Analysis
max time kernel: 148s
max time network: 149s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 22/12/2024, 08:53
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_9b847b83bb51c8cf825e4b2fc385dab4e0e2c518029a1cedd8575f5f581bc942.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_9b847b83bb51c8cf825e4b2fc385dab4e0e2c518029a1cedd8575f5f581bc942.exe
  Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_9b847b83bb51c8cf825e4b2fc385dab4e0e2c518029a1cedd8575f5f581bc942.exe
Size: 291KB
MD5: d19143b5b307f466773d78beaffdfddd
SHA1: 3a0c0f85cac9a9c190d1b634e4a8d1b9ce139c62
SHA256: 9b847b83bb51c8cf825e4b2fc385dab4e0e2c518029a1cedd8575f5f581bc942
SHA512: 1767680e382d3879beda7361f844e75401714f33ede60c40a23715b53174f325307b0d7ed6228af25c4fa7ee15080f2e75cac40d08bb9bc17a05ad5ab1ab9f41
SSDEEP: 6144:bLAYn+dp6In11uvJXgWxvRma9zxWQYeTGDMwfzh:bMWRI10vJQ+vRma9zxWQEdfzh
Malware Config
Extracted
Family: tofsee
C2: quadoil.ru, lakeflex.ru
Signatures

Tofsee family

Windows security bypass 1 IoCs
  Description      IoC                                                                                                      Process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\kzzhxbn = "0"  svchost.exe
Creates new service(s) 2 TTPs

Modifies Windows Firewall 2 TTPs 1 IoCs
  PID   Process
  2948  netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs
  Description      IoC                                                                                                         Process
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\kzzhxbn\ImagePath = "C:\\Windows\\SysWOW64\\kzzhxbn\\hepusczw.exe"  svchost.exe

Deletes itself 1 IoCs
  PID   Process
  2592  svchost.exe

Executes dropped EXE 1 IoCs
  PID   Process
  2428  hepusczw.exe

Suspicious use of SetThreadContext 1 IoCs
  Description                          PID   Process       procid_target
  PID 2428 set thread context of 2592  2428  hepusczw.exe  44

Launches sc.exe 3 IoCs
Sc.exe is a Windows utility to control services on the system.
  PID   Process
  2864  sc.exe
  2244  sc.exe
  2780  sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  Description           IoC                                                     Process
  Key opened            \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh  netsh.exe
  Key queried           \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh  netsh.exe
  Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh  netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description  IoC                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_9b847b83bb51c8cf825e4b2fc385dab4e0e2c518029a1cedd8575f5f581bc942.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  sc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  sc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  sc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  netsh.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  hepusczw.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svchost.exe
Suspicious use of WriteProcessMemory 30 IoCs

Process JaffaCakes118_9b847b83bb51c8cf825e4b2fc385dab4e0e2c518029a1cedd8575f5f581bc942.exe (PID 876):
  Description                      procid_target
  PID 876 wrote to memory of 1988  31
  PID 876 wrote to memory of 1988  31
  PID 876 wrote to memory of 1988  31
  PID 876 wrote to memory of 1988  31
  PID 876 wrote to memory of 2920  33
  PID 876 wrote to memory of 2920  33
  PID 876 wrote to memory of 2920  33
  PID 876 wrote to memory of 2920  33
  PID 876 wrote to memory of 2864  35
  PID 876 wrote to memory of 2864  35
  PID 876 wrote to memory of 2864  35
  PID 876 wrote to memory of 2864  35
  PID 876 wrote to memory of 2244  37
  PID 876 wrote to memory of 2244  37
  PID 876 wrote to memory of 2244  37
  PID 876 wrote to memory of 2244  37
  PID 876 wrote to memory of 2780  39
  PID 876 wrote to memory of 2780  39
  PID 876 wrote to memory of 2780  39
  PID 876 wrote to memory of 2780  39
  PID 876 wrote to memory of 2948  42
  PID 876 wrote to memory of 2948  42
  PID 876 wrote to memory of 2948  42
  PID 876 wrote to memory of 2948  42

Process hepusczw.exe (PID 2428):
  Description                       procid_target
  PID 2428 wrote to memory of 2592  44
  PID 2428 wrote to memory of 2592  44
  PID 2428 wrote to memory of 2592  44
  PID 2428 wrote to memory of 2592  44
  PID 2428 wrote to memory of 2592  44
  PID 2428 wrote to memory of 2592  44
Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9b847b83bb51c8cf825e4b2fc385dab4e0e2c518029a1cedd8575f5f581bc942.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9b847b83bb51c8cf825e4b2fc385dab4e0e2c518029a1cedd8575f5f581bc942.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 876

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\kzzhxbn\
    - System Location Discovery: System Language Discovery
    PID: 1988

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\hepusczw.exe" C:\Windows\SysWOW64\kzzhxbn\
    - System Location Discovery: System Language Discovery
    PID: 2920

  C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create kzzhxbn binPath= "C:\Windows\SysWOW64\kzzhxbn\hepusczw.exe /d\"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9b847b83bb51c8cf825e4b2fc385dab4e0e2c518029a1cedd8575f5f581bc942.exe\"" type= own start= auto DisplayName= "wifi support"
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID: 2864

  C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description kzzhxbn "wifi internet conection"
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID: 2244

  C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start kzzhxbn
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID: 2780

  C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID: 2948

C:\Windows\SysWOW64\kzzhxbn\hepusczw.exe
  Command line: C:\Windows\SysWOW64\kzzhxbn\hepusczw.exe /d"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9b847b83bb51c8cf825e4b2fc385dab4e0e2c518029a1cedd8575f5f581bc942.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2428

  C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    - Windows security bypass
    - Sets service image path in registry
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID: 2592
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)

Defense Evasion
  Impair Defenses (2)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (1)
  Modify Registry (2)
Downloads

Filesize: 14.5MB
MD5: f0ca1d4b65dd3a4e36ef4eeedf79c5a2
SHA1: 6ac51c53bff99336ef84ef3642963ade9746f49b
SHA256: 805048cd84e179a0ecb53c40c91df34a43212e717c11bb061270d888364c9e31
SHA512: d6ac08e931483a46ea06879f189a66e461d02befc369703db3451c7b8188f1d2358c42d9ed3c2a8d857dfedb8ea5bf1961f36b1352b7736146de3b307b844e7b