Analysis
  max time kernel: 120s
  max time network: 121s
  platform: windows7_x64
  resource: win7-20240221-en
  resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  submitted: 08/04/2024, 19:44
Static task: static1
Behavioral task: behavioral1
  Sample: e84294ec1372ff50f87f0292d93a0447_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: e84294ec1372ff50f87f0292d93a0447_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
  Target: e84294ec1372ff50f87f0292d93a0447_JaffaCakes118.exe
  Size: 867KB
  MD5: e84294ec1372ff50f87f0292d93a0447
  SHA1: 5b1ce3dfdb2f35d7f0b386e4d607e4e341edb28e
  SHA256: b441d70043458ea02a33d185ba174b8f12e772d27d1c68514a16890d7dbb8180
  SHA512: 8144ff3bdf85a48063d3c8b2f37cd6926b09798f3bb146941cc53d68906439ce95857cfe0473860075897f6f69732d7036c3dfea561a3d53f114890219bcced7
  SSDEEP: 12288:UlUUxvOae0+98PYVQ2V7qL7sb4lDY1qd8XmtXaoRGpK0VEary4d:U/08PWkp6Eem8oRGpK0VEqy4d
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
    pid   Process
    2420  10E3.tmp
- Loads dropped DLL (2 IoCs)
    pid   Process
    2020  vbc.exe
    2020  vbc.exe
- Yara rule match in process memory (9 IoCs)
    resource                                                                      yara_rule
    behavioral1/memory/2020-4-0x0000000000400000-0x000000000042A000-memory.dmp    upx
    behavioral1/memory/2020-5-0x0000000000400000-0x000000000042A000-memory.dmp    upx
    behavioral1/memory/2020-6-0x0000000000400000-0x000000000042A000-memory.dmp    upx
    behavioral1/memory/2020-10-0x0000000000400000-0x000000000042A000-memory.dmp   upx
    behavioral1/memory/2020-14-0x0000000000400000-0x000000000042A000-memory.dmp   upx
    behavioral1/memory/2020-18-0x0000000000400000-0x000000000042A000-memory.dmp   upx
    behavioral1/memory/2020-16-0x0000000000400000-0x000000000042A000-memory.dmp   upx
    behavioral1/memory/2020-20-0x0000000000400000-0x000000000042A000-memory.dmp   upx
    behavioral1/memory/2020-41-0x0000000000400000-0x000000000042A000-memory.dmp   upx
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\DefaultSystem = "C:\\Users\\Admin\\Desktop\\Sys32c.exe"
    Process: e84294ec1372ff50f87f0292d93a0447_JaffaCakes118.exe
- Suspicious use of SetThreadContext (1 IoC)
    description: PID 1296 set thread context of 2020
    pid: 1296
    Process: e84294ec1372ff50f87f0292d93a0447_JaffaCakes118.exe
    procid_target: 28
- Suspicious use of WriteProcessMemory (17 IoCs; identical rows collapsed, count in last column)
    description                        pid   Process                                             procid_target  rows
    PID 1296 wrote to memory of 2020   1296  e84294ec1372ff50f87f0292d93a0447_JaffaCakes118.exe  28             9
    PID 2020 wrote to memory of 2420   2020  vbc.exe                                             29             4
    PID 2420 wrote to memory of 2652   2420  10E3.tmp                                            30             4
Processes
- C:\Users\Admin\AppData\Local\Temp\e84294ec1372ff50f87f0292d93a0447_JaffaCakes118.exe (PID 1296, depth 1)
    command line: "C:\Users\Admin\AppData\Local\Temp\e84294ec1372ff50f87f0292d93a0447_JaffaCakes118.exe"
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 2020, depth 2)
      command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\10E3.tmp (PID 2420, depth 3)
        command line: C:\Users\Admin\AppData\Local\Temp\10E3.tmp C:\Users\Admin\AppData\Local\Temp
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe (PID 2652, depth 4)
          command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpfile0.bat""
Network
MITRE ATT&CK Enterprise v15
Downloads
- File 1
    Filesize: 39KB
    MD5: 5bf83457a4e2a6936ad7b8c6189a3c84
    SHA1: a27c81614fb5e18170bb1cd169a7d19516370492
    SHA256: 9f7d96545320213689f436fb1d8ec2d582f983723969723169e74b05fc58dc27
    SHA512: 35edc545ad3a4c044c666c4d5361e345b5e9c43cbecaa1ca9df92f7fd1052a4bddc97a999d968d0fe454f1f9366ae78314b918808e8b6247825a9891dee07d0f
- File 2
    Filesize: 53KB
    MD5: 4509361ff09e3c2f1af857ab53236290
    SHA1: 0b0ccddff1229538c8eac12df03b16897c911c66
    SHA256: 310943677b8f610fb1250e8f392a3a76fc9864ac7599861049e37ce4cebc0b53
    SHA512: 1edf0d383dbd066e346587f89841fbed8566f30dafc1f3df51bd67171fe01d6af39605119758e7d943a9eeb02bb67efe1ee77db33ec033c55e2f3c7519ad0c1e