Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 148s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 21/04/2024, 03:44
Behavioral task: behavioral1
- Sample: fe59dcb118d51aef74acc8140866d7fa_JaffaCakes118.exe
- Resource: win7-20240221-en
General
- Target: fe59dcb118d51aef74acc8140866d7fa_JaffaCakes118.exe
- Size: 81KB
- MD5: fe59dcb118d51aef74acc8140866d7fa
- SHA1: 80d93e5db6ea8213de203eb95e2356e24effcc74
- SHA256: b634efb07d33e2c97e695b8243a03ce3e4c479eda37317dafb15764c9891decd
- SHA512: 9fd59926f4dc0ede73b465dae49b9bff73cf29fbd633c9340ecbce1d032aecac4c4a7e30671ad85c71aa9948301421601685dc64aa68ec62f230f8c91db2febe
- SSDEEP: 1536:+VtjAKqURk0Ex/tIWLSYGc5cmFF+TTdGka2dQe5GrpXLap:CN1qURFY/RLSO5cmFY9GMdKGp
Malware Config
Signatures
- Detect Blackmoon payload (2 IoCs)
  resource                                                                     yara_rule
  behavioral1/memory/2704-19-0x0000000000400000-0x000000000046B000-memory.dmp  family_blackmoon
  behavioral1/memory/2196-9-0x0000000000400000-0x000000000046B000-memory.dmp   family_blackmoon
- Deletes itself (1 IoCs)
  pid   Process
  2704  Systemlfesi.exe
- Executes dropped EXE (1 IoCs)
  pid   Process
  2704  Systemlfesi.exe
- Loads dropped DLL (2 IoCs)
  pid   Process
  2196  fe59dcb118d51aef74acc8140866d7fa_JaffaCakes118.exe
  2196  fe59dcb118d51aef74acc8140866d7fa_JaffaCakes118.exe
- yara_rule upx (signature name not present on the page)
  resource                                                                     yara_rule
  behavioral1/memory/2196-0-0x0000000000400000-0x000000000046B000-memory.dmp   upx
  behavioral1/files/0x0007000000014b63-8.dat                                   upx
  behavioral1/memory/2704-19-0x0000000000400000-0x000000000046B000-memory.dmp  upx
  behavioral1/memory/2196-9-0x0000000000400000-0x000000000046B000-memory.dmp   upx
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  2196  fe59dcb118d51aef74acc8140866d7fa_JaffaCakes118.exe  (6 entries)
  2704  Systemlfesi.exe                                      (the remaining 58 entries)
- Suspicious use of WriteProcessMemory (4 IoCs)
  description                       pid   Process                                              procid_target
  PID 2196 wrote to memory of 2704  2196  fe59dcb118d51aef74acc8140866d7fa_JaffaCakes118.exe  29
  (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\fe59dcb118d51aef74acc8140866d7fa_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\fe59dcb118d51aef74acc8140866d7fa_JaffaCakes118.exe"
  PID: 2196
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Systemlfesi.exe
    "C:\Users\Admin\AppData\Local\Temp\Systemlfesi.exe"
    PID: 2704
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 84B
  MD5: aba9cd664e9da8bca0399f2e19245fa3
  SHA1: 20de734829af8497baf8e663e38ea5d98f5bea74
  SHA256: e2c1bddc46dcd965af9f787b8a0cef22c47703838fc7955f936b6e79890ee2af
  SHA512: 8305d8976c46f8029f6df10131f8a84740bed834aaa9ace4d71ac7936ef5ed457f5b0b0094833f4a8fb12b69a85410945c89eae2eea8492a520c4bc11258489d
- Filesize: 81KB
  MD5: f8fc7c3a73ea4887485f9154a0bb2126
  SHA1: 2420adce11bb1a0ab4b2fc674fd568fd34654f68
  SHA256: 1cdac4e16816fee7b02ca78aeaa9b5be918c8aa757d266cb651e8d73124754e8
  SHA512: 826c0302325fc48d32dbba1dbe87b0ba0a9c0d657016c000ecd30e191f852cc7b501533b769ad7dbda0af9b5b798c00e59acb20422c9a10d2a4789615c3937a7