Analysis
- max time kernel: 147s
- max time network: 117s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 01/01/2025, 12:23
Static task: static1
Behavioral task: behavioral1
- Sample: JaffaCakes118_54ef2f2acdf62dfb40fc32aab1f46307.exe
- Resource: win7-20240708-en
General
- Target: JaffaCakes118_54ef2f2acdf62dfb40fc32aab1f46307.exe
- Size: 457KB
- MD5: 54ef2f2acdf62dfb40fc32aab1f46307
- SHA1: 3f3640685b7af5b52a13d49cfd1cf5364114e317
- SHA256: f384ded729fd7bf92383bf1ee12b4e3da92fbb01ef0e9d84bf439ba70525210d
- SHA512: 3ee12f2d99ce1ce272f99b7e190694f52aaf68bb2267f53efb6073d79100a3d127ad841bd9324d675af527e06bb9c56218ff1e91dfb644af1d21042cf049ff03
- SSDEEP: 6144:MqTi59VJdaD70ylbBTpVg8DPmgQhSdj/4KngWIq6jRk+j:MGin670yTTpVg8CgcSKKngWIjX
Malware Config
Extracted
- Family: formbook
- Version: 3.9
- Campaign: h37
Signatures
- Formbook family
- Formbook payload (3 IoCs)
  resource / yara_rule:
  - behavioral1/memory/3040-12-0x0000000000400000-0x000000000042A000-memory.dmp / formbook
  - behavioral1/memory/3040-16-0x0000000000400000-0x000000000042A000-memory.dmp / formbook
  - behavioral1/memory/3040-17-0x0000000000400000-0x000000000042A000-memory.dmp / formbook
- Executes dropped EXE (2 IoCs)
  pid / Process:
  - 2580 / app.exe
  - 3040 / app.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description / ioc / Process:
  - Set value (str) / \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\app.exe -boot" / app.exe
- Suspicious use of SetThreadContext (5 IoCs)
  description / pid / Process / procid_target:
  - PID 2580 set thread context of 3040 / 2580 / app.exe / 36
  - PID 3040 set thread context of 1212 / 3040 / app.exe / 21
  - PID 3040 set thread context of 2816 / 3040 / app.exe / 34
  - PID 3040 set thread context of 1212 / 3040 / app.exe / 21
  - PID 1864 set thread context of 1212 / 1864 / help.exe / 21
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process:
  - Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / JaffaCakes118_54ef2f2acdf62dfb40fc32aab1f46307.exe
  - Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / cmd.exe
  - Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / explorer.exe
  - Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / app.exe
  - Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / help.exe
  - Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / cmd.exe
- Suspicious behavior: EnumeratesProcesses (11 IoCs)
  pid / Process:
  - 3040 / app.exe (3 events)
  - 1864 / help.exe (8 events)
- Suspicious behavior: MapViewOfSection (7 IoCs)
  pid / Process:
  - 3040 / app.exe (5 events)
  - 1864 / help.exe (2 events)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description / pid / Process:
  - Token: SeDebugPrivilege / 2248 / JaffaCakes118_54ef2f2acdf62dfb40fc32aab1f46307.exe
  - Token: SeDebugPrivilege / 2580 / app.exe
  - Token: SeDebugPrivilege / 3040 / app.exe
  - Token: SeDebugPrivilege / 1864 / help.exe
- Suspicious use of WriteProcessMemory (31 IoCs)
  description / pid / Process / procid_target:
  - PID 2248 wrote to memory of 2784 / 2248 / JaffaCakes118_54ef2f2acdf62dfb40fc32aab1f46307.exe / 31 (4 events)
  - PID 2248 wrote to memory of 2588 / 2248 / JaffaCakes118_54ef2f2acdf62dfb40fc32aab1f46307.exe / 33 (4 events)
  - PID 2816 wrote to memory of 2580 / 2816 / explorer.exe / 35 (4 events)
  - PID 2580 wrote to memory of 3040 / 2580 / app.exe / 36 (7 events)
  - PID 2816 wrote to memory of 1248 / 2816 / explorer.exe / 37 (4 events)
  - PID 1212 wrote to memory of 1864 / 1212 / Explorer.EXE / 38 (4 events)
  - PID 1864 wrote to memory of 1312 / 1864 / help.exe / 39 (4 events)
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1212
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_54ef2f2acdf62dfb40fc32aab1f46307.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_54ef2f2acdf62dfb40fc32aab1f46307.exe"
    PID: 2248
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_54ef2f2acdf62dfb40fc32aab1f46307.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\app.exe"
      PID: 2784
      Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\explorer.exe
      Command line: "C:\Windows\System32\explorer.exe" /c, "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\app.exe"
      PID: 2588
      Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\help.exe
    Command line: "C:\Windows\SysWOW64\help.exe"
    PID: 1864
    Signatures: Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\app.exe"
      PID: 1312
      Signatures: System Location Discovery: System Language Discovery
- C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  PID: 2816
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\app.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\app.exe"
    PID: 2580
    Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\app.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\app.exe"
      PID: 3040
      Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\NAPSTAT.EXE
    Command line: "C:\Windows\SysWOW64\NAPSTAT.EXE"
    PID: 1248
Network
MITRE ATT&CK Enterprise v15