Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 142s
max time network: 120s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 07/04/2024, 18:15
Static task: static1
Behavioral task: behavioral1
  Sample: e58dd8f61151a54bfa678ddf428009e4_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: e58dd8f61151a54bfa678ddf428009e4_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: e58dd8f61151a54bfa678ddf428009e4_JaffaCakes118.exe
Size: 7.9MB
MD5: e58dd8f61151a54bfa678ddf428009e4
SHA1: 52602ce35b7baf50a55ec1ece9a50733973afc01
SHA256: 5a219dd672a2893e8d89222da783e1c83780fb6fd2daca5355439505aeb5682f
SHA512: 6bb579a71196f1f8a2e55e87f0c7c4a1df1c482a2764ac3df6e685218f6bf85215abbb47126bcba1f0f8ce4ee389c4ee63ceb40754c73241bfabf2155bb328c7
SSDEEP: 196608:0dazg7DS8dazg7DS8dazg7DS8dazg7DSv:Rg7uJg7uJg7uJg7uv
Malware Config
Signatures
Executes dropped EXE (3 IoCs)
  pid   Process
  2696  7D57AD13E21.exe
  2828  Scegli_nome_allegato.exe
  2792  7D57AD13E21.exe

Loads dropped DLL (3 IoCs)
  pid   Process
  2124  e58dd8f61151a54bfa678ddf428009e4_JaffaCakes118.exe
  2124  e58dd8f61151a54bfa678ddf428009e4_JaffaCakes118.exe
  2124  e58dd8f61151a54bfa678ddf428009e4_JaffaCakes118.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\7D57AD13E21.exe"
  Process: reg.exe

Suspicious use of SetThreadContext (1 IoCs)
  description: PID 2696 set thread context of 2792
  pid: 2696
  Process: 7D57AD13E21.exe
  procid_target: 33
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Modifies Internet Explorer settings
  description: Key created
  ioc: \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main
  Process: Scegli_nome_allegato.exe

  description: Key created
  ioc: \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch
  Process: Scegli_nome_allegato.exe

  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"
  Process: Scegli_nome_allegato.exe
Modifies registry key (1 TTPs, 1 IoCs)
  pid   Process
  2604  reg.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
  pid   Process
  2828  Scegli_nome_allegato.exe
  2828  Scegli_nome_allegato.exe
  2828  Scegli_nome_allegato.exe
  2792  7D57AD13E21.exe

Suspicious use of WriteProcessMemory (18 IoCs)
  description                        pid   Process                                              procid_target
  PID 2124 wrote to memory of 2604   2124  e58dd8f61151a54bfa678ddf428009e4_JaffaCakes118.exe  28
  PID 2124 wrote to memory of 2604   2124  e58dd8f61151a54bfa678ddf428009e4_JaffaCakes118.exe  28
  PID 2124 wrote to memory of 2604   2124  e58dd8f61151a54bfa678ddf428009e4_JaffaCakes118.exe  28
  PID 2124 wrote to memory of 2604   2124  e58dd8f61151a54bfa678ddf428009e4_JaffaCakes118.exe  28
  PID 2124 wrote to memory of 2696   2124  e58dd8f61151a54bfa678ddf428009e4_JaffaCakes118.exe  30
  PID 2124 wrote to memory of 2696   2124  e58dd8f61151a54bfa678ddf428009e4_JaffaCakes118.exe  30
  PID 2124 wrote to memory of 2696   2124  e58dd8f61151a54bfa678ddf428009e4_JaffaCakes118.exe  30
  PID 2124 wrote to memory of 2696   2124  e58dd8f61151a54bfa678ddf428009e4_JaffaCakes118.exe  30
  PID 2124 wrote to memory of 2828   2124  e58dd8f61151a54bfa678ddf428009e4_JaffaCakes118.exe  31
  PID 2124 wrote to memory of 2828   2124  e58dd8f61151a54bfa678ddf428009e4_JaffaCakes118.exe  31
  PID 2124 wrote to memory of 2828   2124  e58dd8f61151a54bfa678ddf428009e4_JaffaCakes118.exe  31
  PID 2124 wrote to memory of 2828   2124  e58dd8f61151a54bfa678ddf428009e4_JaffaCakes118.exe  31
  PID 2696 wrote to memory of 2792   2696  7D57AD13E21.exe                                      33
  PID 2696 wrote to memory of 2792   2696  7D57AD13E21.exe                                      33
  PID 2696 wrote to memory of 2792   2696  7D57AD13E21.exe                                      33
  PID 2696 wrote to memory of 2792   2696  7D57AD13E21.exe                                      33
  PID 2696 wrote to memory of 2792   2696  7D57AD13E21.exe                                      33
  PID 2696 wrote to memory of 2792   2696  7D57AD13E21.exe                                      33
Processes
1. C:\Users\Admin\AppData\Local\Temp\e58dd8f61151a54bfa678ddf428009e4_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e58dd8f61151a54bfa678ddf428009e4_JaffaCakes118.exe"
   PID: 2124
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\reg.exe
      Command line: "C:\Windows\System32\reg.exe" ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Update" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe" /f
      PID: 2604
      - Adds Run key to start application
      - Modifies registry key
   2. C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe
      Command line: "C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe"
      PID: 2696
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe
         Command line: "C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe"
         PID: 2792
         - Executes dropped EXE
         - Suspicious use of SetWindowsHookEx
   2. C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe"
      PID: 2828
      - Executes dropped EXE
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Download 1
  Filesize: 7.9MB
  MD5: eed15422edc954ce5024b531cb32716b
  SHA1: 2b0c73bffa73cef621398797465cd1251a136f0f
  SHA256: 857ca32f0bd6b38993cdd091d12f9f07af2794fbca6a7779a815328469890671
  SHA512: e2743353503de81cf0f55ffb34889ab62b3da7ce9691a3693110bd2b0043bd47cc04680110939740e538a3b23a0e0d7a621db7b21bf3f4a9317ee868ca26f2be

Download 2
  Filesize: 1.0MB
  MD5: a2f259ceb892d3b0d1d121997c8927e3
  SHA1: 6e0a7239822b8d365d690a314f231286355f6cc6
  SHA256: ab01a333f38605cbcebd80e0a84ffae2803a9b4f6bebb1e9f773e949a87cb420
  SHA512: 5ae1b60390c94c9e79d3b500a55b775d82556e599963d533170b9f35ad5cfa2df1b7d24de1890acf8e1e2c356830396091d46632dbc6ee43a7d042d4facb5dad