Analysis
- max time kernel: 117s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 09/04/2024, 00:33
Static task
- static1

Behavioral task
- behavioral1
  Sample: e8cc2d9b5f578d667e721cc96fffd308_JaffaCakes118.exe
  Resource: win7-20240221-en

Behavioral task
- behavioral2
  Sample: e8cc2d9b5f578d667e721cc96fffd308_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
- Target: e8cc2d9b5f578d667e721cc96fffd308_JaffaCakes118.exe
- Size: 316KB
- MD5: e8cc2d9b5f578d667e721cc96fffd308
- SHA1: 135443ccd69fe9529e3066de67a447014566aada
- SHA256: cb147546c928a60d504152b525998f439b3bdb39d77e7772f3b9ff2e60011f3e
- SHA512: 48c73b6b291cc7901725611b63628ebb167b1bf23ab12a66aa2f2f60bd746e2fc840ba14234507f7b2a530dd8be4e74fdb6446c7b85a7cdf7a6bccb78340b679
- SSDEEP: 6144:FUORK1ttbV3kSobTYZGiNdniCoh+KiE5SnUW7YTcw:FytbV3kSoXaLnTosloIUW0r
Malware Config
Signatures

Deletes itself (1 IoCs)
pid | Process
2832 | cmd.exe

Runs ping.exe (1 TTPs, 1 IoCs)
pid | Process
2936 | PING.EXE

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
2224 | e8cc2d9b5f578d667e721cc96fffd308_JaffaCakes118.exe
2224 | e8cc2d9b5f578d667e721cc96fffd308_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2224 | e8cc2d9b5f578d667e721cc96fffd308_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 2224 wrote to memory of 2832 | 2224 | e8cc2d9b5f578d667e721cc96fffd308_JaffaCakes118.exe | 28
PID 2224 wrote to memory of 2832 | 2224 | e8cc2d9b5f578d667e721cc96fffd308_JaffaCakes118.exe | 28
PID 2224 wrote to memory of 2832 | 2224 | e8cc2d9b5f578d667e721cc96fffd308_JaffaCakes118.exe | 28
PID 2832 wrote to memory of 2936 | 2832 | cmd.exe | 30
PID 2832 wrote to memory of 2936 | 2832 | cmd.exe | 30
PID 2832 wrote to memory of 2936 | 2832 | cmd.exe | 30
Processes

C:\Users\Admin\AppData\Local\Temp\e8cc2d9b5f578d667e721cc96fffd308_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\e8cc2d9b5f578d667e721cc96fffd308_JaffaCakes118.exe"
Depth: 1
PID: 2224
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe
  Command line: cmd.exe /C ping 1.1.1.1 -n 1 -w 6000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\e8cc2d9b5f578d667e721cc96fffd308_JaffaCakes118.exe"
  Depth: 2
  PID: 2832
  - Deletes itself
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\PING.EXE
    Command line: ping 1.1.1.1 -n 1 -w 6000
    Depth: 3
    PID: 2936
    - Runs ping.exe