Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 149s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 06/04/2024, 07:43
Static task: static1
Behavioral task: behavioral1
- Sample: df2e1a5648b130f214e61c251d710188_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: df2e1a5648b130f214e61c251d710188_JaffaCakes118.exe
- Resource: win10v2004-20240226-en
General
- Target: df2e1a5648b130f214e61c251d710188_JaffaCakes118.exe
- Size: 158KB
- MD5: df2e1a5648b130f214e61c251d710188
- SHA1: e3b705fb05cd816d012362798ec5deea57f7a483
- SHA256: 46ca77c13ede88ed1dc4be9b4cc30c743288533e11b54a6e7139123a19ce8f47
- SHA512: dd380774c8c3dc2219b9109e5886382d5919a1b1dc13b8352d4835ee3d90a1c9e445b3360a9c62ed21d88da60e41945eebbed19e49443ea47cbc98dcaba1ce86
- SSDEEP: 3072:qKtfDwsjPThTYszDH2fHVUcdPuPHfEjETjPNtSweAhPXjSvZmXHlfHYTo:BtfDwsjPThT5zL2dBUPHfAETTNt2Apz0
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 2904, cmd.exe
- Executes dropped EXE (2 IoCs)
  pid 2976, Logo1_.exe
  pid 2588, df2e1a5648b130f214e61c251d710188_JaffaCakes118.exe
- Loads dropped DLL (1 IoC)
  pid 2904, cmd.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates connected drives (3 TTPs, 21 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by Logo1_.exe: \??\W:, \??\V:, \??\L:, \??\K:, \??\H:, \??\G:, \??\T:, \??\S:, \??\R:, \??\Q:, \??\O:, \??\N:, \??\E:, \??\Z:, \??\U:, \??\P:, \??\M:, \??\Y:, \??\X:, \??\J:, \??\I:
- Drops file in Program Files directory (64 IoCs)
  File opened for modification by Logo1_.exe:
  - C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe
  - C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe
  - C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe
  - C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe
  - C:\Program Files\DVD Maker\DVDMaker.exe
  - C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe
  - C:\Program Files\Java\jre7\bin\rmiregistry.exe
  - C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe
  - C:\Program Files\Java\jdk1.7.0_80\bin\java.exe
  - C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe
  - C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe
  - C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe
  - C:\Program Files\Windows Journal\Journal.exe
  - C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe
  - C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe
  - C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe
  - C:\Program Files\Java\jre7\bin\java.exe
  - C:\Program Files\Java\jre7\bin\tnameserv.exe
  - C:\Program Files\7-Zip\7zFM.exe
  - C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe
  - C:\Program Files\Java\jre7\bin\orbd.exe
  - C:\Program Files\Mozilla Firefox\firefox.exe
  - C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe
  - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe
  - C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe
  - C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe
  - C:\Program Files\Mozilla Firefox\maintenanceservice.exe
  - C:\Program Files\Windows Journal\PDIALOG.exe
  - C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe
  - C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe
  - C:\Program Files (x86)\Microsoft Office\Office14\MSOUC.EXE
  - C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe
  - C:\Program Files (x86)\Windows Mail\wabmig.exe
  - C:\Program Files\Java\jre7\bin\jabswitch.exe
  - C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe
  - C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
  - C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe
  - C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe
  - C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe
  - C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE
  - C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe
  - C:\Program Files (x86)\Google\Update\Install\{A460FDBD-01C6-4800-8EDB-C87720E1D9B6}\chrome_installer.exe
  - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
  - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
  - C:\Program Files\Windows Mail\WinMail.exe
  - C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe
  - C:\Program Files\Java\jre7\bin\javaw.exe
  - C:\Program Files (x86)\Windows Media Player\wmpshare.exe
  - C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe
  - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE
  - C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.EXE
  - C:\Program Files (x86)\Microsoft Office\Office14\MSTORDB.EXE
  - C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe
  - C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe
  - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  - C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe
  - C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe
  - C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
  - C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe
  - C:\Program Files (x86)\Windows Mail\WinMail.exe
  - C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe
  - C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe
  - C:\Program Files\Mozilla Firefox\private_browsing.exe
- Drops file in Windows directory (2 IoCs)
  File created C:\Windows\Logo1_.exe by df2e1a5648b130f214e61c251d710188_JaffaCakes118.exe
  File created C:\Windows\virDll.dll by Logo1_.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid 2976, Logo1_.exe (8 occurrences)
- Suspicious use of WriteProcessMemory (14 IoCs)
  PID 3004 (df2e1a5648b130f214e61c251d710188_JaffaCakes118.exe) wrote to memory of 2904, procid_target 28 (4 occurrences)
  PID 3004 (df2e1a5648b130f214e61c251d710188_JaffaCakes118.exe) wrote to memory of 2976, procid_target 30 (4 occurrences)
  PID 2976 (Logo1_.exe) wrote to memory of 1284, procid_target 21 (2 occurrences)
  PID 2904 (cmd.exe) wrote to memory of 2588, procid_target 31 (4 occurrences)
Processes
- [1] C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1284
  - [2] C:\Users\Admin\AppData\Local\Temp\df2e1a5648b130f214e61c251d710188_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\df2e1a5648b130f214e61c251d710188_JaffaCakes118.exe"
    PID: 3004
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a35B0.bat
      PID: 2904
      Signatures: Deletes itself; Loads dropped DLL; Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Local\Temp\df2e1a5648b130f214e61c251d710188_JaffaCakes118.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\df2e1a5648b130f214e61c251d710188_JaffaCakes118.exe"
        PID: 2588
        Signatures: Executes dropped EXE
    - [3] C:\Windows\Logo1_.exe
      Command line: C:\Windows\Logo1_.exe
      PID: 2976
      Signatures: Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads