Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
28/03/2024, 20:37
Static task
static1
Behavioral task
behavioral1
Sample
0f744a9b527782edb75cf171a19cf96e_JaffaCakes118.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
0f744a9b527782edb75cf171a19cf96e_JaffaCakes118.exe
Resource
win10v2004-20240226-en
General
-
Target
0f744a9b527782edb75cf171a19cf96e_JaffaCakes118.exe
-
Size
7.6MB
-
MD5
0f744a9b527782edb75cf171a19cf96e
-
SHA1
a4f8ebd208a5ba36c0d8196db794ceb268b95282
-
SHA256
a62861c40c19bc3182c67314c02c2e8b082845ca611e9bad2553257b2743e777
-
SHA512
934549bab0635a4610b51a262254e2ec5e9305d488c6be4d684408ee551f066734192fcd7135b7f37338847ecff611cd7e8c6b6661d4d6a30bde79290a88d6e8
-
SSDEEP
196608:eZuEy3k/C47lParzuJ6Dx0jyiNgifBtUnIhuTbyYDJfqFtev:2w3kK47p4KIuae361TbyYtqFt2
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid Process 2528 servbrow.exe 2504 servbrow.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\servbrow.exe 0f744a9b527782edb75cf171a19cf96e_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeTcbPrivilege 2528 servbrow.exe Token: SeChangeNotifyPrivilege 2528 servbrow.exe Token: SeIncreaseQuotaPrivilege 2528 servbrow.exe Token: SeAssignPrimaryTokenPrivilege 2528 servbrow.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 2372 0f744a9b527782edb75cf171a19cf96e_JaffaCakes118.exe 2528 servbrow.exe 2504 servbrow.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2528 wrote to memory of 2504 2528 servbrow.exe 31 PID 2528 wrote to memory of 2504 2528 servbrow.exe 31 PID 2528 wrote to memory of 2504 2528 servbrow.exe 31 PID 2528 wrote to memory of 2504 2528 servbrow.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\0f744a9b527782edb75cf171a19cf96e_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\0f744a9b527782edb75cf171a19cf96e_JaffaCakes118.exe"1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2372
-
C:\Windows\servbrow.exe"C:\Windows\servbrow.exe" /Service1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Windows\servbrow.exe"C:\Windows\servbrow.exe" /Popup2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2504
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7.6MB
MD5afa3f2b3dfe43d9ea75b0f4f186df215
SHA15d5092ed20267e77ae9d92b99118d49bb653b2b2
SHA256efe3d26cebe8baeeeb41c105ba3a06d33f27101fcaeebd8cb10000f207b09798
SHA5127a99cc205e2c61e29cad06cab92119b939ea02f2ac0598a1c0317db83ddcbd7a0b662b5c470cfac1dae258249dd783233e58196ba267825a62b38983ac14e82f