Analysis
- max time kernel: 120s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 11/04/2024, 04:09
Static task: static1
Behavioral task: behavioral1
- Sample: eca3118dc775aab05ef1351257bfe4aa_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: eca3118dc775aab05ef1351257bfe4aa_JaffaCakes118.exe
- Resource: win10v2004-20240226-en
General
- Target: eca3118dc775aab05ef1351257bfe4aa_JaffaCakes118.exe
- Size: 488KB
- MD5: eca3118dc775aab05ef1351257bfe4aa
- SHA1: 7ab478a5bb1aa6ebcb7202e025247cfa6dcf6cee
- SHA256: f840f8bc3076f63c76db69f9f6c76623e3db4a2bd70809a78b9c45a90535bfdc
- SHA512: 32956c8d7a9f51a1f263a6f704e78150b37c58e30957f640cf6d0c0544687bd0ab0543ada3cfc4078e0506f2e8b238ea472875695f3e805ea0f3b6185df8a8ce
- SSDEEP: 12288:FytbV3kSoXaLnToslMHyacM7fxJS+p4u/qm8pWLC1F:Eb5kSYaLTVlMHyrT+Em8sCn
Malware Config
Signatures
- Deletes itself (1 IoCs)
    pid   Process
    2864  cmd.exe
- Runs ping.exe (1 TTPs, 1 IoCs)
    pid   Process
    2168  PING.EXE
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
    pid   Process
    2232  eca3118dc775aab05ef1351257bfe4aa_JaffaCakes118.exe
    2232  eca3118dc775aab05ef1351257bfe4aa_JaffaCakes118.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
    description              pid   Process
    Token: SeDebugPrivilege  2232  eca3118dc775aab05ef1351257bfe4aa_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
    description                       pid   Process                                             procid_target
    PID 2232 wrote to memory of 2864  2232  eca3118dc775aab05ef1351257bfe4aa_JaffaCakes118.exe  28
    PID 2232 wrote to memory of 2864  2232  eca3118dc775aab05ef1351257bfe4aa_JaffaCakes118.exe  28
    PID 2232 wrote to memory of 2864  2232  eca3118dc775aab05ef1351257bfe4aa_JaffaCakes118.exe  28
    PID 2864 wrote to memory of 2168  2864  cmd.exe                                             30
    PID 2864 wrote to memory of 2168  2864  cmd.exe                                             30
    PID 2864 wrote to memory of 2168  2864  cmd.exe                                             30
Processes
- C:\Users\Admin\AppData\Local\Temp\eca3118dc775aab05ef1351257bfe4aa_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\eca3118dc775aab05ef1351257bfe4aa_JaffaCakes118.exe"
  PID: 2232
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command line: cmd.exe /C ping 1.1.1.1 -n 1 -w 6000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\eca3118dc775aab05ef1351257bfe4aa_JaffaCakes118.exe"
    PID: 2864
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\PING.EXE
      Command line: ping 1.1.1.1 -n 1 -w 6000
      PID: 2168
      - Runs ping.exe