Analysis
- max time kernel: 120s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 17/05/2024, 14:29
Static task
- static1
Behavioral task
- behavioral1
  Sample: 4ffe3388b01c4fa555d1a55142c92005_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task
- behavioral2
  Sample: 4ffe3388b01c4fa555d1a55142c92005_JaffaCakes118.exe
  Resource: win10v2004-20240426-en
General
- Target: 4ffe3388b01c4fa555d1a55142c92005_JaffaCakes118.exe
- Size: 470KB
- MD5: 4ffe3388b01c4fa555d1a55142c92005
- SHA1: 6ec41d56022c76b243e04a20be15c0e5c8211da6
- SHA256: 11ee054b9e93898ca9a4541f24980593640babda22bf014fb08ccc9f574fdb22
- SHA512: f66d88996309258141a3dc8947f649b64a25d2a1e5d83f3ee805507e39d47b8138bc246aa7489cf616c411105e6426b3b21754bfc6bc8ebb72e85827fd562f4b
- SSDEEP: 6144:1CMmrKJ1uRdEcZ/vkiR8hozHiFNzsPNvCVieCtqkOSnd509p1q57FFLNn8x:1l7cZ/vFRfew9amnO4D09pi7Ff8x
Malware Config
Signatures
- Deletes itself (1 IoCs)
  pid | Process
  3032 | cmd.exe
- Runs ping.exe (1 TTPs, 1 IoCs)
  pid | Process
  1468 | PING.EXE
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 2212 wrote to memory of 3032 | 2212 | 4ffe3388b01c4fa555d1a55142c92005_JaffaCakes118.exe | 30
  PID 2212 wrote to memory of 3032 | 2212 | 4ffe3388b01c4fa555d1a55142c92005_JaffaCakes118.exe | 30
  PID 2212 wrote to memory of 3032 | 2212 | 4ffe3388b01c4fa555d1a55142c92005_JaffaCakes118.exe | 30
  PID 2212 wrote to memory of 3032 | 2212 | 4ffe3388b01c4fa555d1a55142c92005_JaffaCakes118.exe | 30
  PID 3032 wrote to memory of 1468 | 3032 | cmd.exe | 32
  PID 3032 wrote to memory of 1468 | 3032 | cmd.exe | 32
  PID 3032 wrote to memory of 1468 | 3032 | cmd.exe | 32
  PID 3032 wrote to memory of 1468 | 3032 | cmd.exe | 32
Processes
- C:\Users\Admin\AppData\Local\Temp\4ffe3388b01c4fa555d1a55142c92005_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4ffe3388b01c4fa555d1a55142c92005_JaffaCakes118.exe"
  PID: 2212
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\4ffe3388b01c4fa555d1a55142c92005_JaffaCakes118.exe"
    PID: 3032
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 1.1.1.1 -n 1 -w 3000
      PID: 1468
      - Runs ping.exe