Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 118s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 02/05/2024, 22:37
Static task
- static1

Behavioral task
- behavioral1
  Sample: 0f0a325038e6b73c763ea43167fd174f_JaffaCakes118.jad
  Resource: win7-20240221-en

Behavioral task
- behavioral2
  Sample: 0f0a325038e6b73c763ea43167fd174f_JaffaCakes118.jad
  Resource: win10v2004-20240419-en
General
- Target: 0f0a325038e6b73c763ea43167fd174f_JaffaCakes118.jad
- Size: 64KB
- MD5: 0f0a325038e6b73c763ea43167fd174f
- SHA1: 62702709e24f83a470998d8371fe210144a75bf6
- SHA256: 7ce22c078ab3333a227b869d411232a92a844acd1ddfb96a14bd931943edaedf
- SHA512: 6a5488b70c4f4285d9e93540be918580e9e019a8c354f098bc686c4ef5ac710d9b1f7577eb5bc9d4c4f6f37ed1b59579b1a8a2c49983f148fd2fa9669d0691e5
- SSDEEP: 1536:exY2pxBWG1vAxhEopjvtK2MjWOgVcfseL5y:cVhYVlFUjWOgmfsedy
Malware Config
Signatures
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (9 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_Classes\Local Settings | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\jad_auto_file | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.jad | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\jad_auto_file\shell\Read | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\jad_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\jad_auto_file\ | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.jad\ = "jad_auto_file" | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\jad_auto_file\shell | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\jad_auto_file\shell\Read\command | rundll32.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  2852 | AcroRd32.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  2852 | AcroRd32.exe
  2852 | AcroRd32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | Process | procid_target
  PID 1940 wrote to memory of 2592 | 1940 | cmd.exe | 29
  PID 1940 wrote to memory of 2592 | 1940 | cmd.exe | 29
  PID 1940 wrote to memory of 2592 | 1940 | cmd.exe | 29
  PID 2592 wrote to memory of 2852 | 2592 | rundll32.exe | 30
  PID 2592 wrote to memory of 2852 | 2592 | rundll32.exe | 30
  PID 2592 wrote to memory of 2852 | 2592 | rundll32.exe | 30
  PID 2592 wrote to memory of 2852 | 2592 | rundll32.exe | 30
Processes
- C:\Windows\system32\cmd.exe (depth 1)
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\0f0a325038e6b73c763ea43167fd174f_JaffaCakes118.jad
  - Suspicious use of WriteProcessMemory
  PID: 1940
  - C:\Windows\system32\rundll32.exe (depth 2)
    Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\0f0a325038e6b73c763ea43167fd174f_JaffaCakes118.jad
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 2592
    - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (depth 3)
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\0f0a325038e6b73c763ea43167fd174f_JaffaCakes118.jad"
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      PID: 2852
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3KB
  MD5: 0f817779b2b49b1055acf47ae31e6892
  SHA1: 9342eb724414344b6c392bfbeb9ef323660b97c8
  SHA256: f5632057db0df0cf0275e6dad1c75853eff9e1bc1c7b37e5d6699e42cfd7818c
  SHA512: 223e33e18f403dd29d19ea8db1d80aabff1d1ed12ab090abd3943af17f8bbd487d63d270fd1682c79d326a5b6c5938a7194e30b75cd8eca564637ae5399020b8