Analysis
- max time kernel: 120s
- max time network: 145s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 05/04/2024, 15:11
Static task
- static1
Behavioral task
- behavioral1
  - Sample: d74029dd8757698561295c4c3c3f1318_JaffaCakes118.exe
  - Resource: win7-20240221-en
Behavioral task
- behavioral2
  - Sample: d74029dd8757698561295c4c3c3f1318_JaffaCakes118.exe
  - Resource: win10v2004-20240226-en
General
- Target: d74029dd8757698561295c4c3c3f1318_JaffaCakes118.exe
- Size: 24KB
- MD5: d74029dd8757698561295c4c3c3f1318
- SHA1: 683172b2cc1a4728cc5e563f514d522b94cc4fcb
- SHA256: 2794ad4803afafc6eb7ef4d6a5eb79bc991de79d096fb6042a505eb69807defc
- SHA512: 160de2b838cf9c740b715063c96786b6c2933bce8601212a0edc2810b4df7f804ccb68be54dd5510757732cc9d319f5e5cb6033b62760ddcebc4d43bdb69dd65
- SSDEEP: 384:E3eVES+/xwGkRKJilM61qmTTMVF9/q5t0:bGS+ZfbJiO8qYoAC
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Start GeekBuddy = "C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\spoolsv.exe"
  process: d74029dd8757698561295c4c3c3f1318_JaffaCakes118.exe
- Drops file in Program Files directory (1 IoC)
  description: File created
  ioc: C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033\spoolsv.exe
  process: d74029dd8757698561295c4c3c3f1318_JaffaCakes118.exe
- Enumerates processes with tasklist (1 TTP, 1 IoC)
  pid 2648, process tasklist.exe
- Gathers network information (2 TTPs, 2 IoCs)
  Uses commandline utility to view network configuration.
  pid 2588, process ipconfig.exe
  pid 2432, process NETSTAT.EXE
- Runs net.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description: Token: SeDebugPrivilege; pid 2648; process tasklist.exe
  description: Token: SeDebugPrivilege; pid 2432; process NETSTAT.EXE
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 2148, process d74029dd8757698561295c4c3c3f1318_JaffaCakes118.exe (recorded twice)
- Suspicious use of WriteProcessMemory (28 IoCs)
  Each of the following entries (description; pid; process; procid_target) is recorded four times:
  PID 2148 wrote to memory of 2896; 2148; d74029dd8757698561295c4c3c3f1318_JaffaCakes118.exe; 27
  PID 2896 wrote to memory of 2596; 2896; cmd.exe; 29
  PID 2896 wrote to memory of 2588; 2896; cmd.exe; 30
  PID 2896 wrote to memory of 2648; 2896; cmd.exe; 31
  PID 2896 wrote to memory of 2228; 2896; cmd.exe; 33
  PID 2228 wrote to memory of 2556; 2228; net.exe; 34
  PID 2896 wrote to memory of 2432; 2896; cmd.exe; 35
Processes
- C:\Users\Admin\AppData\Local\Temp\d74029dd8757698561295c4c3c3f1318_JaffaCakes118.exe (PID 2148)
  command line: "C:\Users\Admin\AppData\Local\Temp\d74029dd8757698561295c4c3c3f1318_JaffaCakes118.exe"
  signatures: Adds Run key to start application; Drops file in Program Files directory; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2896)
    command line: cmd /c ver >c:\windows\temp\flash.log & cmd /c set >>c:\windows\temp\flash.log & ipconfig /all >>c:\windows\temp\flash.log & tasklist >>c:\windows\temp\flash.log & net start>>c:\windows\temp\flash.log & netstat -an >>c:\windows\temp\flash.log
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2596)
      command line: cmd /c set
    - C:\Windows\SysWOW64\ipconfig.exe (PID 2588)
      command line: ipconfig /all
      signatures: Gathers network information
    - C:\Windows\SysWOW64\tasklist.exe (PID 2648)
      command line: tasklist
      signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\net.exe (PID 2228)
      command line: net start
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe (PID 2556)
        command line: C:\Windows\system32\net1 start
    - C:\Windows\SysWOW64\NETSTAT.EXE (PID 2432)
      command line: netstat -an
      signatures: Gathers network information; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 8KB
  MD5: ea09c18f5de6098c507c52013663a0fc
  SHA1: 6cca12fec35c349ca647184c71076938cfa8f330
  SHA256: c184dd1fde882fcf6690f49f4fe268402e75b6fd2a64edeee9a664353a009ec4
  SHA512: 77b65e049861cf78c4cda487b56bfb0ed427aed86480eb60b513b571deee0f160beb370f54cd39af0271f3ef3b2b63ecadcd394d84236577b92df234581fce7e