Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 117s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 04/04/2024, 20:48
Behavioral task: behavioral1
- Sample: c261149d4e7f6c19bdb188c7f37f7d8f_JaffaCakes118.exe
- Resource: win7-20240221-en
General
- Target: c261149d4e7f6c19bdb188c7f37f7d8f_JaffaCakes118.exe
- Size: 4.6MB
- MD5: c261149d4e7f6c19bdb188c7f37f7d8f
- SHA1: ae83e0ee118bc28cbb2fac3cb1c2e3346a8abaa5
- SHA256: 9c72dad5d73eefc96b1ff370e0e35b3744dea6134a7ddaef6bcd881521f6538d
- SHA512: ad5c52ecfaca9deccc4a7f2c5591093d5266556029a34fcd944dab0daef1be2f9d754c69fc3207dd004e6e701ea23b893fd9bd801fea60d79c7d3b1162115418
- SSDEEP: 98304:kUCP180L5+irxQKnAjAtHZO4VZAlBOIbU+dZq5ojlbHl8dr47n:kRO0LZrxD5O4VZAZUq85SlbSBun
Malware Config
Signatures

- XMRig Miner payload (7 IoCs)
  resource | yara_rule
  behavioral1/memory/1920-1-0x0000000000400000-0x0000000000593000-memory.dmp | xmrig
  behavioral1/memory/1920-14-0x0000000000400000-0x0000000000593000-memory.dmp | xmrig
  behavioral1/memory/2788-19-0x0000000000400000-0x0000000000593000-memory.dmp | xmrig
  behavioral1/memory/2788-24-0x00000000030A0000-0x0000000003233000-memory.dmp | xmrig
  behavioral1/memory/2788-25-0x0000000000400000-0x0000000000587000-memory.dmp | xmrig
  behavioral1/memory/2788-34-0x00000000005A0000-0x000000000071F000-memory.dmp | xmrig
  behavioral1/memory/2788-35-0x0000000000400000-0x0000000000587000-memory.dmp | xmrig

- Deletes itself (1 IoC)
  pid | Process
  2788 | c261149d4e7f6c19bdb188c7f37f7d8f_JaffaCakes118.exe

- Executes dropped EXE (1 IoC)
  pid | Process
  2788 | c261149d4e7f6c19bdb188c7f37f7d8f_JaffaCakes118.exe

- Loads dropped DLL (1 IoC)
  pid | Process
  1920 | c261149d4e7f6c19bdb188c7f37f7d8f_JaffaCakes118.exe

- UPX packed (yara rule: upx) (4 IoCs)
  resource | yara_rule
  behavioral1/memory/1920-0-0x0000000000400000-0x0000000000712000-memory.dmp | upx
  behavioral1/files/0x000b00000001224c-10.dat | upx
  behavioral1/memory/1920-15-0x0000000003930000-0x0000000003C42000-memory.dmp | upx
  behavioral1/memory/2788-17-0x0000000000400000-0x0000000000712000-memory.dmp | upx

- Suspicious behavior: RenamesItself (1 IoC)
  pid | Process
  1920 | c261149d4e7f6c19bdb188c7f37f7d8f_JaffaCakes118.exe

- Suspicious use of UnmapMainImage (2 IoCs)
  pid | Process
  1920 | c261149d4e7f6c19bdb188c7f37f7d8f_JaffaCakes118.exe
  2788 | c261149d4e7f6c19bdb188c7f37f7d8f_JaffaCakes118.exe

- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 1920 wrote to memory of 2788 | 1920 | c261149d4e7f6c19bdb188c7f37f7d8f_JaffaCakes118.exe | 29
  PID 1920 wrote to memory of 2788 | 1920 | c261149d4e7f6c19bdb188c7f37f7d8f_JaffaCakes118.exe | 29
  PID 1920 wrote to memory of 2788 | 1920 | c261149d4e7f6c19bdb188c7f37f7d8f_JaffaCakes118.exe | 29
  PID 1920 wrote to memory of 2788 | 1920 | c261149d4e7f6c19bdb188c7f37f7d8f_JaffaCakes118.exe | 29
Processes

1. C:\Users\Admin\AppData\Local\Temp\c261149d4e7f6c19bdb188c7f37f7d8f_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c261149d4e7f6c19bdb188c7f37f7d8f_JaffaCakes118.exe"
   PID: 1920
   - Loads dropped DLL
   - Suspicious behavior: RenamesItself
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\c261149d4e7f6c19bdb188c7f37f7d8f_JaffaCakes118.exe (child of PID 1920)
      Command line: C:\Users\Admin\AppData\Local\Temp\c261149d4e7f6c19bdb188c7f37f7d8f_JaffaCakes118.exe
      PID: 2788
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of UnmapMainImage
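The signature tables and the process tree above carry two findings worth pulling out mechanically rather than by eye: the YARA hits on the region at 0x400000 in each process change from `upx` to `xmrig` across successive dumps (the packer unpacks the miner payload in place), and PID 1920 re-launches its own image as PID 2788, writes into it four times, and both processes unmap their main image while 1920 renames itself and 2788 deletes itself. The script below is an added example, not part of the Triage report or Triage's own signature code. Every input is constructed by hand from the rows on this page (the resource strings, the PIDs, the image path, the signature names); the parsing of the `behavioral1/memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp` resource names follows the format as printed above, and the helper names are mine.

```python
"""
Re-derive two observations from a Triage report's own signature rows:
  1. per process, the YARA rule matched on the main image region (base 0x400000)
     over successive memory dumps, to show packer -> payload unpacking in place;
  2. parent/child pairs that run the same image, where the parent wrote into the
     child and the child unmapped its own main image (self-replacement chain).
All input below is constructed by hand from the report; nothing is downloaded.
"""
import re
from collections import defaultdict

IMG = r"C:\Users\Admin\AppData\Local\Temp\c261149d4e7f6c19bdb188c7f37f7d8f_JaffaCakes118.exe"

# (resource, yara_rule) rows copied from the "XMRig Miner payload" and "upx" tables.
YARA_HITS = [
    ("behavioral1/memory/1920-0-0x0000000000400000-0x0000000000712000-memory.dmp", "upx"),
    ("behavioral1/memory/1920-1-0x0000000000400000-0x0000000000593000-memory.dmp", "xmrig"),
    ("behavioral1/files/0x000b00000001224c-10.dat", "upx"),
    ("behavioral1/memory/1920-14-0x0000000000400000-0x0000000000593000-memory.dmp", "xmrig"),
    ("behavioral1/memory/1920-15-0x0000000003930000-0x0000000003C42000-memory.dmp", "upx"),
    ("behavioral1/memory/2788-17-0x0000000000400000-0x0000000000712000-memory.dmp", "upx"),
    ("behavioral1/memory/2788-19-0x0000000000400000-0x0000000000593000-memory.dmp", "xmrig"),
    ("behavioral1/memory/2788-24-0x00000000030A0000-0x0000000003233000-memory.dmp", "xmrig"),
    ("behavioral1/memory/2788-25-0x0000000000400000-0x0000000000587000-memory.dmp", "xmrig"),
    ("behavioral1/memory/2788-34-0x00000000005A0000-0x000000000071F000-memory.dmp", "xmrig"),
    ("behavioral1/memory/2788-35-0x0000000000400000-0x0000000000587000-memory.dmp", "xmrig"),
]

# (writer pid, target pid) from "Suspicious use of WriteProcessMemory": four identical rows.
WRITES = [(1920, 2788)] * 4

# pid -> (parent pid, image path) from the process tree; 2788 is the child of 1920.
PROCS = {1920: (None, IMG), 2788: (1920, IMG)}

# pid -> signature names attached to that process in the tree.
BEHAVIORS = {
    1920: {"Loads dropped DLL", "RenamesItself", "UnmapMainImage", "WriteProcessMemory"},
    2788: {"Deletes itself", "Executes dropped EXE", "UnmapMainImage"},
}

# Matches Triage's memory dump resource names as printed in the report.
MEM_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_memory_hit(resource):
    """Return (pid, seq, start, end) for a memory dump resource, None for file hits."""
    m = MEM_RE.search(resource)
    if not m:
        return None
    pid, seq, start, end = m.groups()
    return int(pid), int(seq), int(start, 16), int(end, 16)


def rule_timeline(hits, base=0x400000):
    """Per pid, (seq, rule, region size) for dumps whose region starts at `base`, in dump order."""
    timeline = defaultdict(list)
    for resource, rule in hits:
        parsed = parse_memory_hit(resource)
        if parsed and parsed[2] == base:
            pid, seq, start, end = parsed
            timeline[pid].append((seq, rule, end - start))
    return {pid: sorted(rows) for pid, rows in timeline.items()}


def unpacked_in_place(timeline):
    """pids whose main image matched the packer rule first and a non-packer rule in a later dump."""
    result = {}
    for pid, rows in timeline.items():
        rules = [rule for _, rule, _ in rows]
        if "upx" in rules:
            later = rules[rules.index("upx") + 1:]
            payload = sorted({r for r in later if r != "upx"})
            if payload:
                result[pid] = payload
    return result


def self_replacement_chains(procs, writes, behaviors):
    """Parent/child pairs on the same image where the parent wrote into the child
    and the child unmapped its own main image; also lists the cleanup behaviours seen."""
    findings = []
    for child, (parent, image) in procs.items():
        if parent is None or parent not in procs:
            continue
        same_image = procs[parent][1].lower() == image.lower()
        write_count = writes.count((parent, child))
        child_unmapped = "UnmapMainImage" in behaviors.get(child, set())
        if same_image and write_count and child_unmapped:
            seen = behaviors.get(parent, set()) | behaviors.get(child, set())
            findings.append({
                "parent": parent, "child": child, "writes": write_count,
                "cleanup": sorted(b for b in seen if b in ("RenamesItself", "Deletes itself")),
            })
    return findings


if __name__ == "__main__":
    tl = rule_timeline(YARA_HITS)
    for pid, rows in tl.items():
        print(pid, [(seq, rule, hex(size)) for seq, rule, size in rows])
    print("unpacked in place:", unpacked_in_place(tl))
    print("self-replacement chains:", self_replacement_chains(PROCS, WRITES, BEHAVIORS))
```

Run as-is, it reports that both 1920 and 2788 go from `upx` to `xmrig` on the 0x400000 region (the matched region also shrinks from 0x312000 to 0x193000 and then 0x187000 bytes, which is the unpacked image being smaller than the packed mapping) and one 1920 -> 2788 chain with four writes. The dropped file hit (`files/0x000b00000001224c-10.dat`) is deliberately ignored by the memory parser. If you re-run the sample to confirm any of this, note the banner at the top of the page: the win7 image used here is scheduled for removal, so choose a currently supported image.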
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 784KB
- MD5: bc6e6cab2f2ad2d331195bdeadfcd612
- SHA1: ea03a6db4ad2b4ee6a72802df3db90f6f44319fc
- SHA256: aadd62efa5b91a321b62db05118265bf8e8c62f9a4649340b0c4bf91cccd18e7
- SHA512: 2d2d65a8283155392a23d0416c00e461fe1c223d6d2662e089e88b7851368f0dd785f92b34200406e94edf6a0d481e84a3388135601d9dc6c5e56f01719d2b21