Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 144s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
- submitted: 08/04/2024, 14:06
Static task: static1
Behavioral task: behavioral1
- Sample: e7a1c76348e312d3283a9ffd8d4666f8_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: e7a1c76348e312d3283a9ffd8d4666f8_JaffaCakes118.exe
- Resource: win10v2004-20240226-en
General
- Target: e7a1c76348e312d3283a9ffd8d4666f8_JaffaCakes118.exe
- Size: 2.0MB
- MD5: e7a1c76348e312d3283a9ffd8d4666f8
- SHA1: 0033583fab7f91bed1e98fa9f6fbca6194189861
- SHA256: 42bade7a7d1828e0f9a35b471c9230439c518935ad6ca89ae6f9479966750f37
- SHA512: 15ee4e43802280921ee053f634a0f6f5cb4bc4a4de547cd75557f90660dc82fb413103b7786d61635d8b933e9806d68752c897485da733d4087f5a3c2d8ea7c4
- SSDEEP: 49152:OFUcx88PWPOpX0SFohtNjbTmWbGVdzIKJa4eR6OPgCj4kyGc:O+K88uPCHWWWbG/zF04eUOPgk4kyGc
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  pid | Process
  1260 | 2980.tmp
- Loads dropped DLL (1 IoCs)
  pid | Process
  1996 | e7a1c76348e312d3283a9ffd8d4666f8_JaffaCakes118.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies Internet Explorer settings
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  pid | Process
  2084 | WINWORD.EXE
- Suspicious behavior: RenamesItself (1 IoCs)
  pid | Process
  1260 | 2980.tmp
- Suspicious use of SetWindowsHookEx (6 IoCs)
  pid | Process
  2084 | WINWORD.EXE
  2084 | WINWORD.EXE
  2084 | WINWORD.EXE
  2084 | WINWORD.EXE
  2084 | WINWORD.EXE
  2084 | WINWORD.EXE
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 1996 wrote to memory of 1260 | 1996 | e7a1c76348e312d3283a9ffd8d4666f8_JaffaCakes118.exe | 28
  PID 1996 wrote to memory of 1260 | 1996 | e7a1c76348e312d3283a9ffd8d4666f8_JaffaCakes118.exe | 28
  PID 1996 wrote to memory of 1260 | 1996 | e7a1c76348e312d3283a9ffd8d4666f8_JaffaCakes118.exe | 28
  PID 1996 wrote to memory of 1260 | 1996 | e7a1c76348e312d3283a9ffd8d4666f8_JaffaCakes118.exe | 28
  PID 1260 wrote to memory of 2084 | 1260 | 2980.tmp | 29
  PID 1260 wrote to memory of 2084 | 1260 | 2980.tmp | 29
  PID 1260 wrote to memory of 2084 | 1260 | 2980.tmp | 29
  PID 1260 wrote to memory of 2084 | 1260 | 2980.tmp | 29
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\e7a1c76348e312d3283a9ffd8d4666f8_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e7a1c76348e312d3283a9ffd8d4666f8_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 1996
  - [2] C:\Users\Admin\AppData\Local\Temp\2980.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\2980.tmp" --splash C:\Users\Admin\AppData\Local\Temp\e7a1c76348e312d3283a9ffd8d4666f8_JaffaCakes118.exe CBD70694CC54B3D38E6C328DAEEDB19CC2011A4140A30AF5D5AA93CD3A5B8EDFF7E6B1E2E0AF6D693FE7931AD31F02607CA3E8FC1731FF764E37B65BF6166B85
    - Executes dropped EXE
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    PID: 1260
    - [3] C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\e7a1c76348e312d3283a9ffd8d4666f8_JaffaCakes118.docx"
      - Modifies Internet Explorer settings
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx
      PID: 2084
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 19KB
  MD5: 4046ff080673cffac6529512b8d3bdbb
  SHA1: d3cbc39065b7a55e995fa25397da2140bdac80c1
  SHA256: f0c1b360c0b24b5450a79138650e6ee254afae6ce8f6c68da7d1f32f91582680
  SHA512: 453f70730b7560e3d3e23ddfa0fe74e014753f8b34b45254c1c0cf5fec0546a2b8b109a4f9d096e91711b6d02cb383a7136c2cb7bd6600d0598acf7c90c25418
- Filesize: 2.0MB
  MD5: e1f4ae4469a2bfd299261faa573a569e
  SHA1: 8ebc4c519d17318f710bf836ef0bedd4e40898c3
  SHA256: dfe66441a9a3fa55e487fb52b9f8bcbf9b4e18e1e38b9beb1dbc8739426ce203
  SHA512: 956658256417eb8e0fd2344882ac6dd69eee1f850a963422b5857a049ae1466c664ef595c2cf0a40d12549484f21fcb3cbdd456ad4168dafce12130a41a2505b