Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
  max time kernel: 144s
  max time network: 147s
  platform: windows7_x64
  resource: win7-20240221-en
  resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  submitted: 21/04/2024, 08:53
Static task: static1
Behavioral task: behavioral1
  Sample: fee84a3e918c3cca39ffc118bf5590e3_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: fee84a3e918c3cca39ffc118bf5590e3_JaffaCakes118.exe
  Resource: win10v2004-20240412-en
General
  Target: fee84a3e918c3cca39ffc118bf5590e3_JaffaCakes118.exe
  Size: 320KB
  MD5: fee84a3e918c3cca39ffc118bf5590e3
  SHA1: de45b4e4885d2f85a0b584bdfeeb51eda4dd8ae2
  SHA256: eb0cfa64be185bba99d30d1c965decfc330d8dca6c89f083a24b550e2c8b9203
  SHA512: 26d1deca007e21f828f3d9f4b80ad6fcc2ff11f92f3a133b8ebbaf7f893d36f384406659979b0452d807784b3273fd0a58c77d3d79e5c079c13117094e5305fa
  SSDEEP: 6144:Tjcd8YcU72998kF5YHvTD/mstQGE8xl0qHEDQD8yu:Ed3yxW3/msv9hu
Malware Config
Signatures
  Deletes itself (1 IoC)
    pid 2780  cmd.exe
  Executes dropped EXE (1 IoC)
    pid 2756  upjawyva.exe
  Loads dropped DLL (4 IoCs)
    pid 2780  cmd.exe
    pid 2780  cmd.exe
    pid 2756  upjawyva.exe
    pid 2756  upjawyva.exe
  Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  Kills process with taskkill (1 IoC)
    pid 2572  taskkill.exe
  Runs ping.exe (1 TTP, 1 IoC)
    pid 2472  PING.EXE
  Suspicious behavior: EnumeratesProcesses (1 IoC)
    pid 2756  upjawyva.exe
  Suspicious behavior: GetForegroundWindowSpam (1 IoC)
    pid 2756  upjawyva.exe
  Suspicious use of AdjustPrivilegeToken (1 IoC)
    Token: SeDebugPrivilege  pid 2572  taskkill.exe
  Suspicious use of FindShellTrayWindow (3 IoCs)
    pid 2756  upjawyva.exe
    pid 2756  upjawyva.exe
    pid 2756  upjawyva.exe
  Suspicious use of SendNotifyMessage (3 IoCs)
    pid 2756  upjawyva.exe
    pid 2756  upjawyva.exe
    pid 2756  upjawyva.exe
  Suspicious use of WriteProcessMemory (16 IoCs)
    description                       pid   Process                                             procid_target
    PID 2948 wrote to memory of 2780  2948  fee84a3e918c3cca39ffc118bf5590e3_JaffaCakes118.exe  28
    PID 2948 wrote to memory of 2780  2948  fee84a3e918c3cca39ffc118bf5590e3_JaffaCakes118.exe  28
    PID 2948 wrote to memory of 2780  2948  fee84a3e918c3cca39ffc118bf5590e3_JaffaCakes118.exe  28
    PID 2948 wrote to memory of 2780  2948  fee84a3e918c3cca39ffc118bf5590e3_JaffaCakes118.exe  28
    PID 2780 wrote to memory of 2572  2780  cmd.exe                                             30
    PID 2780 wrote to memory of 2572  2780  cmd.exe                                             30
    PID 2780 wrote to memory of 2572  2780  cmd.exe                                             30
    PID 2780 wrote to memory of 2572  2780  cmd.exe                                             30
    PID 2780 wrote to memory of 2472  2780  cmd.exe                                             32
    PID 2780 wrote to memory of 2472  2780  cmd.exe                                             32
    PID 2780 wrote to memory of 2472  2780  cmd.exe                                             32
    PID 2780 wrote to memory of 2472  2780  cmd.exe                                             32
    PID 2780 wrote to memory of 2756  2780  cmd.exe                                             33
    PID 2780 wrote to memory of 2756  2780  cmd.exe                                             33
    PID 2780 wrote to memory of 2756  2780  cmd.exe                                             33
    PID 2780 wrote to memory of 2756  2780  cmd.exe                                             33
Processes
  C:\Users\Admin\AppData\Local\Temp\fee84a3e918c3cca39ffc118bf5590e3_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\fee84a3e918c3cca39ffc118bf5590e3_JaffaCakes118.exe"
    PID: 2948
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c taskkill /f /pid 2948 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\fee84a3e918c3cca39ffc118bf5590e3_JaffaCakes118.exe" & start C:\Users\Admin\AppData\Local\upjawyva.exe -f
      PID: 2780
      - Deletes itself
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /f /pid 2948
        PID: 2572
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\PING.EXE
        Command line: ping -n 3 127.1
        PID: 2472
        - Runs ping.exe
      C:\Users\Admin\AppData\Local\upjawyva.exe
        Command line: C:\Users\Admin\AppData\Local\upjawyva.exe -f
        PID: 2756
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 320KB
  MD5: fee84a3e918c3cca39ffc118bf5590e3
  SHA1: de45b4e4885d2f85a0b584bdfeeb51eda4dd8ae2
  SHA256: eb0cfa64be185bba99d30d1c965decfc330d8dca6c89f083a24b550e2c8b9203
  SHA512: 26d1deca007e21f828f3d9f4b80ad6fcc2ff11f92f3a133b8ebbaf7f893d36f384406659979b0452d807784b3273fd0a58c77d3d79e5c079c13117094e5305fa