Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
145s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
22/12/2024, 03:06 UTC
Behavioral task
behavioral1
Sample
JaffaCakes118_8c4f101a29137e92cd7d4061acf6e479db26124abfb6d77fb5f2761a4f7f4997.exe
Resource
win7-20241010-en
General
-
Target
JaffaCakes118_8c4f101a29137e92cd7d4061acf6e479db26124abfb6d77fb5f2761a4f7f4997.exe
-
Size
1.2MB
-
MD5
d2c9a102f0f3c263e92c47fa9179a0b8
-
SHA1
95071cb6fcaebd7899312be694df9e961f075b2b
-
SHA256
8c4f101a29137e92cd7d4061acf6e479db26124abfb6d77fb5f2761a4f7f4997
-
SHA512
bbe849b5e8e20e823676ea6ca94edeffa151bb3a55ad0c39b1061801480212588f266c4f726e98f2d3fea00c7deab5899256c403d57a70ff04af8cfc2e7f0b26
-
SSDEEP
24576:wB0NWp6nr52LyDXRfJ5dwEztbXCmAUscM7P8g6A7Vpg83atTUHnlr:wBSDnV3XRfJ/emAUscMoCVuw
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 7 IoCs
resource yara_rule behavioral1/memory/1560-10-0x0000000000400000-0x0000000000611000-memory.dmp family_blackmoon behavioral1/memory/1560-9-0x0000000000400000-0x0000000000611000-memory.dmp family_blackmoon behavioral1/files/0x000e000000012267-15.dat family_blackmoon behavioral1/memory/1560-26-0x0000000000400000-0x0000000000611000-memory.dmp family_blackmoon behavioral1/memory/2648-29-0x0000000010000000-0x0000000010100000-memory.dmp family_blackmoon behavioral1/memory/2648-30-0x0000000010000000-0x0000000010100000-memory.dmp family_blackmoon behavioral1/memory/2648-33-0x0000000010000000-0x0000000010100000-memory.dmp family_blackmoon -
Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SQL Server Reporting Services (MSSQLSERVSER)\Parameters\ServiceDll = "C:\\ProgramData\\Microsoft\\Windows\\GameExplorer\\Remote.hlp" JaffaCakes118_8c4f101a29137e92cd7d4061acf6e479db26124abfb6d77fb5f2761a4f7f4997.exe -
Deletes itself 1 IoCs
pid Process 2068 cmd.exe -
Loads dropped DLL 1 IoCs
pid Process 2648 svchost.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File created C:\Windows\SysWOW64\Delete00.bat JaffaCakes118_8c4f101a29137e92cd7d4061acf6e479db26124abfb6d77fb5f2761a4f7f4997.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2188 set thread context of 1560 2188 JaffaCakes118_8c4f101a29137e92cd7d4061acf6e479db26124abfb6d77fb5f2761a4f7f4997.exe 30 -
resource yara_rule behavioral1/memory/2188-0-0x0000000000400000-0x00000000005CA000-memory.dmp upx behavioral1/memory/1560-10-0x0000000000400000-0x0000000000611000-memory.dmp upx behavioral1/memory/2188-14-0x0000000000400000-0x00000000005CA000-memory.dmp upx behavioral1/memory/1560-9-0x0000000000400000-0x0000000000611000-memory.dmp upx behavioral1/memory/1560-5-0x0000000000400000-0x0000000000611000-memory.dmp upx behavioral1/memory/1560-8-0x0000000000400000-0x0000000000611000-memory.dmp upx behavioral1/memory/1560-26-0x0000000000400000-0x0000000000611000-memory.dmp upx behavioral1/memory/2648-28-0x00000000001D0000-0x00000000001DB000-memory.dmp upx -
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 1708 sc.exe -
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_8c4f101a29137e92cd7d4061acf6e479db26124abfb6d77fb5f2761a4f7f4997.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_8c4f101a29137e92cd7d4061acf6e479db26124abfb6d77fb5f2761a4f7f4997.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2488 PING.EXE -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 2488 PING.EXE -
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid Process 1560 JaffaCakes118_8c4f101a29137e92cd7d4061acf6e479db26124abfb6d77fb5f2761a4f7f4997.exe 2648 svchost.exe 2648 svchost.exe 2648 svchost.exe 2648 svchost.exe 2648 svchost.exe 2648 svchost.exe 2648 svchost.exe 2648 svchost.exe 2648 svchost.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1560 JaffaCakes118_8c4f101a29137e92cd7d4061acf6e479db26124abfb6d77fb5f2761a4f7f4997.exe Token: SeDebugPrivilege 2648 svchost.exe -
Suspicious use of WriteProcessMemory 21 IoCs
