Analysis
max time kernel: 144s
max time network: 144s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 27/12/2024, 01:02
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_9463797712a33f68379cc2ab3f503a6ddc1b3abcc73d2cae21d9889118948122.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_9463797712a33f68379cc2ab3f503a6ddc1b3abcc73d2cae21d9889118948122.exe
  Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_9463797712a33f68379cc2ab3f503a6ddc1b3abcc73d2cae21d9889118948122.exe
Size: 260KB
MD5: 09662c2592b14405b5c16b764060d751
SHA1: 4c6e859253fbd8093f2200b7bdaebc27f19449d8
SHA256: 9463797712a33f68379cc2ab3f503a6ddc1b3abcc73d2cae21d9889118948122
SHA512: 73427221b5bd5d2e260bfddd1664e5fa0ec13e781cfaa6e7598e8a453e7b9e39908b0cd409ce551cd744cf9b602edda34293799c38c3122be155bd38ab002ac3
SSDEEP: 6144:2QXRZhTGxVInBgovdk+pXFE/WWWLNarbRi7:2KDhGxVIBggNp1EYBarbRi
Malware Config
Extracted: tofsee
  defeatwax.ru
  refabyd.info
Signatures
Tofsee family
Windows security bypass 1 IoCs
  description: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\nrtoisw = "0"
  Process: svchost.exe
Creates new service(s) 2 TTPs
Modifies Windows Firewall 2 TTPs 1 IoCs
  pid 2524, Process: netsh.exe
Sets service image path in registry 2 TTPs 1 IoCs
  description: Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\nrtoisw\ImagePath = "C:\\Windows\\SysWOW64\\nrtoisw\\cakiiyhx.exe"
  Process: svchost.exe
Deletes itself 1 IoCs
  pid 800, Process: svchost.exe
Executes dropped EXE 1 IoCs
  pid 3044, Process: cakiiyhx.exe
Suspicious use of SetThreadContext 1 IoCs
  description: PID 3044 set thread context of 800; pid 3044, Process: cakiiyhx.exe, procid_target: 43
Launches sc.exe 3 IoCs
  Sc.exe is a Windows utility to control services on the system.
  pid 2576 sc.exe; pid 2644 sc.exe; pid 2736 sc.exe
Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh (netsh.exe)
  Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh (netsh.exe)
  Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh (netsh.exe)
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (sc.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (sc.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (netsh.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (svchost.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (JaffaCakes118_9463797712a33f68379cc2ab3f503a6ddc1b3abcc73d2cae21d9889118948122.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cakiiyhx.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (sc.exe)
Suspicious use of WriteProcessMemory 30 IoCs
  description | pid | Process | procid_target | entries
  PID 2728 wrote to memory of 2688 | 2728 | JaffaCakes118_9463797712a33f68379cc2ab3f503a6ddc1b3abcc73d2cae21d9889118948122.exe | 30 | 4
  PID 2728 wrote to memory of 2600 | 2728 | JaffaCakes118_9463797712a33f68379cc2ab3f503a6ddc1b3abcc73d2cae21d9889118948122.exe | 32 | 4
  PID 2728 wrote to memory of 2736 | 2728 | JaffaCakes118_9463797712a33f68379cc2ab3f503a6ddc1b3abcc73d2cae21d9889118948122.exe | 34 | 4
  PID 2728 wrote to memory of 2576 | 2728 | JaffaCakes118_9463797712a33f68379cc2ab3f503a6ddc1b3abcc73d2cae21d9889118948122.exe | 36 | 4
  PID 2728 wrote to memory of 2644 | 2728 | JaffaCakes118_9463797712a33f68379cc2ab3f503a6ddc1b3abcc73d2cae21d9889118948122.exe | 38 | 4
  PID 2728 wrote to memory of 2524 | 2728 | JaffaCakes118_9463797712a33f68379cc2ab3f503a6ddc1b3abcc73d2cae21d9889118948122.exe | 41 | 4
  PID 3044 wrote to memory of 800 | 3044 | cakiiyhx.exe | 43 | 6
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9463797712a33f68379cc2ab3f503a6ddc1b3abcc73d2cae21d9889118948122.exe (PID 2728)
  command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9463797712a33f68379cc2ab3f503a6ddc1b3abcc73d2cae21d9889118948122.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (PID 2688)
    command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\nrtoisw\
    - System Location Discovery: System Language Discovery
  C:\Windows\SysWOW64\cmd.exe (PID 2600)
    command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\cakiiyhx.exe" C:\Windows\SysWOW64\nrtoisw\
    - System Location Discovery: System Language Discovery
  C:\Windows\SysWOW64\sc.exe (PID 2736)
    command line: "C:\Windows\System32\sc.exe" create nrtoisw binPath= "C:\Windows\SysWOW64\nrtoisw\cakiiyhx.exe /d\"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9463797712a33f68379cc2ab3f503a6ddc1b3abcc73d2cae21d9889118948122.exe\"" type= own start= auto DisplayName= "wifi support"
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
  C:\Windows\SysWOW64\sc.exe (PID 2576)
    command line: "C:\Windows\System32\sc.exe" description nrtoisw "wifi internet conection"
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
  C:\Windows\SysWOW64\sc.exe (PID 2644)
    command line: "C:\Windows\System32\sc.exe" start nrtoisw
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
  C:\Windows\SysWOW64\netsh.exe (PID 2524)
    command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\nrtoisw\cakiiyhx.exe (PID 3044)
  command line: C:\Windows\SysWOW64\nrtoisw\cakiiyhx.exe /d"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9463797712a33f68379cc2ab3f503a6ddc1b3abcc73d2cae21d9889118948122.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\svchost.exe (PID 800)
    command line: svchost.exe
    - Windows security bypass
    - Sets service image path in registry
    - Deletes itself
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
Defense Evasion
  Impair Defenses (2)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (1)
  Modify Registry (2)
Downloads
Filesize: 13.8MB
MD5: 2f5f284e41b09471d7c0c5541d777818
SHA1: 8836d82af098fb94ed50e1769bf8a32502cb35d8
SHA256: 74e4253ea20eabdb3e8800feddb560499bb0ec255de0544f090d730a58e4be05
SHA512: 11bc8ab380760e9beb9e19d399375ae4263665c0b4bc56600bfb31f61e8f1d86e3f75398c0cf9081e5dc799c1cf3c5839d57fb2808d84169ed0e37a42cc8d580