Analysis
- max time kernel: 141s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 19/04/2024, 18:21
Static task
- static1
Behavioral task
- behavioral1
  Sample: fae5bc119748afb806e0434ee5383ced_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task
- behavioral2
  Sample: fae5bc119748afb806e0434ee5383ced_JaffaCakes118.exe
  Resource: win10v2004-20240412-en
General
- Target: fae5bc119748afb806e0434ee5383ced_JaffaCakes118.exe
- Size: 419KB
- MD5: fae5bc119748afb806e0434ee5383ced
- SHA1: 20ccab4e26073dd84499aa4d5fda3956bb89aeea
- SHA256: 2254eef7ac6a99a1fb5427c1f6b822968f9be32cb585812d757e0ae8c7c0ed15
- SHA512: 2439e096ffa898a52cbb7b6f8240ddc7c453324ed66d001dd6298d845047ca378ea67ccb07a2cf42b1c9df81055f2e54763dfbe38f424c8f391b003d7699584c
- SSDEEP: 6144:8/QiQP0jOQcZN2Wo0V4g060xXyVlcG40eAw38o85XOC8T/FUyKGpM9CITU/o:UQiG0jOl2WT4glcGpX98iR4o
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid   Process
  2216  fae5bc119748afb806e0434ee5383ced_JaffaCakes118.tmp
- Loads dropped DLL (4 IoCs)
  pid   Process
  2008  fae5bc119748afb806e0434ee5383ced_JaffaCakes118.exe
  2216  fae5bc119748afb806e0434ee5383ced_JaffaCakes118.tmp
  2216  fae5bc119748afb806e0434ee5383ced_JaffaCakes118.tmp
  2216  fae5bc119748afb806e0434ee5383ced_JaffaCakes118.tmp
- Checks for any installed AV software in registry (1 TTP, 2 IoCs)
  description  ioc  Process
  Key opened  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\K7 Computing\K7TotalSecurity  fae5bc119748afb806e0434ee5383ced_JaffaCakes118.tmp
  Key opened  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Sophos\Sophos Anti-Virus  fae5bc119748afb806e0434ee5383ced_JaffaCakes118.tmp
- Script User-Agent (3 IoCs)
  Uses a user-agent string associated with a script host/environment.
  description  flow  ioc
  HTTP User-Agent header  3  Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header  5  Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header  6  Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid   Process
  2892  powershell.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  2216  fae5bc119748afb806e0434ee5383ced_JaffaCakes118.tmp
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description  pid  Process
  Token: SeDebugPrivilege  2892  powershell.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  description  pid  Process  procid_target
  PID 2008 wrote to memory of 2216  2008  fae5bc119748afb806e0434ee5383ced_JaffaCakes118.exe  28  (reported 7 times)
  PID 2216 wrote to memory of 2820  2216  fae5bc119748afb806e0434ee5383ced_JaffaCakes118.tmp  29  (reported 4 times)
  PID 2820 wrote to memory of 2892  2820  cmd.exe  31  (reported 4 times)
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\fae5bc119748afb806e0434ee5383ced_JaffaCakes118.exe (PID 2008)
  Command line: "C:\Users\Admin\AppData\Local\Temp\fae5bc119748afb806e0434ee5383ced_JaffaCakes118.exe"
  Signatures:
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - Level 2: C:\Users\Admin\AppData\Local\Temp\is-JFRV0.tmp\fae5bc119748afb806e0434ee5383ced_JaffaCakes118.tmp (PID 2216)
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-JFRV0.tmp\fae5bc119748afb806e0434ee5383ced_JaffaCakes118.tmp" /SL5="$70120,139431,56832,C:\Users\Admin\AppData\Local\Temp\fae5bc119748afb806e0434ee5383ced_JaffaCakes118.exe"
    Signatures:
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks for any installed AV software in registry
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    - Level 3: C:\Windows\SysWOW64\cmd.exe (PID 2820)
      Command line: "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-OQVGD.tmp\ex.bat""
      Signatures:
      - Suspicious use of WriteProcessMemory
      - Level 4: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2892)
        Command line: powershell.exe -inputformat none -NoProfile -NoLogo -Command "& {$avlist = @(); $os = Get-WmiObject Win32_OperatingSystem; if ($os.ProductType -eq 3) {Write-Host \"ServerOS|0\";} elseif ($os.Version -like \"5.*\") {Get-WmiObject -Namespace root\SecurityCenter -Class AntiVirusProduct | ForEach-Object {Write-Host \"$($_.displayName)|$(if ($_.onAccessScanningEnabled) {\"4096\"} else {\"0\"})\"};} else {Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiSpywareProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};} Write-Host ($avlist -join \"*\")}"
        Signatures:
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads