Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 150s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 06/04/2024, 14:45
Behavioral task: behavioral1
- Sample: e2c5b96c2e7d8eab8c67326a13fe449a_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: e2c5b96c2e7d8eab8c67326a13fe449a_JaffaCakes118.exe
- Resource: win10v2004-20240226-en
General
- Target: e2c5b96c2e7d8eab8c67326a13fe449a_JaffaCakes118.exe
- Size: 12KB
- MD5: e2c5b96c2e7d8eab8c67326a13fe449a
- SHA1: 4518bfd39e40e6287fc2d2783a4d43b6ef652cc6
- SHA256: d5c62df11d9b96104bdb9fd411142d931c621740b90c2ad790802f244251a0c0
- SHA512: 16eb8502660bbb3f3ce19e56121461cc2737eb6fdb3b33aad22a70a207093075f63e4d304a995b7dc03b85455b65a9a9d3336846f00a87de1f3b112de69cec11
- SSDEEP: 192:LWvtPFn/nnQQRd4x6/5GicffwP8SkuMW7z7lEPwzPeIEv/7pPNJTf8g:yFn/nnhRd4QBfafetZMEFzm/9PNZf3
Malware Config
Signatures
- Modifies AppInit DLL entries (2 TTPs)
- Deletes itself (1 IoCs)
  pid | Process
  2440 | cmd.exe
- Executes dropped EXE (1 IoCs)
  pid | Process
  1940 | rexljehk.exe
- Loads dropped DLL (2 IoCs)
  pid | Process
  1660 | e2c5b96c2e7d8eab8c67326a13fe449a_JaffaCakes118.exe
  1660 | e2c5b96c2e7d8eab8c67326a13fe449a_JaffaCakes118.exe
- UPX packed file (5 IoCs)
  resource | yara_rule
  behavioral1/memory/1660-0-0x0000000000400000-0x0000000000410000-memory.dmp | upx
  behavioral1/files/0x000c0000000131a1-3.dat | upx
  behavioral1/memory/1660-4-0x0000000000230000-0x0000000000240000-memory.dmp | upx
  behavioral1/memory/1660-11-0x0000000000400000-0x0000000000410000-memory.dmp | upx
  behavioral1/memory/1940-12-0x0000000000400000-0x0000000000410000-memory.dmp | upx
- Drops file in System32 directory (3 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\rexljeh.dll | e2c5b96c2e7d8eab8c67326a13fe449a_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\rexljehk.exe | e2c5b96c2e7d8eab8c67326a13fe449a_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\rexljehk.exe | e2c5b96c2e7d8eab8c67326a13fe449a_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 1660 wrote to memory of 1940 | 1660 | e2c5b96c2e7d8eab8c67326a13fe449a_JaffaCakes118.exe | 28
  PID 1660 wrote to memory of 1940 | 1660 | e2c5b96c2e7d8eab8c67326a13fe449a_JaffaCakes118.exe | 28
  PID 1660 wrote to memory of 1940 | 1660 | e2c5b96c2e7d8eab8c67326a13fe449a_JaffaCakes118.exe | 28
  PID 1660 wrote to memory of 1940 | 1660 | e2c5b96c2e7d8eab8c67326a13fe449a_JaffaCakes118.exe | 28
  PID 1660 wrote to memory of 2440 | 1660 | e2c5b96c2e7d8eab8c67326a13fe449a_JaffaCakes118.exe | 29
  PID 1660 wrote to memory of 2440 | 1660 | e2c5b96c2e7d8eab8c67326a13fe449a_JaffaCakes118.exe | 29
  PID 1660 wrote to memory of 2440 | 1660 | e2c5b96c2e7d8eab8c67326a13fe449a_JaffaCakes118.exe | 29
  PID 1660 wrote to memory of 2440 | 1660 | e2c5b96c2e7d8eab8c67326a13fe449a_JaffaCakes118.exe | 29
Processes
- C:\Users\Admin\AppData\Local\Temp\e2c5b96c2e7d8eab8c67326a13fe449a_JaffaCakes118.exe (level 1, PID 1660)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e2c5b96c2e7d8eab8c67326a13fe449a_JaffaCakes118.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rexljehk.exe (level 2, PID 1940)
    Command line: C:\Windows\system32\rexljehk.exe ˜‰
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (level 2, PID 2440)
    Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\e2c5b96c2e7d8eab8c67326a13fe449a_JaffaCakes118.exe.bat
    - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 210B
  MD5: 85bb108f9917b9bce9139a4e3dc136a2
  SHA1: cdccce71f6fbb0831781e79ed14a7853c007b0ba
  SHA256: 03cc47917cacaf345e08cc77f98cbda58d6b8521c09b1e96643a536e0e6fc6fb
  SHA512: 1615a990b5fadab1b781049d08f8fd3ee920fab02ef4400f31c91b3aee7c7522613bc4f99cfe2d2c1be5116f20ad2165cc20d08e6a63cc552be4185d63ebe430
- Filesize: 12KB
  MD5: e2c5b96c2e7d8eab8c67326a13fe449a
  SHA1: 4518bfd39e40e6287fc2d2783a4d43b6ef652cc6
  SHA256: d5c62df11d9b96104bdb9fd411142d931c621740b90c2ad790802f244251a0c0
  SHA512: 16eb8502660bbb3f3ce19e56121461cc2737eb6fdb3b33aad22a70a207093075f63e4d304a995b7dc03b85455b65a9a9d3336846f00a87de1f3b112de69cec11