmd.exe | 100
PID 4620 wrote to memory of 4336 | 4620 | cmd.exe | 100
PID 436 wrote to memory of 3136 | 436 | cmd.exe | 101
PID 436 wrote to memory of 3136 | 436 | cmd.exe | 101
PID 436 wrote to memory of 3136 | 436 | cmd.exe | 101
PID 116 wrote to memory of 1916 | 116 | cmd.exe | 102
PID 116 wrote to memory of 1916 | 116 | cmd.exe | 102
PID 116 wrote to memory of 1916 | 116 | cmd.exe | 102
PID 1680 wrote to memory of 1828 | 1680 | cmd.exe | 103
PID 1680 wrote to memory of 1828 | 1680 | cmd.exe | 103
PID 1680 wrote to memory of 1828 | 1680 | cmd.exe | 103
Processes

C:\Users\Admin\AppData\Local\Temp\58b2eccf155b0803ee298040fc71e99b_JaffaCakes118.exe (depth 1, PID 216)
  command line: "C:\Users\Admin\AppData\Local\Temp\58b2eccf155b0803ee298040fc71e99b_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (depth 2, PID 2452)
    command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (depth 3, PID 436)
      command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\reg.exe (depth 4, PID 3136)
        command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - Modifies firewall policy service
        - System Location Discovery: System Language Discovery
        - Modifies registry key

    C:\Windows\SysWOW64\cmd.exe (depth 3, PID 4620)
      command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\reg.exe (depth 4, PID 4336)
        command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f
        - Modifies firewall policy service
        - System Location Discovery: System Language Discovery
        - Modifies registry key

    C:\Windows\SysWOW64\cmd.exe (depth 3, PID 116)
      command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\reg.exe (depth 4, PID 1916)
        command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - Modifies firewall policy service
        - System Location Discovery: System Language Discovery
        - Modifies registry key

    C:\Windows\SysWOW64\cmd.exe (depth 3, PID 1680)
      command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\server.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\server.exe:*:Enabled:Windows Messanger" /f
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\reg.exe (depth 4, PID 1828)
        command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\server.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\server.exe:*:Enabled:Windows Messanger" /f
        - Modifies firewall policy service
        - System Location Discovery: System Language Discovery
        - Modifies registry key

  C:\Windows\SysWOW64\cmd.exe (depth 2, PID 3656)
    command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\DEL.BAT
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 19KB
MD5: 533cc8ec927f6d014a8fb880c25c16a9
SHA1: 0e32857bb7a8da6be1741dd4b126db189041422c
SHA256: 6fa5ae312bffb0bc4a0f4a2bea3a7c5d0405d2cfeef02966f5b5e6fc49247c07
SHA512: 12d1ab6b3c7d2d27b6ca013b73bad3afaebfa49c049d58a8ebf8f235402b3af873eae10ecc659858ec594294c20a96ca1d198a2072728e32eb76b33ac9c8257d

Filesize: 43B
MD5: 0eb1ce469214ebc99409fa2c14eb1a4f
SHA1: a502e9f691f253ddaac1dd129aad2397b5d536b1
SHA256: 6ea933732db88fec7e7c692f6d7b4017a88b511a43da98225260649c37da3a6f
SHA512: ebf7b4b463e38a6f5bf27f5e6cfda9f50e59d38fbb54dd910301d4f7f9b7a28038e51b24985f6357d0707ba521606f9487aabee4a6825e4d56b30900679686e5