Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 25/12/2024, 05:49
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_7209361149706baa9059d776cc8e67104b44d73d4fc17e9836da997c00640870.ps1
Resource: win7-20240903-en
General
Target: JaffaCakes118_7209361149706baa9059d776cc8e67104b44d73d4fc17e9836da997c00640870.ps1
Size: 640B
MD5: 07f4a138267c2c7816c6452e03f35a6d
SHA1: 99bc5bffa4ab51627af531efb3f129588d442ae1
SHA256: 7209361149706baa9059d776cc8e67104b44d73d4fc17e9836da997c00640870
SHA512: 5c9005c81c39351cfc148ce6d5599caf083b9a6fc10c2ba99e0f3b691cf378f13a9fc61923930c47341e7f3213f6213501e18c6fdc3e1d1f9ba7de49654f970c
Malware Config
Signatures
Golang Generic Botnet
A botnet written in golang not attributed to a particular actor.
Golang_generic_botnet family
Xmrig family
OS Credential Dumping: LSASS Memory (1 TTPs)
Malicious access to Credentials History.
XMRig Miner payload (1 IoCs)
resource behavioral1/memory/1468-77-0x000000013FC20000-0x0000000141A55000-memory.dmp, yara_rule xmrig
Blocklisted process makes network request (1 IoCs)
flow 4, PID 2756 powershell.exe
Downloads MZ/PE file
Sets file to hidden (1 TTPs, 1 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
PID 2716 attrib.exe
Executes dropped EXE (6 IoCs)
PID 1996 service.exe; PID 2420 autoupdate.exe; PID 1468 updater.exe; PID 2292 service.exe; PID 1644 procdump.exe; PID 2580 procdump64.exe
Loads dropped DLL (10 IoCs)
PID 2756 powershell.exe; PID 2756 powershell.exe; PID 2756 powershell.exe; PID 2756 powershell.exe; PID 1996 service.exe; PID 1996 service.exe; PID 1996 service.exe; PID 1224 Process not Found; PID 1996 service.exe; PID 1644 procdump.exe
yara_rule matches (resource, rule):
behavioral1/files/0x0009000000015cfd-13.dat, vmprotect
behavioral1/memory/1996-31-0x00000000009E0000-0x0000000001B3F000-memory.dmp, vmprotect
behavioral1/files/0x0007000000015d70-45.dat, vmprotect
behavioral1/memory/2420-56-0x0000000000F60000-0x0000000003835000-memory.dmp, vmprotect
behavioral1/memory/1996-93-0x00000000009E0000-0x0000000001B3F000-memory.dmp, vmprotect
behavioral1/memory/2292-101-0x0000000000C40000-0x0000000001D9F000-memory.dmp, vmprotect
PID 2756 powershell.exe
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (procdump.exe)
GoLang User-Agent (4 IoCs)
Uses default user-agent string defined by GoLang HTTP packages.
HTTP User-Agent header, flow 9: Go-http-client/1.1
HTTP User-Agent header, flow 16: Go-http-client/1.1
HTTP User-Agent header, flow 17: Go-http-client/1.1
HTTP User-Agent header, flow 18: Go-http-client/1.1
Kills process with taskkill (5 IoCs)
PID 992 taskkill.exe; PID 2188 taskkill.exe; PID 2220 taskkill.exe; PID 2840 taskkill.exe; PID 2644 taskkill.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
PID 2700 schtasks.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (56 IoCs)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Views/modifies file attributes (1 TTPs, 1 IoCs)
PID 2716 attrib.exe
Processes
(process tree; indentation shows parent/child depth)
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2756)
  command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7209361149706baa9059d776cc8e67104b44d73d4fc17e9836da997c00640870.ps1
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\taskkill.exe (PID 2840)
    command line: "C:\Windows\system32\taskkill.exe" /f /im service.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\attrib.exe (PID 2716)
    command line: "C:\Windows\system32\attrib.exe" +S +H .git
    - Sets file to hidden
    - Views/modifies file attributes
  C:\Users\Admin\AppData\Local\Temp\.git\service.exe (PID 1996)
    command line: "C:\Users\Admin\AppData\Local\Temp\.git\service.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\cmd.exe (PID 1964)
      command line: cmd /c "wmic process get ProcessID,ExecutablePath /format:csv"
      - Suspicious use of WriteProcessMemory
      C:\Windows\System32\Wbem\WMIC.exe (PID 2928)
        command line: wmic process get ProcessID,ExecutablePath /format:csv
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\taskkill.exe (PID 2644)
      command line: taskkill /f /im inj.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\taskkill.exe (PID 992)
      command line: taskkill /f /im runtime.dll
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\taskkill.exe (PID 2188)
      command line: taskkill /f /im autoupdate.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\.git\autoupdate.exe (PID 2420)
      command line: C:\Users\Admin\AppData\Local\Temp\.git/autoupdate.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\.git\procdump.exe (PID 1644)
        command line: C:\Users\Admin\AppData\Local\Temp\.git/procdump.exe -accepteula -ma lsass.exe C:\Users\Admin\AppData\Local\Temp\.git/1.dmp
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\.git\procdump64.exe (PID 2580)
          command line: C:\Users\Admin\AppData\Local\Temp\.git/procdump.exe -accepteula -ma lsass.exe C:\Users\Admin\AppData\Local\Temp\.git/1.dmp
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
    C:\Windows\system32\taskkill.exe (PID 2220)
      command line: taskkill /f /im updater.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\.git\updater.exe (PID 1468)
      command line: C:\Users\Admin\AppData\Local\Temp\.git/updater.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\.git\service.exe (PID 2292)
      command line: C:\Users\Admin\AppData\Local\Temp\.git\service.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\cmd.exe (PID 1772)
        command line: cmd /c "wmic process get ProcessID,ExecutablePath /format:csv"
        - Suspicious use of WriteProcessMemory
        C:\Windows\System32\Wbem\WMIC.exe (PID 2128)
          command line: wmic process get ProcessID,ExecutablePath /format:csv
          - Suspicious use of AdjustPrivilegeToken
      C:\Windows\system32\cmd.exe (PID 2596)
        command line: C:\\Windows\system32\cmd.exe /c "schtasks.exe /create /tn winupdate /tr C:\Users\Admin\AppData\Local\Temp\.git\service.exe /sc DAILY /st 02:39 /F"
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\schtasks.exe (PID 2700)
          command line: schtasks.exe /create /tn winupdate /tr C:\Users\Admin\AppData\Local\Temp\.git\service.exe /sc DAILY /st 02:39 /F
          - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Downloads