description pid Process procid_target PID 2188 wrote to memory of 1560 2188 JaffaCakes118_8c4f101a29137e92cd7d4061acf6e479db26124abfb6d77fb5f2761a4f7f4997.exe 30 PID 2188 wrote to memory of 1560 2188 JaffaCakes118_8c4f101a29137e92cd7d4061acf6e479db26124abfb6d77fb5f2761a4f7f4997.exe 30 PID 2188 wrote to memory of 1560 2188 JaffaCakes118_8c4f101a29137e92cd7d4061acf6e479db26124abfb6d77fb5f2761a4f7f4997.exe 30 PID 2188 wrote to memory of 1560 2188 JaffaCakes118_8c4f101a29137e92cd7d4061acf6e479db26124abfb6d77fb5f2761a4f7f4997.exe 30 PID 2188 wrote to memory of 1560 2188 JaffaCakes118_8c4f101a29137e92cd7d4061acf6e479db26124abfb6d77fb5f2761a4f7f4997.exe 30 PID 2188 wrote to memory of 1560 2188 JaffaCakes118_8c4f101a29137e92cd7d4061acf6e479db26124abfb6d77fb5f2761a4f7f4997.exe 30 PID 2188 wrote to memory of 1560 2188 JaffaCakes118_8c4f101a29137e92cd7d4061acf6e479db26124abfb6d77fb5f2761a4f7f4997.exe 30 PID 2188 wrote to memory of 1560 2188 JaffaCakes118_8c4f101a29137e92cd7d4061acf6e479db26124abfb6d77fb5f2761a4f7f4997.exe 30 PID 2188 wrote to memory of 1560 2188 JaffaCakes118_8c4f101a29137e92cd7d4061acf6e479db26124abfb6d77fb5f2761a4f7f4997.exe 30 PID 1560 wrote to memory of 1708 1560 JaffaCakes118_8c4f101a29137e92cd7d4061acf6e479db26124abfb6d77fb5f2761a4f7f4997.exe 31 PID 1560 wrote to memory of 1708 1560 JaffaCakes118_8c4f101a29137e92cd7d4061acf6e479db26124abfb6d77fb5f2761a4f7f4997.exe 31 PID 1560 wrote to memory of 1708 1560 JaffaCakes118_8c4f101a29137e92cd7d4061acf6e479db26124abfb6d77fb5f2761a4f7f4997.exe 31 PID 1560 wrote to memory of 1708 1560 JaffaCakes118_8c4f101a29137e92cd7d4061acf6e479db26124abfb6d77fb5f2761a4f7f4997.exe 31 PID 1560 wrote to memory of 2068 1560 JaffaCakes118_8c4f101a29137e92cd7d4061acf6e479db26124abfb6d77fb5f2761a4f7f4997.exe 34 PID 1560 wrote to memory of 2068 1560 JaffaCakes118_8c4f101a29137e92cd7d4061acf6e479db26124abfb6d77fb5f2761a4f7f4997.exe 34 PID 1560 wrote to memory of 2068 1560 JaffaCakes118_8c4f101a29137e92cd7d4061acf6e479db26124abfb6d77fb5f2761a4f7f4997.exe 34 PID 1560 wrote to memory of 2068 1560 JaffaCakes118_8c4f101a29137e92cd7d4061acf6e479db26124abfb6d77fb5f2761a4f7f4997.exe 34 PID 2068 wrote to memory of 2488 2068 cmd.exe 36 PID 2068 wrote to memory of 2488 2068 cmd.exe 36 PID 2068 wrote to memory of 2488 2068 cmd.exe 36 PID 2068 wrote to memory of 2488 2068 cmd.exe 36
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8c4f101a29137e92cd7d4061acf6e479db26124abfb6d77fb5f2761a4f7f4997.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8c4f101a29137e92cd7d4061acf6e479db26124abfb6d77fb5f2761a4f7f4997.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8c4f101a29137e92cd7d4061acf6e479db26124abfb6d77fb5f2761a4f7f4997.exe
- Server Software Component: Terminal Services DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1560 -
C:\Windows\SysWOW64\sc.exesc failure SQL Server Reporting Services (MSSQLSERVSER) reset= 86400 actions= restart/10003⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:1708
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\System32\\Delete00.bat3⤵
- Deletes itself
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.14⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2488
-
-
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2648
Network
-
Remote address:8.8.8.8:53Requestr.nxxxn.gaIN AResponse
-
Remote address:8.8.8.8:53Requestfuck88.f3322.netIN AResponse
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
179B
MD5e9bb28131aab66d39d574d4b5c51ffce
SHA1ccdbaabdebdf23c369d89844d9046c4b84f51e00
SHA2564321a4029e015e57b640641ac6a33b7c684f7ecdbce479ac1daec94ff8d76286
SHA51208ef0d1c2beffcba68aff22d44084382867c9f4911d2f5876f82ebcef92298d0e7e88ad93c755f7949a717a56de968dde5b68fe5232f3063b33296890d764c49
-
Filesize
936KB
MD52148ed98f723563683990f569d23bf43
SHA125cfad1a06933f65f7d110a81d7adbfa83c19005
SHA256b53132d5c59e5e62e23a9cb65fa9c09aa8403f625d76877c4e8fd60a331be56a
SHA5128ac4b829802e3238fcdf6629b09417dfb48b04d18880a230a387b3673c724a8281c795c83e7a088c12ef676b9fd054b70f90aebca34a1217fc7376aeb9f13dfa