Analysis
- max time kernel: 120s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 16/04/2024, 12:10
Static task
- static1

Behavioral task
- behavioral1
  Sample: f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe
  Resource: win7-20240221-en

Behavioral task
- behavioral2
  Sample: f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
- Target: f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe
- Size: 356KB
- MD5: f377c45fa62047578d8d8650e5468a27
- SHA1: 529a01aab9d23110f151fba78380bea04399914d
- SHA256: 3962f70709fe4787c59a4a71f488fc40ec405f7d309df9a4da11380ef3e1a569
- SHA512: ba1606a5d36efd7a906f8e6c41aeb7e04003c0e2a2227fe15a157297601601a87050cb7321986d551d93e881dbd9bbfbf35b520f11f85005a31f30698b4a9e81
- SSDEEP: 6144:7vbx84d/xDLY1hn1sL9cXiBmagG12+cJfBUOyIjyDq:7XfLwsRcXciBUOf3
Malware Config
Signatures
- Deletes itself (1 IoCs)
  pid | Process
  - 2668 | rYNVOxKfBTgl.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  - 2560 | rYNVOxKfBTgl.exe
  - 2668 | rYNVOxKfBTgl.exe
- Loads dropped DLL (4 IoCs)
  pid | Process
  - 2796 | f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe
  - 2796 | f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe
  - 2796 | f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe
  - 2668 | rYNVOxKfBTgl.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  - Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\spxoFiL3t9Lvgo = "C:\\ProgramData\\JNKhpeYUcQh2W\\rYNVOxKfBTgl.exe" | f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe
- Suspicious use of SetThreadContext (3 IoCs)
  description | pid | Process | procid_target
  - PID 2372 set thread context of 2796 | 2372 | f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe | 28
  - PID 2560 set thread context of 2668 | 2560 | rYNVOxKfBTgl.exe | 30
  - PID 2668 set thread context of 2480 | 2668 | rYNVOxKfBTgl.exe | 32
- Suspicious use of WriteProcessMemory (26 IoCs)
  description | pid | Process | procid_target
  - PID 2372 wrote to memory of 2796 | 2372 | f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe | 28
  - PID 2372 wrote to memory of 2796 | 2372 | f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe | 28
  - PID 2372 wrote to memory of 2796 | 2372 | f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe | 28
  - PID 2372 wrote to memory of 2796 | 2372 | f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe | 28
  - PID 2372 wrote to memory of 2796 | 2372 | f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe | 28
  - PID 2372 wrote to memory of 2796 | 2372 | f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe | 28
  - PID 2796 wrote to memory of 2560 | 2796 | f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe | 29
  - PID 2796 wrote to memory of 2560 | 2796 | f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe | 29
  - PID 2796 wrote to memory of 2560 | 2796 | f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe | 29
  - PID 2796 wrote to memory of 2560 | 2796 | f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe | 29
  - PID 2560 wrote to memory of 2668 | 2560 | rYNVOxKfBTgl.exe | 30
  - PID 2560 wrote to memory of 2668 | 2560 | rYNVOxKfBTgl.exe | 30
  - PID 2560 wrote to memory of 2668 | 2560 | rYNVOxKfBTgl.exe | 30
  - PID 2560 wrote to memory of 2668 | 2560 | rYNVOxKfBTgl.exe | 30
  - PID 2560 wrote to memory of 2668 | 2560 | rYNVOxKfBTgl.exe | 30
  - PID 2560 wrote to memory of 2668 | 2560 | rYNVOxKfBTgl.exe | 30
  - PID 2668 wrote to memory of 2520 | 2668 | rYNVOxKfBTgl.exe | 31
  - PID 2668 wrote to memory of 2520 | 2668 | rYNVOxKfBTgl.exe | 31
  - PID 2668 wrote to memory of 2520 | 2668 | rYNVOxKfBTgl.exe | 31
  - PID 2668 wrote to memory of 2520 | 2668 | rYNVOxKfBTgl.exe | 31
  - PID 2668 wrote to memory of 2480 | 2668 | rYNVOxKfBTgl.exe | 32
  - PID 2668 wrote to memory of 2480 | 2668 | rYNVOxKfBTgl.exe | 32
  - PID 2668 wrote to memory of 2480 | 2668 | rYNVOxKfBTgl.exe | 32
  - PID 2668 wrote to memory of 2480 | 2668 | rYNVOxKfBTgl.exe | 32
  - PID 2668 wrote to memory of 2480 | 2668 | rYNVOxKfBTgl.exe | 32
  - PID 2668 wrote to memory of 2480 | 2668 | rYNVOxKfBTgl.exe | 32
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe"
  PID: 2372
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe"
    PID: 2796
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - [3] C:\ProgramData\JNKhpeYUcQh2W\rYNVOxKfBTgl.exe
      Command line: "C:\ProgramData\JNKhpeYUcQh2W\rYNVOxKfBTgl.exe"
      PID: 2560
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      - [4] C:\ProgramData\JNKhpeYUcQh2W\rYNVOxKfBTgl.exe
        Command line: "C:\ProgramData\JNKhpeYUcQh2W\rYNVOxKfBTgl.exe"
        PID: 2668
        - Deletes itself
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        - [5] C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe
          Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe" /i:2668
          PID: 2520
        - [5] C:\Program Files (x86)\Windows Media Player\wmpshare.exe
          Command line: "C:\Program Files (x86)\Windows Media Player\wmpshare.exe" /i:2668
          PID: 2480
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 356KB
  MD5: 7989d519dfa094e3a6c458cbe26a8ebd
  SHA1: fa856b25c180fa83a5d0a2d6648c8917a750dee3
  SHA256: f2c2042df7f9510939b609952c4bb5bad4470f136cc4f403a850f7b9c01aff27
  SHA512: 3598565f3f30586708bd16b9ecaa773f6271239d18fecae3fb0ae0b74c005ad8f1e53d9f2a2a26d527f9a137fa9da41167642c3832035dedd2a26afbea3f8fcc
- Filesize: 356KB
  MD5: f377c45fa62047578d8d8650e5468a27
  SHA1: 529a01aab9d23110f151fba78380bea04399914d
  SHA256: 3962f70709fe4787c59a4a71f488fc40ec405f7d309df9a4da11380ef3e1a569
  SHA512: ba1606a5d36efd7a906f8e6c41aeb7e04003c0e2a2227fe15a157297601601a87050cb7321986d551d93e881dbd9bbfbf35b520f11f85005a31f30698b4a9e81