Analysis
max time kernel: 118s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 26/04/2024, 21:57
Static task: static1
Behavioral task: behavioral1
  Sample: 01c07d09ff212f857e96c20e57e4b4fc_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 01c07d09ff212f857e96c20e57e4b4fc_JaffaCakes118.exe
  Resource: win10v2004-20240426-en
General
Target: 01c07d09ff212f857e96c20e57e4b4fc_JaffaCakes118.exe
Size: 208KB
MD5: 01c07d09ff212f857e96c20e57e4b4fc
SHA1: 641f73b9004808f62c308c634993ed4137cee914
SHA256: 21579b6c8c0f5588ab7c20813f1fb0ba52e9a1647733456a39529327c45af8ed
SHA512: 8ddc52aa7fc4e31f335ae03d7caca969961efe66cd4253eb02ba495e737d0b59854ba8db123bc3b316cde8f00b3de185120a22d259d3484f3e100a4ea67066d1
SSDEEP: 6144:arYTgEMnRNL+I3YHBC/vMYRbbdfHKpkEj1:OBrI6U8IpkC
Malware Config
Signatures
Executes dropped EXE (1 IoCs)
  pid   Process
  2980  VPHS.exe

Loads dropped DLL (2 IoCs)
  pid   Process
  2232  cmd.exe
  2232  cmd.exe

Drops file in Windows directory (3 IoCs)
  description                   ioc                               Process
  File created                  C:\windows\system\VPHS.exe        01c07d09ff212f857e96c20e57e4b4fc_JaffaCakes118.exe
  File opened for modification  C:\windows\system\VPHS.exe        01c07d09ff212f857e96c20e57e4b4fc_JaffaCakes118.exe
  File created                  C:\windows\system\VPHS.exe.bat    01c07d09ff212f857e96c20e57e4b4fc_JaffaCakes118.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  1152  01c07d09ff212f857e96c20e57e4b4fc_JaffaCakes118.exe
  2980  VPHS.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
  pid   Process
  1152  01c07d09ff212f857e96c20e57e4b4fc_JaffaCakes118.exe
  1152  01c07d09ff212f857e96c20e57e4b4fc_JaffaCakes118.exe
  2980  VPHS.exe
  2980  VPHS.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description                         pid   Process                                              procid_target
  PID 1152 wrote to memory of 2232    1152  01c07d09ff212f857e96c20e57e4b4fc_JaffaCakes118.exe   28
  PID 1152 wrote to memory of 2232    1152  01c07d09ff212f857e96c20e57e4b4fc_JaffaCakes118.exe   28
  PID 1152 wrote to memory of 2232    1152  01c07d09ff212f857e96c20e57e4b4fc_JaffaCakes118.exe   28
  PID 1152 wrote to memory of 2232    1152  01c07d09ff212f857e96c20e57e4b4fc_JaffaCakes118.exe   28
  PID 2232 wrote to memory of 2980    2232  cmd.exe                                              30
  PID 2232 wrote to memory of 2980    2232  cmd.exe                                              30
  PID 2232 wrote to memory of 2980    2232  cmd.exe                                              30
  PID 2232 wrote to memory of 2980    2232  cmd.exe                                              30
Processes
C:\Users\Admin\AppData\Local\Temp\01c07d09ff212f857e96c20e57e4b4fc_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\01c07d09ff212f857e96c20e57e4b4fc_JaffaCakes118.exe"
  PID: 1152
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\windows\system\VPHS.exe.bat" "
    PID: 2232
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\windows\system\VPHS.exe
      Command line: C:\windows\system\VPHS.exe
      PID: 2980
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 68B
MD5: 5d770fbd12ee07784da19c50b97941a3
SHA1: 596e3b6c4a873f458c94a4061c7ecaaead018e48
SHA256: a22258a94f4bc57d5c65667a1d488700d95f9d115da43171f4872f42a4db8d46
SHA512: 4ad05caa86d902f40b15a933128f608b0c66797cd58034a1b7b1829f3e41672183adc34de98fe1b98292cce503df02565a7ca8fee7aefb78e1421245fba66470

Filesize: 208KB
MD5: 42850fd14f23aa7c55820fb19ede80e9
SHA1: 9bf5f1659132f3358db9e9662b947b754af3401c
SHA256: ca5a51ea40bf03674033f9d63de86e9d9453027f1c21a9fb4d58993988edaba3
SHA512: 9b4455b8203eb3e059acde98f6e834858b81f2c68a9de08350a5e8335edd6e65b158d97826cdfa25a474cc177187c7eb145e855a2720c5f34fcd2985bba14416