Analysis
- max time kernel: 122s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 08/04/2024, 21:22
Behavioral task: behavioral1
- Sample: e87174de1f9469b7c2ca893081c6b9a2_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: e87174de1f9469b7c2ca893081c6b9a2_JaffaCakes118.exe
- Resource: win10v2004-20240226-en
General
- Target: e87174de1f9469b7c2ca893081c6b9a2_JaffaCakes118.exe
- Size: 5.3MB
- MD5: e87174de1f9469b7c2ca893081c6b9a2
- SHA1: d91cfeb8244d4cb9240066bb9ef236fd5190bc23
- SHA256: 28d8582629c56c92fd6db4b892fa1a7e3960127767c403eb471d13c853bdcd7e
- SHA512: 9f7521f6add3e4cf41c54e0bf24ac63aa9ad47beed72bba5bcb127827ced45522bc300faaa28c3febf70a95cad5748edf28b542ccf599b828c58c4b115b81f46
- SSDEEP: 98304:pNHJ6ZWw7RPHrCwFjCH0Q2rpF27HA7lTeBh9O3cQY3GSHrCwFjCH0Q2rpF27Hj:pv68w7RPHuI47elTezsSHuI47D
Signatures
- Deletes itself (1 IoCs)
  - pid 2872, Process e87174de1f9469b7c2ca893081c6b9a2_JaffaCakes118.exe
- Executes dropped EXE (1 IoCs)
  - pid 2872, Process e87174de1f9469b7c2ca893081c6b9a2_JaffaCakes118.exe
- Loads dropped DLL (1 IoCs)
  - pid 1736, Process e87174de1f9469b7c2ca893081c6b9a2_JaffaCakes118.exe
- resource / yara_rule
  - resource behavioral1/memory/1736-0-0x0000000000400000-0x00000000008E7000-memory.dmp, yara_rule upx
  - resource behavioral1/files/0x000c00000001224c-13.dat, yara_rule upx
- Suspicious behavior: RenamesItself (1 IoCs)
  - pid 1736, Process e87174de1f9469b7c2ca893081c6b9a2_JaffaCakes118.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  - pid 1736, Process e87174de1f9469b7c2ca893081c6b9a2_JaffaCakes118.exe
  - pid 2872, Process e87174de1f9469b7c2ca893081c6b9a2_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  - description: PID 1736 wrote to memory of 2872; pid 1736; Process e87174de1f9469b7c2ca893081c6b9a2_JaffaCakes118.exe; procid_target 28
  - description: PID 1736 wrote to memory of 2872; pid 1736; Process e87174de1f9469b7c2ca893081c6b9a2_JaffaCakes118.exe; procid_target 28
  - description: PID 1736 wrote to memory of 2872; pid 1736; Process e87174de1f9469b7c2ca893081c6b9a2_JaffaCakes118.exe; procid_target 28
  - description: PID 1736 wrote to memory of 2872; pid 1736; Process e87174de1f9469b7c2ca893081c6b9a2_JaffaCakes118.exe; procid_target 28
Processes
1. C:\Users\Admin\AppData\Local\Temp\e87174de1f9469b7c2ca893081c6b9a2_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e87174de1f9469b7c2ca893081c6b9a2_JaffaCakes118.exe"
   PID: 1736
   - Loads dropped DLL
   - Suspicious behavior: RenamesItself
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory
2. C:\Users\Admin\AppData\Local\Temp\e87174de1f9469b7c2ca893081c6b9a2_JaffaCakes118.exe
   Command line: C:\Users\Admin\AppData\Local\Temp\e87174de1f9469b7c2ca893081c6b9a2_JaffaCakes118.exe
   PID: 2872
   - Deletes itself
   - Executes dropped EXE
   - Suspicious use of UnmapMainImage
Downloads
- Filesize: 5.3MB
- MD5: 5bd6fac9450b340f262fb45bc116d04a
- SHA1: bbe64113a4dd81d12bf3fb2687e35cfdaaed7107
- SHA256: 4d17b33dc17cbbdb0da2e5f4f6bbb5655005cb59dc46ac48a8c7fdd6d5b638aa
- SHA512: 6aadd16fbff03828150f6c059d5251f50bf393db44f974003f37e425c79cd1932ac53e1bf532b5a5f90975e900b9962f271ddcddb32418046b17ee16f4636ab6