Analysis
  max time kernel: 147s
  max time network: 117s
  platform: windows7_x64
  resource: win7-20240903-en
  resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted: 27/12/2024, 00:11
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_187fda2b830429934ff2d59c014f05098bfb323d639be258f075efa4309f5c0f.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_187fda2b830429934ff2d59c014f05098bfb323d639be258f075efa4309f5c0f.exe
  Resource: win10v2004-20241007-en
Behavioral task: behavioral3
  Sample: xscfbjx.exe
  Resource: win7-20241010-en
Behavioral task: behavioral4
  Sample: xscfbjx.exe
  Resource: win10v2004-20241007-en
General
  Target: JaffaCakes118_187fda2b830429934ff2d59c014f05098bfb323d639be258f075efa4309f5c0f.exe
  Size: 265KB
  MD5: a0a1f5ff78c714b094a5fb386e02a7a3
  SHA1: 10fd01e713a5b96d19fd636e646f231bdb059bf1
  SHA256: 187fda2b830429934ff2d59c014f05098bfb323d639be258f075efa4309f5c0f
  SHA512: 6db4734f3b1f13f4ad87dd3b604a8c6b37698e7b788604d53fd42a3cf0af9155c96f54ce5d2651ba2f905a385eddf0c57284bda0078bba4ad5f71adde9e05fe2
  SSDEEP: 6144:xNeZBEmUT5ohIP1DT1SDLiXoina7ZnkOnIhB:xN+BI5yWHOiXlKkHB
Malware Config
Extracted: formbook
  fkku
mariefrank.shop
Signatures
- Formbook family
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\Geo\Nation (process: xscfbjx.exe)
- Executes dropped EXE (1 IoC)
  PID 2380: xscfbjx.exe
- Loads dropped DLL (3 IoCs)
  PID 2176: JaffaCakes118_187fda2b830429934ff2d59c014f05098bfb323d639be258f075efa4309f5c0f.exe
  PID 2380: xscfbjx.exe
  PID 2972: xscfbjx.exe
- Suspicious use of SetThreadContext (4 IoCs)
  PID 2380 (xscfbjx.exe) set thread context of PID 2972, procid_target 31
  PID 2972 (xscfbjx.exe) set thread context of PID 1220, procid_target 21
  PID 2972 (xscfbjx.exe) set thread context of PID 1220, procid_target 21
  PID 2600 (help.exe) set thread context of PID 1220, procid_target 21
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: JaffaCakes118_187fda2b830429934ff2d59c014f05098bfb323d639be258f075efa4309f5c0f.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: xscfbjx.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: help.exe)
- Suspicious behavior: EnumeratesProcesses (33 IoCs)
  PID 2972 xscfbjx.exe (5 entries)
  PID 2600 help.exe (28 entries)
- Suspicious behavior: MapViewOfSection (6 IoCs)
  PID 2972 xscfbjx.exe (4 entries)
  PID 2600 help.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 2972 xscfbjx.exe
  Token: SeDebugPrivilege, PID 2600 help.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  PID 2176 (JaffaCakes118_187fda2b830429934ff2d59c014f05098bfb323d639be258f075efa4309f5c0f.exe) wrote to memory of PID 2380, procid_target 30 (4 entries)
  PID 2380 (xscfbjx.exe) wrote to memory of PID 2972, procid_target 31 (5 entries)
  PID 1220 (Explorer.EXE) wrote to memory of PID 2600, procid_target 32 (4 entries)
Processes
C:\Windows\Explorer.EXE (PID 1220), command line "C:\Windows\Explorer.EXE"
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_187fda2b830429934ff2d59c014f05098bfb323d639be258f075efa4309f5c0f.exe (PID 2176), command line "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_187fda2b830429934ff2d59c014f05098bfb323d639be258f075efa4309f5c0f.exe"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\xscfbjx.exe (PID 2380), command line "C:\Users\Admin\AppData\Local\Temp\xscfbjx.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\xscfbjx.exe (PID 2972), command line "C:\Users\Admin\AppData\Local\Temp\xscfbjx.exe"
        - Checks computer location settings
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\help.exe (PID 2600), command line "C:\Windows\SysWOW64\help.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 4KB
  MD5: 58661627bbc5a0309c8c80c5886b2c78
  SHA1: 74a8ce5fa8a70b5493ede45a71df09bfe05d50b4
  SHA256: 5332de813671b1190f3d39ab8e2a0342823563c9626137015e970e832fa7bc98
  SHA512: f515c00e50366c39a80b3097b1d197bf3f8cd426c5c6699e70ce3e77471f91ffc93540188afd9d25e088f13a0e4bd07cedf9ead39d79a34942ec785d9a1a4c35

  Filesize: 185KB
  MD5: 2045e2fba3e4e549f31ada7008b2af16
  SHA1: f97571e97a60f39be18af949c0971ccaaa88ef2e
  SHA256: c6b1b5674d75f753f483c25c44eb2c90e0a348372cf4ebcf5fb2cb57304bc239
  SHA512: b93ac0f34b23b809ff146cf42cb2b04a761ffaf3b48f3dcd45e1fc93ea5cf2bd46dd69d180e61a2c59742637b6079b32c5790ddfd100c0cb33854542a88251ac

  Filesize: 74KB
  MD5: 08b101029a510d1467056305f8bda101
  SHA1: 938d534e3584b132ece92f01e0089304b9587803
  SHA256: 3d897c1632a6234082cafef209af7ddb9f91a0af33b03e6d004e153a54d622c0
  SHA512: 631cc7c7a08b9492661983200ecc9b96c2d958d756808ed8b5b431a1a29ec92d360866c41c5d8307a3d185bcdedb4e66d661ec812d47d1ae057013a8cbc0ccbd