Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
21/10/2024, 00:15
Static task
static1
Behavioral task
behavioral1
Sample
64ceec2dcef38331b7f2c149acb471f8_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
64ceec2dcef38331b7f2c149acb471f8_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
64ceec2dcef38331b7f2c149acb471f8_JaffaCakes118.exe
-
Size
680KB
-
MD5
64ceec2dcef38331b7f2c149acb471f8
-
SHA1
1feceafc771ad6b9138c9faeb30e4d36c221546a
-
SHA256
9f1d2a6e48f68ff174717c8330208815a1dbfe1eaa0651cf26bb49b87d07b384
-
SHA512
35488366ba764184eb84b7cfdb501140f71e84dd88a59d16ec5d894bf26d6c11d8690c493001d35b609a7724ded132276a3a1b757d2705b308ab48716ca03ed3
-
SSDEEP
6144:Cuqzvs2HD6NtJwjuNXKtnjpDmzm/tBoA8Pa0HgA0oKxkriQu5qKna:6Dozwju1KHDZlBsarxCiQuBa
Malware Config
Signatures
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts explorer.exe -
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook explorer.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ehonybwq = "\"C:\\Windows\\evypgqom.exe\"" explorer.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 64ceec2dcef38331b7f2c149acb471f8_JaffaCakes118.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 6 ipecho.net -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1900 set thread context of 2576 1900 64ceec2dcef38331b7f2c149acb471f8_JaffaCakes118.exe 30 -
Drops file in Windows directory 2 IoCs
description ioc Process File opened for modification C:\Windows\evypgqom.exe explorer.exe File created C:\Windows\evypgqom.exe explorer.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64ceec2dcef38331b7f2c149acb471f8_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssadmin.exe -
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2884 vssadmin.exe -
Modifies Internet Explorer Phishing Filter 1 TTPs 3 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PhishingFilter explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0" explorer.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeBackupPrivilege 2796 vssvc.exe Token: SeRestorePrivilege 2796 vssvc.exe Token: SeAuditPrivilege 2796 vssvc.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 1900 wrote to memory of 2576 1900 64ceec2dcef38331b7f2c149acb471f8_JaffaCakes118.exe 30 PID 1900 wrote to memory of 2576 1900 64ceec2dcef38331b7f2c149acb471f8_JaffaCakes118.exe 30 PID 1900 wrote to memory of 2576 1900 64ceec2dcef38331b7f2c149acb471f8_JaffaCakes118.exe 30 PID 1900 wrote to memory of 2576 1900 64ceec2dcef38331b7f2c149acb471f8_JaffaCakes118.exe 30 PID 1900 wrote to memory of 2576 1900 64ceec2dcef38331b7f2c149acb471f8_JaffaCakes118.exe 30 PID 2576 wrote to memory of 2884 2576 explorer.exe 32 PID 2576 wrote to memory of 2884 2576 explorer.exe 32 PID 2576 wrote to memory of 2884 2576 explorer.exe 32 PID 2576 wrote to memory of 2884 2576 explorer.exe 32 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook explorer.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\64ceec2dcef38331b7f2c149acb471f8_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\64ceec2dcef38331b7f2c149acb471f8_JaffaCakes118.exe"1⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1900 -
C:\Windows\SysWOW64\explorer.exe"C:\Windows\system32\explorer.exe"2⤵
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer Phishing Filter
- Suspicious use of WriteProcessMemory
- outlook_win_path
PID:2576 -
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet3⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:2884
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2796
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Direct Volume Access
1Indicator Removal
2File Deletion
2Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
680KB
MD52507b6d48b0ea79589db0f1ae3c5519e
SHA1712f2f6f86afebe3eff5a5429c6084eaf1996c54
SHA256044c15c5615fd998214c5bdf51dc86ea5ba90956b2df7ef66ac0e04e4234d7eb
SHA512f092950308270a532a2d0c7b54b33012af529393f026511d0d5409f9bab8ae2eac1f0a926a801d30cb464fab7344e60f6801fb89ba637d96774e39173a8e2605