Analysis
max time kernel: 120s
max time network: 120s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 05/05/2024, 06:52
Static task: static1
Behavioral task behavioral1: sample 167c0f4885cb6d9fc13c967bfceeb939_JaffaCakes118.exe, resource win7-20240221-en
Behavioral task behavioral2: sample 167c0f4885cb6d9fc13c967bfceeb939_JaffaCakes118.exe, resource win10v2004-20240419-en
Behavioral task behavioral3: sample $PLUGINSDIR/StdUtils.dll, resource win7-20240220-en
Behavioral task behavioral4: sample $PLUGINSDIR/StdUtils.dll, resource win10v2004-20240419-en
Behavioral task behavioral5: sample $_3_.exe, resource win7-20240221-en
Behavioral task behavioral6: sample $_3_.exe, resource win10v2004-20240419-en
General
Target: $_3_.exe
Size: 1.8MB
MD5: e35e058dd2119eb0f0e852f8738fbab5
SHA1: b7f9388398a9643eddb97a6c2ebaf28b6189c9a8
SHA256: 17158e4838c580edce7f87e677531324579734a5ffbabefac8ce038030f11556
SHA512: d42ec1b3875e5a5cb23e520c2633081304d61ea282407dbb52d4b8c58bee4ccec377e291b485d6e6f5490920838c4b520fcd029897c6be4ac5da3bf19e46ac2c
SSDEEP: 49152:rc4u49CbNSFXVJUtSH9zaTRpSWa6zjQWLtm5YXld:rz4GFJUtYf
Malware Config
Signatures
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (1 IoCs)
pid   process
1908  $_3_.exe
Suspicious use of SetWindowsHookEx (3 IoCs)
pid   process
1908  $_3_.exe
1908  $_3_.exe
1908  $_3_.exe
Suspicious use of WriteProcessMemory (4 IoCs)
description                       pid   process   procid_target
PID 1908 wrote to memory of 2136  1908  $_3_.exe  30
PID 1908 wrote to memory of 2136  1908  $_3_.exe  30
PID 1908 wrote to memory of 2136  1908  $_3_.exe  30
PID 1908 wrote to memory of 2136  1908  $_3_.exe  30
Processes
C:\Users\Admin\AppData\Local\Temp\$_3_.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\$_3_.exe"
  depth 1, PID 1908
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\10273.bat" "C:\Users\Admin\AppData\Local\Temp\5CF39B0703AD4A1BAAA3505DE0462BDA\""
    depth 2, PID 2136
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 544B
MD5: 64d9b2e67d9402c093e145a1bce4b918
SHA1: 8b15b0d4457b670a113e74c3b077714fea2f2f37
SHA256: 33a143fc4d4b300ec30ce62d4845e70802ec4719e3b99baaa9d5c57bd39ec55b
SHA512: 686004e6d3571bf9dee81029e40da19c08387763a17c5a51a4148daebc5467f501f951075d43f3f7cd41748ca0e7d4f71485119fb216604ae8c2079ac3d12a03

Filesize: 212B
MD5: 668767f1e0c7ff2b3960447e259e9f00
SHA1: 32d8abf834cce72f5e845175a0af2513b00504d8
SHA256: cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d
SHA512: c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

C:\Users\Admin\AppData\Local\Temp\5CF39B0703AD4A1BAAA3505DE0462BDA\5CF39B0703AD4A1BAAA3505DE0462BDA_LogFile.txt
Filesize: 5KB
MD5: 95d746559b528b7d6ec4b69103b53e50
SHA1: 206f98d0e60468bc70d30d8689d24a5d9cce9f63
SHA256: e1567fbb2f91405f9b564b56eb6c7ecd39b7d3d4553172827e566afe34b2ee3e
SHA512: 8e1c2f6b3a137acb533a81938aa01b07ba7b2d71bf673cffa5bd05ea48e073a95f5fbc29f1d4977d4532ee6e2e84613a397224ad11e33a179d67c1e51fe72744

Filesize: 108KB
MD5: cf8d403ca3e13a5291c8e965a6d7b907
SHA1: a3825dd594eb636a02775a9938822bdf9fb3635f
SHA256: a50dd713370e8fe63d20c28984bac6b9c19ee994607b40b5cfd45d48fd2187b5
SHA512: b5fedfa210a65a23b10834ea7c67d290bf993859b29ebddd3fa9c1e3c1db95c348da6c6f7551eaedd9f61c0eece644769d987a584a1a94e9883ffadaa69d65d1