Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 28/03/2024, 10:53
Behavioral task: behavioral1
- Sample: 03bb334fcbb230bba9dea158f2968ae1_JaffaCakes118.exe
- Resource: win7-20240221-en
General
- Target: 03bb334fcbb230bba9dea158f2968ae1_JaffaCakes118.exe
- Size: 3.1MB
- MD5: 03bb334fcbb230bba9dea158f2968ae1
- SHA1: ae6eb8cad29afe900828643e562dad2c2e9e55a4
- SHA256: 71e00c5a1eade66c9fd48eab9516d70b46f77b8c390af265bb66f7603cd121b5
- SHA512: c49894fd9e78da381d3e861bcc82ae44a60f0a1c3c52e34cb293b929ec09a73ded0825e6acbdaae10c903200f72b3c05b405edb149367aeb863054b9ffdc587e
- SSDEEP: 98304:gTYxUL/vVGvDi/Ek27iFhQU6e0XLoZSAv0yVLg:GnXgi/Ek2WkUZZ5MyVg
Malware Config
Signatures
- XMRig Miner payload (8 IoCs)
  resource / yara_rule:
  behavioral1/memory/2088-1-0x0000000000400000-0x0000000000593000-memory.dmp  xmrig
  behavioral1/memory/3052-17-0x0000000000400000-0x0000000000593000-memory.dmp  xmrig
  behavioral1/memory/3052-19-0x0000000000400000-0x0000000000712000-memory.dmp  xmrig
  behavioral1/memory/2088-15-0x0000000003750000-0x0000000003A62000-memory.dmp  xmrig
  behavioral1/memory/2088-14-0x0000000000400000-0x0000000000593000-memory.dmp  xmrig
  behavioral1/memory/3052-24-0x0000000000400000-0x0000000000587000-memory.dmp  xmrig
  behavioral1/memory/3052-25-0x0000000003150000-0x00000000032E3000-memory.dmp  xmrig
  behavioral1/memory/3052-34-0x0000000000400000-0x0000000000587000-memory.dmp  xmrig
- Deletes itself (1 IoC)
  pid 3052  03bb334fcbb230bba9dea158f2968ae1_JaffaCakes118.exe
- Executes dropped EXE (1 IoC)
  pid 3052  03bb334fcbb230bba9dea158f2968ae1_JaffaCakes118.exe
- Loads dropped DLL (1 IoC)
  pid 2088  03bb334fcbb230bba9dea158f2968ae1_JaffaCakes118.exe
- yara_rule hits tagged upx (2 IoCs)
  behavioral1/memory/2088-0-0x0000000000400000-0x0000000000712000-memory.dmp  upx
  behavioral1/files/0x000a0000000122b8-16.dat  upx
- Suspicious behavior: RenamesItself (1 IoC)
  pid 2088  03bb334fcbb230bba9dea158f2968ae1_JaffaCakes118.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid 2088  03bb334fcbb230bba9dea158f2968ae1_JaffaCakes118.exe
  pid 3052  03bb334fcbb230bba9dea158f2968ae1_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description                       | pid  | Process                                          | procid_target
  PID 2088 wrote to memory of 3052  | 2088 | 03bb334fcbb230bba9dea158f2968ae1_JaffaCakes118.exe | 29
  PID 2088 wrote to memory of 3052  | 2088 | 03bb334fcbb230bba9dea158f2968ae1_JaffaCakes118.exe | 29
  PID 2088 wrote to memory of 3052  | 2088 | 03bb334fcbb230bba9dea158f2968ae1_JaffaCakes118.exe | 29
  PID 2088 wrote to memory of 3052  | 2088 | 03bb334fcbb230bba9dea158f2968ae1_JaffaCakes118.exe | 29
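The memory-dump identifiers and WriteProcessMemory rows above are easier to reason about once the address ranges are turned into sizes per process. The helper below is an added example written for this page, not tria.ge code; it assumes only tria.ge's visible dump naming scheme (behavioral1/memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp <rule>) and the "PID a wrote to memory of b" wording of the WriteProcessMemory IoCs. The input lines are copied from this report; the image base 0x400000 is an assumption taken from the dump addresses, and all function names are my own.

```python
"""Summarise tria.ge memory-dump YARA hits and cross-process writes.

Hypothetical helper written for this page, not tria.ge code. It assumes only
the dump naming scheme visible in the report:
    behavioral1/memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp <rule>
and the "PID <a> wrote to memory of <b>" wording of the WriteProcessMemory IoCs.
"""
import re
from collections import Counter, defaultdict

# Constructed input: the dump identifiers copied from the report above.
DUMPS = """
behavioral1/memory/2088-0-0x0000000000400000-0x0000000000712000-memory.dmp upx
behavioral1/memory/2088-1-0x0000000000400000-0x0000000000593000-memory.dmp xmrig
behavioral1/memory/2088-14-0x0000000000400000-0x0000000000593000-memory.dmp xmrig
behavioral1/memory/2088-15-0x0000000003750000-0x0000000003A62000-memory.dmp xmrig
behavioral1/memory/3052-17-0x0000000000400000-0x0000000000593000-memory.dmp xmrig
behavioral1/memory/3052-19-0x0000000000400000-0x0000000000712000-memory.dmp xmrig
behavioral1/memory/3052-24-0x0000000000400000-0x0000000000587000-memory.dmp xmrig
behavioral1/memory/3052-25-0x0000000003150000-0x00000000032E3000-memory.dmp xmrig
behavioral1/memory/3052-34-0x0000000000400000-0x0000000000587000-memory.dmp xmrig
"""

# Constructed input: the WriteProcessMemory descriptions copied from the report.
WRITES = """
PID 2088 wrote to memory of 3052
PID 2088 wrote to memory of 3052
PID 2088 wrote to memory of 3052
PID 2088 wrote to memory of 3052
"""

IMAGE_BASE = 0x400000  # assumption: the base both processes map their image at

DUMP_RE = re.compile(
    r"behavioral\d+/memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp\s+(?P<rule>\S+)"
)
WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")


def parse_dumps(text):
    """One dict per dump line (pid, seq, start, end, size, rule), ordered by seq."""
    hits = []
    for line in text.strip().splitlines():
        m = DUMP_RE.match(line.strip())
        if not m:
            continue  # ignore anything that is not a memory dump identifier
        start, end = int(m["start"], 16), int(m["end"], 16)
        hits.append({"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start,
                     "end": end, "size": end - start, "rule": m["rule"]})
    return sorted(hits, key=lambda h: h["seq"])


def parse_writes(text):
    """Count (writer pid, target pid) pairs from WriteProcessMemory IoC lines."""
    return Counter((int(a), int(b)) for a, b in WRITE_RE.findall(text))


def image_timeline(hits, image_base=IMAGE_BASE):
    """Per pid: (seq, size) of every dump taken at the image base, in dump order.

    A size change at the same base means the mapped image was replaced, which
    is what an in-place unpack or an unmap-and-remap leaves behind."""
    timeline = defaultdict(list)
    for h in hits:
        if h["start"] == image_base:
            timeline[h["pid"]].append((h["seq"], h["size"]))
    return dict(timeline)


def image_sized_copies(hits, image_base=IMAGE_BASE):
    """Regions away from the image base whose size equals some image-base region.

    An image-sized buffer elsewhere in memory is what a process holds when it
    carries a copy of an executable it is about to map into itself or write
    into a child; the result names which image-base dump the size matches."""
    image_sizes = {}
    for h in hits:
        if h["start"] == image_base:
            image_sizes.setdefault(h["size"], (h["pid"], h["seq"]))
    return [{"pid": h["pid"], "seq": h["seq"], "start": h["start"], "size": h["size"],
             "matches": image_sizes[h["size"]]}
            for h in hits if h["start"] != image_base and h["size"] in image_sizes]


def summary(dump_text=DUMPS, write_text=WRITES):
    hits = parse_dumps(dump_text)
    return {"timeline": image_timeline(hits), "copies": image_sized_copies(hits),
            "writes": parse_writes(write_text)}


if __name__ == "__main__":
    s = summary()
    for pid, steps in s["timeline"].items():
        print(pid, ["seq %d: 0x%X bytes" % (seq, size) for seq, size in steps])
    for c in s["copies"]:
        print("pid %d seq %d: 0x%X-byte region at 0x%X matches image of pid %d (seq %d)"
              % (c["pid"], c["seq"], c["size"], c["start"], *c["matches"]))
    for (src, dst), n in s["writes"].items():
        print("pid %d wrote to pid %d %d times" % (src, dst, n))
```

Run against this report it shows the region at 0x400000 in PID 2088 going from 0x312000 bytes (the upx-tagged dump, close to the 3.1MB file size) to 0x193000 bytes, with a 0x312000-byte buffer appearing at 0x3750000; in PID 3052 the base region changes size three times (0x193000, then 0x312000, then 0x187000) and a 0x193000-byte buffer appears at 0x3150000, while PID 2088 is recorded writing into PID 3052 four times. That is the shape of a packed stub that re-executes its own dropped copy and rewrites the child's image, which is what the UnmapMainImage, WriteProcessMemory and Executes dropped EXE signatures are flagging.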
Processes
- C:\Users\Admin\AppData\Local\Temp\03bb334fcbb230bba9dea158f2968ae1_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\03bb334fcbb230bba9dea158f2968ae1_JaffaCakes118.exe"
  Depth: 1
  - Loads dropped DLL
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID: 2088
  - C:\Users\Admin\AppData\Local\Temp\03bb334fcbb230bba9dea158f2968ae1_JaffaCakes118.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\03bb334fcbb230bba9dea158f2968ae1_JaffaCakes118.exe
    Depth: 2 (child of the process above)
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
    PID: 3052
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 784KB
  MD5: e5644911a566096dc5daaea198896a30
  SHA1: c37d9811768a864f8fe39106565a7c9d6f9cce53
  SHA256: 75dd034d75ae1d29b739b16ea1be39ef0eae41856cac7afb11be82c0efb8544c
  SHA512: 8af29fb26aaa80cb9dbb07f9763e1be2b45d669f8273680308cba5845221efa7f328f28c035498772daaf56a6dee45033913a21bf55148e714b6781e86464564