Analysis
max time kernel: 118s
max time network: 121s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 15/04/2024, 19:37
Static task: static1
Behavioral task: behavioral1
  Sample: f1c3f3fd59134c31b3448774b293bf95_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: f1c3f3fd59134c31b3448774b293bf95_JaffaCakes118.exe
  Resource: win10v2004-20240412-en
The signatures and process tree below are from the behavioral1 run (platform windows7_x64, resource win7-20240221-en).
General
Target: f1c3f3fd59134c31b3448774b293bf95_JaffaCakes118.exe
Size: 32KB
MD5: f1c3f3fd59134c31b3448774b293bf95
SHA1: e9115855617c9c1bbd1e9d2fa6e0d6fecc803e6c
SHA256: 69fddd7d5610aaf5c007a7bf4d42ccec1f0ee2d6f33e3a3e5d1caac5be483ce1
SHA512: 28fc259b9253049d741e7fe0cfb14704d2e0a08991801989727109896d27608a48081f123c18176d959ce841c62575fb61e773f959ce9bc6729dbf7a943993ed
SSDEEP: 768:4T4wO+LokS0JARrVibDdPNfLxdGGVRSnZj5gjvb:wOaqrVSfq55ub
Malware Config
(no configuration extracted for this sample)

Signatures

Deletes itself (1 IoC)
pid   Process
2072  cmd.exe
The deleted file is C:\Users\Admin\AppData\Local\Temp\F1C3F3~1.EXE, the 8.3 short name of the submitted sample (see the process tree). The second cmd.exe (PID 2800) does the same for the dropped copy, C:\Windows\SysWOW64\WINHEL~1.EXE, although the signature only counts the first.

Executes dropped EXE (1 IoC)
pid   Process
1700  WinHelp32.exe

Loads dropped DLL (2 IoCs)
pid   Process
2300  f1c3f3fd59134c31b3448774b293bf95_JaffaCakes118.exe
2300  f1c3f3fd59134c31b3448774b293bf95_JaffaCakes118.exe

Drops file in System32 directory (3 IoCs)
description                   ioc                                Process
File created                  C:\Windows\SysWOW64\WinHelp32.exe  WinHelp32.exe
File created                  C:\Windows\SysWOW64\WinHelp32.exe  f1c3f3fd59134c31b3448774b293bf95_JaffaCakes118.exe
File opened for modification  C:\Windows\SysWOW64\WinHelp32.exe  f1c3f3fd59134c31b3448774b293bf95_JaffaCakes118.exe
The sample is 32-bit (resource tag arch:x86) running on 64-bit Windows, so a write to C:\Windows\system32 is redirected by WOW64 to C:\Windows\SysWOW64; that is why the file lands in SysWOW64 even though the dropped process is later launched with a system32 command line.

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description                        pid   Process
Token: SeIncBasePriorityPrivilege  2300  f1c3f3fd59134c31b3448774b293bf95_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege  1700  WinHelp32.exe
Enabling this privilege is a weak signal on its own; the notable point is that both the dropper and its dropped copy do it, consistent with the same code running twice.

Suspicious use of WriteProcessMemory (12 IoCs)
description                       pid   Process                                             procid_target  count
PID 2300 wrote to memory of 1700  2300  f1c3f3fd59134c31b3448774b293bf95_JaffaCakes118.exe  28             4
PID 2300 wrote to memory of 2072  2300  f1c3f3fd59134c31b3448774b293bf95_JaffaCakes118.exe  29             4
PID 1700 wrote to memory of 2800  1700  WinHelp32.exe                                       30             4
procid_target is the report's internal process index, not a PID. Every write target is a direct child spawned by the writing process (compare the process tree), which is consistent with ordinary process creation rather than injection into an unrelated process; nothing in the report shows writes to a process outside this tree.
Processes
C:\Users\Admin\AppData\Local\Temp\f1c3f3fd59134c31b3448774b293bf95_JaffaCakes118.exe (PID 2300)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f1c3f3fd59134c31b3448774b293bf95_JaffaCakes118.exe"
  Signatures: Loads dropped DLL; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  |
  +-- C:\Windows\SysWOW64\WinHelp32.exe (PID 1700)
  |     Command line: "C:\Windows\system32\WinHelp32.exe"
  |     Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  |     |
  |     +-- C:\Windows\SysWOW64\cmd.exe (PID 2800)
  |           Command line: C:\Windows\system32\cmd.exe /C del C:\Windows\SysWOW64\WINHEL~1.EXE > nul
  |
  +-- C:\Windows\SysWOW64\cmd.exe (PID 2072)
        Command line: C:\Windows\system32\cmd.exe /C del C:\Users\Admin\AppData\Local\Temp\F1C3F3~1.EXE > nul
        Signatures: Deletes itself

Both cmd.exe instances are launched with a system32 path but run from SysWOW64, again because the 32-bit parent is subject to WOW64 file system redirection. The del targets use 8.3 short names (WINHEL~1.EXE for WinHelp32.exe, F1C3F3~1.EXE for the sample), which a naive string match on the long file name will miss.
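The two behaviours worth alerting on here are self-deletion through cmd.exe (a child deleting the image of the process that spawned it) and execution of a binary that the same tree just wrote into SysWOW64. The following is an added example, not part of the tria.ge report or of any detection the service ships: it runs that logic over process-creation and file-creation events constructed from the tree above. The parent PID of the sample itself is unknown from the report and is left as None; the 8.3 short-name matching is a heuristic (first six characters of the long stem plus a tilde suffix) that covers names without spaces or extra dots, not a full short-name resolver.

```python
"""Flag cmd.exe self-deletion and execution of freshly dropped system binaries."""
import re

# Constructed process-creation events modelled on the report's process tree.
EVENTS = [
    {"pid": 2300, "ppid": None,  # parent of the sample is not shown in the report
     "image": r"C:\Users\Admin\AppData\Local\Temp\f1c3f3fd59134c31b3448774b293bf95_JaffaCakes118.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\f1c3f3fd59134c31b3448774b293bf95_JaffaCakes118.exe"'},
    {"pid": 1700, "ppid": 2300,
     "image": r"C:\Windows\SysWOW64\WinHelp32.exe",
     "cmdline": r'"C:\Windows\system32\WinHelp32.exe"'},
    {"pid": 2072, "ppid": 2300,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /C del C:\Users\Admin\AppData\Local\Temp\F1C3F3~1.EXE > nul"},
    {"pid": 2800, "ppid": 1700,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /C del C:\Windows\SysWOW64\WINHEL~1.EXE > nul"},
]

# Constructed file-creation events taken from "Drops file in System32 directory".
FILE_EVENTS = [
    {"pid": 2300, "path": r"C:\Windows\SysWOW64\WinHelp32.exe"},
    {"pid": 1700, "path": r"C:\Windows\SysWOW64\WinHelp32.exe"},
]

# "del [/switches] <target>"; target may be quoted. Redirections (> nul) are ignored.
DEL_RE = re.compile(r'\bdel\b\s+(?:/\w+\s+)*("[^"]+"|\S+)', re.IGNORECASE)
SHORT_STEM_RE = re.compile(r"([A-Z0-9_\-]{1,6})~\d+")


def split_name(name):
    """Split 'WinHelp32.exe' into ('WINHELP32', 'EXE'); no dot -> empty ext."""
    stem, dot, ext = name.upper().rpartition(".")
    return (stem, ext) if dot else (name.upper(), "")


def short_name_matches(short, long):
    """Heuristic: an 8.3 short name (WINHEL~1.EXE) matches a long name
    (WinHelp32.exe) when the extensions agree and the long stem starts with
    the characters before the tilde. Plain equal names also match."""
    s_stem, s_ext = split_name(short)
    l_stem, l_ext = split_name(long)
    m = SHORT_STEM_RE.fullmatch(s_stem)
    if m is None:
        return s_stem == l_stem and s_ext == l_ext
    return s_ext == l_ext and l_stem.startswith(m.group(1))


def same_path(a, b):
    """Case-insensitive path comparison tolerating a short name in the last component."""
    a_dir, _, a_name = a.replace("/", "\\").rpartition("\\")
    b_dir, _, b_name = b.replace("/", "\\").rpartition("\\")
    if a_dir.lower() != b_dir.lower():
        return False
    return short_name_matches(a_name, b_name) or short_name_matches(b_name, a_name)


def find_self_deletions(events):
    """Return (cmd_pid, parent_pid, target) for each cmd.exe whose 'del' target
    is the image of the process that spawned it."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if not e["image"].lower().endswith("\\cmd.exe"):
            continue
        m = DEL_RE.search(e["cmdline"])
        if m is None:
            continue
        target = m.group(1).strip('"')
        parent = by_pid.get(e["ppid"])
        if parent is not None and same_path(target, parent["image"]):
            hits.append((e["pid"], parent["pid"], target))
    return hits


def find_dropped_system_executions(events, file_events):
    """Return (creator_pid, exec_pid, image) where a process wrote a file under
    System32 or SysWOW64 and that file then ran as a different process."""
    created = {}
    for f in file_events:
        created.setdefault(f["path"].lower(), f["pid"])  # first writer is the dropper
    hits = []
    for e in events:
        img = e["image"].lower()
        if "\\windows\\syswow64\\" not in img and "\\windows\\system32\\" not in img:
            continue
        creator = created.get(img)
        if creator is not None and creator != e["pid"]:
            hits.append((creator, e["pid"], e["image"]))
    return hits


if __name__ == "__main__":
    for hit in find_self_deletions(EVENTS):
        print("self-deletion:", hit)
    for hit in find_dropped_system_executions(EVENTS, FILE_EVENTS):
        print("dropped system binary executed:", hit)
```

On real telemetry the del target from a 32-bit process may be written as a system32 path that WOW64 redirects to SysWOW64, so a production rule should compare both spellings of the directory before deciding the paths differ.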
Network
(nothing recorded)
Downloads
Filesize: 32KB
MD5: f1c3f3fd59134c31b3448774b293bf95
SHA1: e9115855617c9c1bbd1e9d2fa6e0d6fecc803e6c
SHA256: 69fddd7d5610aaf5c007a7bf4d42ccec1f0ee2d6f33e3a3e5d1caac5be483ce1
SHA512: 28fc259b9253049d741e7fe0cfb14704d2e0a08991801989727109896d27608a48081f123c18176d959ce841c62575fb61e773f959ce9bc6729dbf7a943993ed