Analysis
- max time kernel: 140s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 15/04/2024, 15:29
Static task
- static1

Behavioral task
- behavioral1
  Sample: f162da35436879620e40d6ccad225f73_JaffaCakes118.exe
  Resource: win7-20240215-en

Behavioral task
- behavioral2
  Sample: f162da35436879620e40d6ccad225f73_JaffaCakes118.exe
  Resource: win10v2004-20240412-en
General
- Target: f162da35436879620e40d6ccad225f73_JaffaCakes118.exe
- Size: 209KB
- MD5: f162da35436879620e40d6ccad225f73
- SHA1: a756403fb1c035f70a3d508a83e2dcc38be3a613
- SHA256: eab3e220aa4c8e86d6c1eab628dca854e0fdbe953920c65a4169609a31fd5f4f
- SHA512: 996158b2540bc7f41e0bf62056ddd3ed6e9290a871ebf8c9a6249685cce847488c86f448297766ac0aaef599653b0c354524583c93d26f9fa2c80d7904a1b3e0
- SSDEEP: 6144:zldXtrMT5ndLtnDo2P28a7DFl2tQqkOC:v9wFdLtc2+84DFl2qc
Malware Config
Signatures

- Executes dropped EXE (4 IoCs)

  pid  | Process
  -----|-----------
  2152 | u.dll
  3032 | mpress.exe
  2264 | u.dll
  2324 | mpress.exe

- Loads dropped DLL (8 IoCs)

  pid  | Process
  -----|--------
  2616 | cmd.exe
  2616 | cmd.exe
  2152 | u.dll
  2152 | u.dll
  2616 | cmd.exe
  2616 | cmd.exe
  2264 | u.dll
  2264 | u.dll

- Suspicious use of WriteProcessMemory (24 IoCs)

  description                          | pid  | Process                                            | procid_target
  -------------------------------------|------|----------------------------------------------------|--------------
  PID 2952 wrote to memory of 2616     | 2952 | f162da35436879620e40d6ccad225f73_JaffaCakes118.exe | 29
  PID 2952 wrote to memory of 2616     | 2952 | f162da35436879620e40d6ccad225f73_JaffaCakes118.exe | 29
  PID 2952 wrote to memory of 2616     | 2952 | f162da35436879620e40d6ccad225f73_JaffaCakes118.exe | 29
  PID 2952 wrote to memory of 2616     | 2952 | f162da35436879620e40d6ccad225f73_JaffaCakes118.exe | 29
  PID 2616 wrote to memory of 2152     | 2616 | cmd.exe                                            | 30
  PID 2616 wrote to memory of 2152     | 2616 | cmd.exe                                            | 30
  PID 2616 wrote to memory of 2152     | 2616 | cmd.exe                                            | 30
  PID 2616 wrote to memory of 2152     | 2616 | cmd.exe                                            | 30
  PID 2152 wrote to memory of 3032     | 2152 | u.dll                                              | 31
  PID 2152 wrote to memory of 3032     | 2152 | u.dll                                              | 31
  PID 2152 wrote to memory of 3032     | 2152 | u.dll                                              | 31
  PID 2152 wrote to memory of 3032     | 2152 | u.dll                                              | 31
  PID 2616 wrote to memory of 2264     | 2616 | cmd.exe                                            | 32
  PID 2616 wrote to memory of 2264     | 2616 | cmd.exe                                            | 32
  PID 2616 wrote to memory of 2264     | 2616 | cmd.exe                                            | 32
  PID 2616 wrote to memory of 2264     | 2616 | cmd.exe                                            | 32
  PID 2264 wrote to memory of 2324     | 2264 | u.dll                                              | 33
  PID 2264 wrote to memory of 2324     | 2264 | u.dll                                              | 33
  PID 2264 wrote to memory of 2324     | 2264 | u.dll                                              | 33
  PID 2264 wrote to memory of 2324     | 2264 | u.dll                                              | 33
  PID 2616 wrote to memory of 1520     | 2616 | cmd.exe                                            | 34
  PID 2616 wrote to memory of 1520     | 2616 | cmd.exe                                            | 34
  PID 2616 wrote to memory of 1520     | 2616 | cmd.exe                                            | 34
  PID 2616 wrote to memory of 1520     | 2616 | cmd.exe                                            | 34
Processes

- C:\Users\Admin\AppData\Local\Temp\f162da35436879620e40d6ccad225f73_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f162da35436879620e40d6ccad225f73_JaffaCakes118.exe"
  PID: 2952
  Signatures: Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\EDF.tmp\vir.bat""
    PID: 2616
    Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory

    - C:\Users\Admin\AppData\Local\Temp\u.dll
      Command line: u.dll -bat vir.bat -save f162da35436879620e40d6ccad225f73_JaffaCakes118.exe.com -include s.dll -overwrite -nodelete
      PID: 2152
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory

      - C:\Users\Admin\AppData\Local\Temp\F1E.tmp\mpress.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\F1E.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exeF1F.tmp"
        PID: 3032
        Signatures: Executes dropped EXE

