Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
  max time kernel: 149s
  max time network: 148s
  platform: windows7_x64
  resource: win7-20240221-en
  resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  submitted: 08/04/2024, 19:27
Static task: static1
Behavioral task: behavioral1
  Sample: e839a7ebd4bf4a630749e04cf34e62ad_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: e839a7ebd4bf4a630749e04cf34e62ad_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
  Target: e839a7ebd4bf4a630749e04cf34e62ad_JaffaCakes118.exe
  Size: 271KB
  MD5: e839a7ebd4bf4a630749e04cf34e62ad
  SHA1: 12adba3923291f9d17fda545d7f9e112af184378
  SHA256: efcc3e0d27010b244563f684d50b801fc819f7359f477f36411fbc9afa112455
  SHA512: 45b5e992d88f09b5b30e932f9cd20d40fbea10ecbb6f2a8ad6512de851787e42f778faef76eac478b47c4da53bf87e2e541d716217413a2652be22df872b8fb1
  SSDEEP: 6144:q+FNvDu5NMsd+mF9gNMrhsgRx2aHNs8DtD1SpUxo:lFxDAdMmF94KZJ+h
Malware Config
Signatures
Deletes itself (1 IoC)
  pid   Process
  1076  bf74e7c99621aa5a.exe
Executes dropped EXE (2 IoCs)
  pid   Process
  1076  bf74e7c99621aa5a.exe
  3012  bf74e7c99621aa5a.exe
Loads dropped DLL (3 IoCs)
  pid   Process
  3000  e839a7ebd4bf4a630749e04cf34e62ad_JaffaCakes118.exe
  3000  e839a7ebd4bf4a630749e04cf34e62ad_JaffaCakes118.exe
  1076  bf74e7c99621aa5a.exe
resource yara_rule: memory dump matches for rule upx (list of memory dump resources omitted)
Adds Run key to start application (2 TTPs, 4 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\System Health Monitoring Service Pro = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\bf74e7c99621aa5a.exe\""
  Process: bf74e7c99621aa5a.exe

  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*System Health Monitoring Service Pro = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\bf74e7c99621aa5a.exe\""
  Process: bf74e7c99621aa5a.exe

  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\System Health Monitoring Service Pro = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\bf74e7c99621aa5a.exe\""
  Process: bf74e7c99621aa5a.exe

  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*System Health Monitoring Service Pro = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\bf74e7c99621aa5a.exe\""
  Process: bf74e7c99621aa5a.exe
Suspicious use of WriteProcessMemory (8 IoCs)
  description                        pid   Process                                              procid_target
  PID 3000 wrote to memory of 1076   3000  e839a7ebd4bf4a630749e04cf34e62ad_JaffaCakes118.exe  28
  PID 3000 wrote to memory of 1076   3000  e839a7ebd4bf4a630749e04cf34e62ad_JaffaCakes118.exe  28
  PID 3000 wrote to memory of 1076   3000  e839a7ebd4bf4a630749e04cf34e62ad_JaffaCakes118.exe  28
  PID 3000 wrote to memory of 1076   3000  e839a7ebd4bf4a630749e04cf34e62ad_JaffaCakes118.exe  28
  PID 1076 wrote to memory of 3012   1076  bf74e7c99621aa5a.exe                                 29
  PID 1076 wrote to memory of 3012   1076  bf74e7c99621aa5a.exe                                 29
  PID 1076 wrote to memory of 3012   1076  bf74e7c99621aa5a.exe                                 29
  PID 1076 wrote to memory of 3012   1076  bf74e7c99621aa5a.exe                                 29
Processes
C:\Users\Admin\AppData\Local\Temp\e839a7ebd4bf4a630749e04cf34e62ad_JaffaCakes118.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e839a7ebd4bf4a630749e04cf34e62ad_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 3000
  C:\Users\Admin\AppData\Local\Temp\bf74e7c99621aa5a.exe (depth 2)
    Command line: :*C:\Users\Admin\AppData\Local\Temp\e839a7ebd4bf4a630749e04cf34e62ad_JaffaCakes118.exe *
    - Deletes itself
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID: 1076
    C:\Users\Admin\AppData\Local\Temp\bf74e7c99621aa5a.exe (depth 3)
      Command line: a ZZZZZZYZSTG
      - Executes dropped EXE
      - Adds Run key to start application
      PID: 3012
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 68KB
  MD5: 29f65ba8e88c063813cc50a4ea544e93
  SHA1: 05a7040d5c127e68c25d81cc51271ffb8bef3568
  SHA256: 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
  SHA512: e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
File 2
  Filesize: 177KB
  MD5: 435a9ac180383f9fa094131b173a2f7b
  SHA1: 76944ea657a9db94f9a4bef38f88c46ed4166983
  SHA256: 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
  SHA512: 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
File 3
  Filesize: 271KB
  MD5: b3ea5bc8989299dbf959986e26ba3edb
  SHA1: 194c47a2ad1004e1e0ed5696cf91f67a39b51129
  SHA256: 4c34dd047e4decffb0ccd24e2e5eddaf79ab5c065a72985143a456fb6dc71e1f
  SHA512: 9703e962fbe1a13c73c13eb0e45f66396061512336b91377e3ec341a62d6dbdf51532d9dbe8817d20df6e4c791ba6b0fc8607db470510827296bbe4100d27aac