Analysis
max time kernel: 122s
max time network: 123s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 11/05/2024, 11:26 UTC
Static task: static1

Behavioral tasks (this page shows the results of behavioral1, the win7-20240508-en run)
behavioral1: 345afdeff01a318bae48ef80ec680227_JaffaCakes118.exe on win7-20240508-en
behavioral2: 345afdeff01a318bae48ef80ec680227_JaffaCakes118.exe on win10v2004-20240508-en
behavioral3: $_3_.exe on win7-20240221-en
behavioral4: $_3_.exe on win10v2004-20240508-en
General
Target: 345afdeff01a318bae48ef80ec680227_JaffaCakes118.exe
Size: 967KB
MD5: 345afdeff01a318bae48ef80ec680227
SHA1: 1388f456fabffe068de6e39429afee0a0b4c9c72
SHA256: 58cb93ebbf4fb0ccfa194ba814b45eb4413d9122a911806ca799494a7746b971
SHA512: 2a7a4fe80de99462dbad49a087536dd93fd1904fd1ea47f2da711c006ac39b37ca91014a9067e8bc5c63d8b89028ab3e640b0acbec24bdabde83b3d861e21758
SSDEEP: 24576:ztXCT35bEN60Yc/rMegvH6RK1aeGokgwHv:zKBtV6MjvH6RIrDCv
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid 2940  internal345afdeff01a318bae48ef80ec680227_JaffaCakes118.exe
Loads dropped DLL (1 IoC)
  pid 3048  345afdeff01a318bae48ef80ec680227_JaffaCakes118.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Runs ping.exe (1 TTP, 1 IoC)
  pid 1652  PING.EXE
Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid 2940  internal345afdeff01a318bae48ef80ec680227_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx (3 IoCs)
  pid 2940  internal345afdeff01a318bae48ef80ec680227_JaffaCakes118.exe (3 calls)
Suspicious use of WriteProcessMemory (15 IoCs)
  source pid | source process | target pid | procid_target | writes
  3048 | 345afdeff01a318bae48ef80ec680227_JaffaCakes118.exe | 2940 | 28 | 7
  2940 | internal345afdeff01a318bae48ef80ec680227_JaffaCakes118.exe | 2448 | 31 | 4
  2448 | cmd.exe | 1652 | 33 | 4
  Every write targets the writer's own direct child (compare the process tree below), which is what ordinary CreateProcess start-up looks like; no write goes to an unrelated process, so this signature on its own is not evidence of injection.
Processes
1. C:\Users\Admin\AppData\Local\Temp\345afdeff01a318bae48ef80ec680227_JaffaCakes118.exe  (PID 3048)
   command line: "C:\Users\Admin\AppData\Local\Temp\345afdeff01a318bae48ef80ec680227_JaffaCakes118.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\nsd123B.tmp\internal345afdeff01a318bae48ef80ec680227_JaffaCakes118.exe  (PID 2940)
      command line: C:\Users\Admin\AppData\Local\Temp\nsd123B.tmp\internal345afdeff01a318bae48ef80ec680227_JaffaCakes118.exe C:/Users/Admin/AppData/Local/Temp/nsd123B.tmp /baseInstaller='C:/Users/Admin/AppData/Local/Temp/345afdeff01a318bae48ef80ec680227_JaffaCakes118.exe' /fallbackfolder='C:/Users/Admin/AppData/Local/Temp/nsd123B.tmp/fallbackfiles/'
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe  (PID 2448)
         command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\9105.bat" "C:\Users\Admin\AppData\Local\Temp\D76DACEAE6134388904C531847B4EA93\""
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\PING.EXE  (PID 1652)
            command line: ping 127.0.0.1 -n 1 -w 1000
            - Runs ping.exe

Reading the tree: the ns<hex>.tmp unpack directory under %TEMP% is the one NSIS-built installer stubs create, so the top-level sample is a stub that unpacks and launches a second-stage installer, passing it its own path as /baseInstaller. The second stage hands a batch file (9105.bat) the path of the folder it later writes its log file to (see Downloads). The batch's only visible child is a single ping of 127.0.0.1 with -n 1 -w 1000, the common batch-file delay idiom; it is not host or network discovery, even though it trips the "Runs ping.exe" signature. What else 9105.bat does is not shown in the report.
Network

DNS lookups (resolver 8.8.8.8:53)
query | type | answer
t8u4n6u7.ssl.hwcdn.net | A | 205.185.208.154
c6m7w2m9.ssl.hwcdn.net | A | 205.185.208.154
fallback.playtech-installer.com | A | (no record returned)
log.web-installer-assets.com | A | (no record returned)

Flows
remote address | domain | protocol | process | sent | received | packets out | packets in
205.185.208.154:443 | t8u4n6u7.ssl.hwcdn.net | | internal345afdeff01a318bae48ef80ec680227_JaffaCakes118.exe | 152 B | | 3 |
205.185.208.154:80 | c6m7w2m9.ssl.hwcdn.net | | internal345afdeff01a318bae48ef80ec680227_JaffaCakes118.exe | 152 B | | 3 |
205.185.208.154:443 | c6m7w2m9.ssl.hwcdn.net | | internal345afdeff01a318bae48ef80ec680227_JaffaCakes118.exe | 104 B | | 2 |
205.185.208.154:443 | c6m7w2m9.ssl.hwcdn.net | | internal345afdeff01a318bae48ef80ec680227_JaffaCakes118.exe | 104 B | | 2 |
8.8.8.8:53 | t8u4n6u7.ssl.hwcdn.net | dns | | 68 B | 84 B | 1 | 1
8.8.8.8:53 | c6m7w2m9.ssl.hwcdn.net | dns | | 68 B | 84 B | 1 | 1
8.8.8.8:53 | fallback.playtech-installer.com | dns | internal345afdeff01a318bae48ef80ec680227_JaffaCakes118.exe | 77 B | 77 B | 1 | 1
8.8.8.8:53 | log.web-installer-assets.com | dns | internal345afdeff01a318bae48ef80ec680227_JaffaCakes118.exe | 74 B | 147 B | 1 | 1

No data came back on any of the four connections to 205.185.208.154, and the two non-CDN names (the fallback and log hosts the installer's own command line hints at) did not resolve, so the second stage never fetched a payload during this run. Treat the CDN hostnames as what the installer wanted to reach, not as proof of what it would have downloaded.
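As an added worked example (not part of the Triage report or its signature engine), the script below re-derives the behavioural signatures from the Processes section and the no-answer lookups from the Network section out of raw process-creation and DNS events, the way a detection rule over EDR telemetry would. The events are constructed from this report's process tree and DNS table; the parent PID 1000 for the top-level sample and the event field names are assumptions.

```python
"""Re-derive this report's behavioural signatures from raw process and DNS events.

Added example, not Triage's own signature engine. The event lists below are
constructed from the process tree and the DNS table in the report; the parent
PID of the top-level sample (1000) is an assumption, the report does not show it.
"""
import re
from dataclasses import dataclass, field
from typing import List

# NSIS installers unpack their payload into %TEMP%\ns<hex>.tmp\ before running it.
NSIS_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\ns[0-9a-z]+\.tmp\\", re.IGNORECASE)
# cmd /c "<path>.bat", tolerating the doubled quotes cmd.exe accepts.
CMD_BAT_RE = re.compile(r'cmd(?:\.exe)?\s+/c\s+"*([^"]+\.bat)', re.IGNORECASE)
# ping against loopback with explicit count/timeout: a batch-file delay, not discovery.
PING_SLEEP_RE = re.compile(r"ping(?:\.exe)?\s+127\.0\.0\.1\s+-n\s+(\d+)\s+-w\s+(\d+)", re.IGNORECASE)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class DnsEvent:
    query: str
    answers: List[str] = field(default_factory=list)


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = "345afdeff01a318bae48ef80ec680227_JaffaCakes118.exe"

# Constructed from the "Processes" section of the report.
PROCESSES = [
    ProcEvent(3048, 1000, rf"{TEMP}\{SAMPLE}", rf'"{TEMP}\{SAMPLE}"'),
    ProcEvent(2940, 3048, rf"{TEMP}\nsd123B.tmp\internal{SAMPLE}",
              rf"{TEMP}\nsd123B.tmp\internal{SAMPLE} C:/Users/Admin/AppData/Local/Temp/nsd123B.tmp "
              rf"/baseInstaller='C:/Users/Admin/AppData/Local/Temp/{SAMPLE}' "
              r"/fallbackfolder='C:/Users/Admin/AppData/Local/Temp/nsd123B.tmp/fallbackfiles/'"),
    ProcEvent(2448, 2940, r"C:\Windows\SysWOW64\cmd.exe",
              rf'cmd /c ""{TEMP}\9105.bat" "{TEMP}\D76DACEAE6134388904C531847B4EA93\""'),
    ProcEvent(1652, 2448, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1 -n 1 -w 1000"),
]

# Constructed from the "Network" section: two names resolved, two returned no A record.
DNS_LOG = [
    DnsEvent("t8u4n6u7.ssl.hwcdn.net", ["205.185.208.154"]),
    DnsEvent("c6m7w2m9.ssl.hwcdn.net", ["205.185.208.154"]),
    DnsEvent("fallback.playtech-installer.com"),
    DnsEvent("log.web-installer-assets.com"),
]


def ancestry(procs: List[ProcEvent], pid: int) -> List[int]:
    """Return the PID chain from the root of the observed tree down to `pid`."""
    by_pid = {p.pid: p for p in procs}
    chain = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid].ppid
    return chain[::-1]


def analyse(procs: List[ProcEvent], dns: List[DnsEvent]) -> dict:
    """Apply the four checks and return the matching PIDs / names per signature."""
    by_pid = {p.pid: p for p in procs}
    out = {"executes_dropped_exe": [], "dropped_exe_runs_batch": [],
           "ping_loopback_sleep": [], "dns_no_answer": []}
    for p in procs:
        parent = by_pid.get(p.ppid)
        # Executes dropped EXE: the image lives in an NSIS unpack directory.
        if NSIS_TEMP_RE.search(p.image):
            out["executes_dropped_exe"].append(p.pid)
        # The dropped EXE hands off to a batch file via cmd /c.
        m = CMD_BAT_RE.search(p.cmdline)
        if m and parent is not None and NSIS_TEMP_RE.search(parent.image):
            out["dropped_exe_runs_batch"].append((p.pid, m.group(1)))
        # Runs ping.exe: loopback ping under cmd.exe is the batch delay idiom.
        # -n is the echo count, -w the per-reply timeout in ms; loopback answers
        # at once, so "-n 1 -w 1000" is only a brief pause, not a one-second sleep.
        m = PING_SLEEP_RE.search(p.cmdline)
        if m and parent is not None and parent.image.lower().endswith("\\cmd.exe"):
            out["ping_loopback_sleep"].append((p.pid, int(m.group(1)), int(m.group(2))))
    # Names the installer asked for but could not resolve: candidate C2/telemetry hosts.
    for d in dns:
        if not d.answers:
            out["dns_no_answer"].append(d.query)
    return out


if __name__ == "__main__":
    for name, hits in analyse(PROCESSES, DNS_LOG).items():
        print(f"{name}: {hits}")
    print("chain to ping.exe:", " -> ".join(map(str, ancestry(PROCESSES, 1652))))
```

The parent-image conditions matter more than the regexes: a loopback ping or a cmd /c on its own is noise on any Windows host, while "ping under cmd under an executable in an ns*.tmp directory" is the specific chain this report records.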
MITRE ATT&CK Enterprise v15
Downloads
(path not shown in report)
  Size: 214B
  MD5: 739fcc7ba42b209fe44bea47e7a8c48f
  SHA1: bc7a448a7c018133edcf012bc94301623eb42c5b
  SHA256: 69017cdbbe68396f45e41d211b22d800cc1afc0eadbd3440873038585020315c
  SHA512: 2b2b130798b0f4e534626b9fb5deaa10bb1930e6700ac0ba7cf151c1bf3239039a7032ea67ceed86a4a4dbe981064c42a8e0f88fe8361e27002dd8ceb0ea767a

C:\Users\Admin\AppData\Local\Temp\D76DACEAE6134388904C531847B4EA93\D76DACEAE6134388904C531847B4EA93_LogFile.txt
  Size: 9KB
  MD5: a53d2bcd04a648af9e16c4ba860a32df
  SHA1: 5ae79c536c3e1e96eef960fa47d65092a6fa29f4
  SHA256: 7ec4c3368fb3c3921b42a3a0245f6612892702c0babcdd1ac3471d2985b82c97
  SHA512: 3ce1ded8435f66ab0e78d7dd89bb1532571fd18b7c5621f59ef7074ace98732d47ae5f535af2e48c3dbd8d1432b1c6ee7e460f1a18bafc3221fe8d0d513b7724

(path not shown in report)
  Size: 103KB
  MD5: d739fe4a044870c8457cc7df27b8293a
  SHA1: e90fd4c9f230100f40e59baf1762f2decefd2da5
  SHA256: 9348073b0bc758adfc383c29efbc46c112dbcba1d0a0525e6739ee6cec01f6d6
  SHA512: e5d285ea312c623c32b993f8656e7e3732d5dea3e0dbcf65ce5040bd0edf8a949e63d13fe609953aa588591b05580758cfc872d16eb62029c2939886df2c739f

C:\Users\Admin\AppData\Local\Temp\nsd123B.tmp\internal345afdeff01a318bae48ef80ec680227_JaffaCakes118_icon.ico
  Size: 11KB
  MD5: 592abe695d3fb84c8a7589b0d2553a97
  SHA1: d70d6de6fa25ca1924bd02b84075ee94f3870133
  SHA256: ed59d25e5daf4e4c89c09a4c829ac4d12f1b0e258d167760a07bce6266cebda0
  SHA512: a8c09f8f35790a0bcf4b69ffa7f26eb60b8e14394ecef6a63c1776e538eb749251545dda48f6a7243c91d9779d24b4d774b39dbd966d32e5fa39071fff9a0978

C:\Users\Admin\AppData\Local\Temp\nsd123B.tmp\internal345afdeff01a318bae48ef80ec680227_JaffaCakes118_splash.png
  Size: 136KB
  MD5: 0a8589de904eec91522c276d896216c4
  SHA1: 58ba5e9158c3afa3c3112fe1e24567996794c07e
  SHA256: 496d42e72d7c57969f584849a8f7366783afd39862f7f71b59d78b723225cd55
  SHA512: bea912ebc889e6444532beacbe562038b78c918dff9bfa16d7d9a15e25f52ce90e93a6736636926ef7d45e65eb8f73da92149e3188cf5a4b78a8d248b3b0d9fd

\Users\Admin\AppData\Local\Temp\nsd123B.tmp\internal345afdeff01a318bae48ef80ec680227_JaffaCakes118.exe
  Size: 1.8MB
  MD5: 77bfacca17ee1d89833b57f3a746d9a0
  SHA1: aa9490c913489c5eafd02f67f875efcb56d23036
  SHA256: 38571b0965110d07c6fbf4813ab628d4017cf52c681c457fb3f184b644fb0b52
  SHA512: 21ecc2fce94a58cd39127964730b01722b9dafa20d3af65b023fe83188c08211ba1324849513ffc10b6a359737f98c4d06770dc1954f8880daff938a06581e6f