Analysis
max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 15/04/2024, 16:49
Static task: static1
Behavioral task: behavioral1
  Sample: f18634cacad918b0425c9a7dddf0d022_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: f18634cacad918b0425c9a7dddf0d022_JaffaCakes118.exe
  Resource: win10v2004-20240412-en
General
Target: f18634cacad918b0425c9a7dddf0d022_JaffaCakes118.exe
Size: 24KB
MD5: f18634cacad918b0425c9a7dddf0d022
SHA1: fb2c8d42bc519f7f430093811019afc0139d42c2
SHA256: 768f4f1f222a2a2f47799b0eb0874dca215d7b5918ee429c07d7d62a481b7e9d
SHA512: 0b7c51c26d1eaa61b829cb23a26d2029c98f1575d646a19ca99a092af75f46807af8a295e2a2574acd16925a4a4082a73341a1b821c835d57c0827c4bc4fe2b9
SSDEEP: 384:E3eVES+/xwGkRKJraRlM61qmTTMVF9/q5n0:bGS+ZfbJmO8qYoA0
Malware Config
Signatures
Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Start GeekBuddy = "C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\spoolsv.exe"
  process: f18634cacad918b0425c9a7dddf0d022_JaffaCakes118.exe
Drops file in Program Files directory (1 IoC)
  description: File created
  ioc: C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033\spoolsv.exe
  process: f18634cacad918b0425c9a7dddf0d022_JaffaCakes118.exe
Enumerates processes with tasklist (1 TTP, 1 IoC)
  pid 2488, process tasklist.exe
Gathers network information (2 TTPs, 2 IoCs)
  Uses commandline utility to view network configuration.
  pid 2476, process ipconfig.exe
  pid 2528, process NETSTAT.EXE
Runs net.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description: Token: SeDebugPrivilege; pid 2488, process tasklist.exe
  description: Token: SeDebugPrivilege; pid 2528, process NETSTAT.EXE
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 1628, process f18634cacad918b0425c9a7dddf0d022_JaffaCakes118.exe
  pid 1628, process f18634cacad918b0425c9a7dddf0d022_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (28 IoCs)
  description | pid | process | procid_target
  PID 1628 wrote to memory of 2464 | 1628 | f18634cacad918b0425c9a7dddf0d022_JaffaCakes118.exe | 28
  PID 1628 wrote to memory of 2464 | 1628 | f18634cacad918b0425c9a7dddf0d022_JaffaCakes118.exe | 28
  PID 1628 wrote to memory of 2464 | 1628 | f18634cacad918b0425c9a7dddf0d022_JaffaCakes118.exe | 28
  PID 1628 wrote to memory of 2464 | 1628 | f18634cacad918b0425c9a7dddf0d022_JaffaCakes118.exe | 28
  PID 2464 wrote to memory of 2952 | 2464 | cmd.exe | 30
  PID 2464 wrote to memory of 2952 | 2464 | cmd.exe | 30
  PID 2464 wrote to memory of 2952 | 2464 | cmd.exe | 30
  PID 2464 wrote to memory of 2952 | 2464 | cmd.exe | 30
  PID 2464 wrote to memory of 2476 | 2464 | cmd.exe | 31
  PID 2464 wrote to memory of 2476 | 2464 | cmd.exe | 31
  PID 2464 wrote to memory of 2476 | 2464 | cmd.exe | 31
  PID 2464 wrote to memory of 2476 | 2464 | cmd.exe | 31
  PID 2464 wrote to memory of 2488 | 2464 | cmd.exe | 32
  PID 2464 wrote to memory of 2488 | 2464 | cmd.exe | 32
  PID 2464 wrote to memory of 2488 | 2464 | cmd.exe | 32
  PID 2464 wrote to memory of 2488 | 2464 | cmd.exe | 32
  PID 2464 wrote to memory of 1224 | 2464 | cmd.exe | 34
  PID 2464 wrote to memory of 1224 | 2464 | cmd.exe | 34
  PID 2464 wrote to memory of 1224 | 2464 | cmd.exe | 34
  PID 2464 wrote to memory of 1224 | 2464 | cmd.exe | 34
  PID 1224 wrote to memory of 2764 | 1224 | net.exe | 35
  PID 1224 wrote to memory of 2764 | 1224 | net.exe | 35
  PID 1224 wrote to memory of 2764 | 1224 | net.exe | 35
  PID 1224 wrote to memory of 2764 | 1224 | net.exe | 35
  PID 2464 wrote to memory of 2528 | 2464 | cmd.exe | 36
  PID 2464 wrote to memory of 2528 | 2464 | cmd.exe | 36
  PID 2464 wrote to memory of 2528 | 2464 | cmd.exe | 36
  PID 2464 wrote to memory of 2528 | 2464 | cmd.exe | 36
Processes (indented by parent process)
C:\Users\Admin\AppData\Local\Temp\f18634cacad918b0425c9a7dddf0d022_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\f18634cacad918b0425c9a7dddf0d022_JaffaCakes118.exe"
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1628
  C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c ver >c:\windows\temp\flash.log & cmd /c set >>c:\windows\temp\flash.log & ipconfig /all >>c:\windows\temp\flash.log & tasklist >>c:\windows\temp\flash.log & net start>>c:\windows\temp\flash.log & netstat -an >>c:\windows\temp\flash.log
    - Suspicious use of WriteProcessMemory
    PID: 2464
    C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c set
      PID: 2952
    C:\Windows\SysWOW64\ipconfig.exe
      command line: ipconfig /all
      - Gathers network information
      PID: 2476
    C:\Windows\SysWOW64\tasklist.exe
      command line: tasklist
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
      PID: 2488
    C:\Windows\SysWOW64\net.exe
      command line: net start
      - Suspicious use of WriteProcessMemory
      PID: 1224
      C:\Windows\SysWOW64\net1.exe
        command line: C:\Windows\system32\net1 start
        PID: 2764
    C:\Windows\SysWOW64\NETSTAT.EXE
      command line: netstat -an
      - Gathers network information
      - Suspicious use of AdjustPrivilegeToken
      PID: 2528
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 8KB
MD5: 524361c3438360fa3470220f37014178
SHA1: ba25338b13edd67380e9837267ba5bfd8d87e1b7
SHA256: 30347b219912e52fad5f624488d3bb7faae24747670c48a20093174506307384
SHA512: 1e9f60c4c813194087baf5b1fe197e3f977092b76e98f93fd1d67ebc143538be65ff70bbe939c7a91db467ad65f13a70bad32301cbb6d2c59d77a4cb1b9e47ab