    - C:\Users\Admin\AppData\Local\Temp\u.dll
      Command line: u.dll -bat vir.bat -save ose00000.exe.com -include s.dll -overwrite -nodelete
      PID: 2264
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory

      - C:\Users\Admin\AppData\Local\Temp\FF8.tmp\mpress.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\FF8.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exeFF9.tmp"
        PID: 2324
        Signatures: Executes dropped EXE

    - C:\Windows\SysWOW64\calc.exe
      Command line: CALC.EXE
      PID: 1520
Network
MITRE ATT&CK Matrix
Downloads

- Filesize: 2KB
  MD5: 8538b78c03e73420e61fc787c11eedc5
  SHA1: 8cce66220d7c1ba66fea7e73307a7809a469d61f
  SHA256: 337d6bc7a370da08d188a40d95d1053c3db5a135424a0fe21414aff7adba6355
  SHA512: d7de5421e3bfe9ac47bab8817904199236843076b4502c74b960116d4c09b0d2a2a8b903a7f39b4742f75b814fee2600e08ee8979a9198a0c73b24b1ebd6d6df

- Filesize: 100KB
  MD5: e42b81b9636152c78ba480c1c47d3c7f
  SHA1: 66a2fca3925428ee91ad9df5b76b90b34d28e0f8
  SHA256: 7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2
  SHA512: 4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

- Filesize: 41KB
  MD5: 2962dfcac22070e3da981e1115397938
  SHA1: 09a2ddd77cc9265c1c9a3a0b3797ea5007e3bd28
  SHA256: d47a5a1f144a7b1a0267ec604f18238419a29402b4ef51f1b2165f346ef88951
  SHA512: 8efe28ee9ba694a2cc010bb61736de3f7bc190c3656f814a700e9992391a174982fa21f16d24ce1c36876e095f1a76569183cee52048ae22102cac621beb422a

- Filesize: 24KB
  MD5: b799e4b3cff5cefeb8355cff4153f617
  SHA1: cf39041f0b03033f148329b62c2f593ffb3ce8cc
  SHA256: e6f5642d95d82404f0c87ce3b455c662ad247d533cc01b0f454d194b244207c4
  SHA512: 62e28c9cf91fd311d2dee021062a92eacf482455842a6f835afedfb368d84de089569ae032a37c85c05c4cc20d1e1aeeda2cda6e673fa42e00b80b19974b9f63

- Filesize: 41KB
  MD5: 7cb94ab71579f67dd8167ccb854b359a
  SHA1: 74e86a56f85e57d281d3ef96e9a37e1cbdf00234
  SHA256: 94c019063145e6f988342dbbdad106f33eb452b627c2b49dab48e42491e84223
  SHA512: bc25d4d61dce320e970c357d81acc8bf825ebece79ca49fd5cc7ab6c997e1f68d293a6a7efbf4fcf9720f1a955fec1f89564d736f70c610f8b09adc19663002e

- Filesize: 24KB
  MD5: 4a5be32fb94601714c46d106925cc4f6
  SHA1: de1067395116b3a00152b34e24f6645770eaa2ee
  SHA256: 5a4aed2b271398f6a9b7de1290e7e5586a19aef9c2437404355c8cf639faaf62
  SHA512: 27796e99f88ff425751a976d721583a3084185137166a5083f6622cc5092b149e0943b98f96648b6f89ddf5759b870e715ca9aed5519c94e9a3dccb55dab8b8c

- Filesize: 700KB
  MD5: 03e84bf7ea2eba6e881e868ceefe2526
  SHA1: 09019ed20cf16847a264f5d1840ee0802f1778a6
  SHA256: 8b16836b18106d0e8fdbb4b26beefee04479fe219a59cc2a186b68db91fcd832
  SHA512: 32a47a7b4725f2d71573ad855b0a3bc99b3fa86d70f7b1b60456361bbcd03d37ea58f2b7092c0b6993e156db4ddd66b1d544363523f580a6dd8c055697ec2026

- Filesize: 2KB
  MD5: 6673de6a1dabaa4d59c833242a49fa19
  SHA1: 47e0e5f7b280f53b363452108fa8343be26c2df6
  SHA256: 7139c0e9fbcb0412bce31735778a63e64f9e33c1d03ebba7f5a23b13cde685ed
  SHA512: c279a16d873f716edd4b1400e4e2fa2ad65fc1bc72fbb0c78f0bf72506e127b4ac8fa46d853915e790771fe620776da0c1c570d1a957f69c2bacb8cd2c8b2e59

- Filesize: 2KB
  MD5: ab9504b1525917562748b9e6b410400e
  SHA1: ba9184d38fb1083ecdf71b06954587b88fd5fb51
  SHA256: feee03f75de6678b47b290934c7fe8a5e32e6b0f28b706cf8bdab7c164e9c14a
  SHA512: 9de451d9b0fab08c53a33e50f09688acd380213eed4f8f0b1704cf5cec8e2deeb138666feb72e0813dd0140f4a22ed4b33e29a42b40b72a4a62ef8201b64b723