Analysis
max time kernel: 140s
max time network: 118s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 21/04/2024, 06:25
Static task: static1
Behavioral task: behavioral1
  Sample: fea58d9d6c8ffe3fa4bbbf067b95c9f1_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: fea58d9d6c8ffe3fa4bbbf067b95c9f1_JaffaCakes118.exe
  Resource: win10v2004-20240412-en
General
Target: fea58d9d6c8ffe3fa4bbbf067b95c9f1_JaffaCakes118.exe
Size: 209KB
MD5: fea58d9d6c8ffe3fa4bbbf067b95c9f1
SHA1: d888b58da02629e2741e3d85c1cd8b3e9c7b9df4
SHA256: 7f0b5209ef361052f519f4d6cf088e953aaef5e530e906dcbcdf583c8272739f
SHA512: df6656f0869463f2141f7a3cf3b691bc95cafd47f2b298ddac5bec3f52679312b07ebb7037476a94c27da2b5b0d246063664ed03a7779d63f4d1f109cac362d5
SSDEEP: 6144:Dl2/rr3UFw0bh+RxYclqC24LwzG7Su+UqK9FbLeF:QE+wxcl52UwUSaLL
Malware Config
Signatures
Executes dropped EXE (3 IoCs)
pid   Process
2512  u.dll
2576  u.dll
1248  mpress.exe

Loads dropped DLL (6 IoCs)
pid   Process
3016  cmd.exe
3016  cmd.exe
3016  cmd.exe
3016  cmd.exe
2576  u.dll
2576  u.dll

Suspicious use of WriteProcessMemory (20 IoCs)
description                       pid   Process                                              procid_target
PID 2184 wrote to memory of 3016  2184  fea58d9d6c8ffe3fa4bbbf067b95c9f1_JaffaCakes118.exe  29
PID 2184 wrote to memory of 3016  2184  fea58d9d6c8ffe3fa4bbbf067b95c9f1_JaffaCakes118.exe  29
PID 2184 wrote to memory of 3016  2184  fea58d9d6c8ffe3fa4bbbf067b95c9f1_JaffaCakes118.exe  29
PID 2184 wrote to memory of 3016  2184  fea58d9d6c8ffe3fa4bbbf067b95c9f1_JaffaCakes118.exe  29
PID 3016 wrote to memory of 2512  3016  cmd.exe                                              30
PID 3016 wrote to memory of 2512  3016  cmd.exe                                              30
PID 3016 wrote to memory of 2512  3016  cmd.exe                                              30
PID 3016 wrote to memory of 2512  3016  cmd.exe                                              30
PID 3016 wrote to memory of 2576  3016  cmd.exe                                              31
PID 3016 wrote to memory of 2576  3016  cmd.exe                                              31
PID 3016 wrote to memory of 2576  3016  cmd.exe                                              31
PID 3016 wrote to memory of 2576  3016  cmd.exe                                              31
PID 2576 wrote to memory of 1248  2576  u.dll                                                32
PID 2576 wrote to memory of 1248  2576  u.dll                                                32
PID 2576 wrote to memory of 1248  2576  u.dll                                                32
PID 2576 wrote to memory of 1248  2576  u.dll                                                32
PID 3016 wrote to memory of 1532  3016  cmd.exe                                              33
PID 3016 wrote to memory of 1532  3016  cmd.exe                                              33
PID 3016 wrote to memory of 1532  3016  cmd.exe                                              33
PID 3016 wrote to memory of 1532  3016  cmd.exe                                              33
Processes
C:\Users\Admin\AppData\Local\Temp\fea58d9d6c8ffe3fa4bbbf067b95c9f1_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fea58d9d6c8ffe3fa4bbbf067b95c9f1_JaffaCakes118.exe"
  - Suspicious use of WriteProcessMemory
  PID: 2184

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\1861.tmp\vir.bat""
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 3016

    C:\Users\Admin\AppData\Local\Temp\u.dll
      Command line: u.dll -bat vir.bat -save fea58d9d6c8ffe3fa4bbbf067b95c9f1_JaffaCakes118.exe.com -include s.dll -overwrite -nodelete
      - Executes dropped EXE
      PID: 2512

    C:\Users\Admin\AppData\Local\Temp\u.dll
      Command line: u.dll -bat vir.bat -save ose00000.exe.com -include s.dll -overwrite -nodelete
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID: 2576

      C:\Users\Admin\AppData\Local\Temp\3469.tmp\mpress.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\3469.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe346A.tmp"
        - Executes dropped EXE
        PID: 1248

    C:\Windows\SysWOW64\calc.exe
      Command line: CALC.EXE
      PID: 1532
Network
MITRE ATT&CK Matrix
Downloads