Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
142s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
31/12/2024, 06:06
General
-
Target
JaffaCakes118_07ec8b6e8c148b2847a910f6b5c63c2d.exe
-
Size
288KB
-
MD5
07ec8b6e8c148b2847a910f6b5c63c2d
-
SHA1
7a2b2e33a88a8fc6b132de6bd833387438279824
-
SHA256
62dc18f7d85f9c5009ea692618f650c51859ec71c2e5116c1a791f076cdac8b6
-
SHA512
d1610d4a7d24302ee938bebb8ac5df0dbe0ecb0ebba0742cef3c97531438f157f26a28b24be40f448aa0da20472cf6981b20c053eca8112902ee372bae35d123
-
SSDEEP
3072:tmJ+bNK6/M9WdT55ojgkSluk3zKNTaaHw7Koj4rtzf9EpvOBdts58n1bdctEPAnE:t1b86k9MVkSENPUvodK8YtEP++UsZ
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Modifies security service 2 TTPs 8 IoCs
-
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
-
Ramnit family
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Drops startup file 2 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 4 IoCs
-
Windows security modification 2 TTPs 6 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 34 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_07ec8b6e8c148b2847a910f6b5c63c2d.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_07ec8b6e8c148b2847a910f6b5c63c2d.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe2⤵
- Modifies WinLogon for persistence
- Modifies firewall policy service
- Modifies security service
- UAC bypass
- Windows security bypass
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\ldqtwwgw.exe"C:\Users\Admin\AppData\Local\Temp\ldqtwwgw.exe" elevate2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\ldqtwwgw.exe"" admin3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ldqtwwgw.exe"C:\Users\Admin\AppData\Local\Temp\ldqtwwgw.exe" admin4⤵
- Modifies firewall policy service
- Modifies security service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
8Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
288KB
MD507ec8b6e8c148b2847a910f6b5c63c2d
SHA17a2b2e33a88a8fc6b132de6bd833387438279824
SHA25662dc18f7d85f9c5009ea692618f650c51859ec71c2e5116c1a791f076cdac8b6
SHA512d1610d4a7d24302ee938bebb8ac5df0dbe0ecb0ebba0742cef3c97531438f157f26a28b24be40f448aa0da20472cf6981b20c053eca8112902ee372bae35d123
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
52KB
-
Filesize
52KB
-
Filesize
4KB
-
Filesize
52KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
52KB
-
Filesize
4KB
-
Filesize
52KB
-
Filesize
240KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
120KB
-
Filesize
240KB
-
Filesize
4KB
-
Filesize
240KB
-
Filesize
240KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
240KB
-
Filesize
240KB
-
Filesize
240KB