Analysis
- max time kernel: 121s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 22/05/2024, 04:16
Static task
- static1
Behavioral tasks
- behavioral1
  Sample: 65f873803715af67ab51efb7075e74d5_JaffaCakes118.exe
  Resource: win7-20240221-en
- behavioral2
  Sample: 65f873803715af67ab51efb7075e74d5_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
- behavioral3
  Sample: $_3_.exe
  Resource: win7-20240508-en
- behavioral4
  Sample: $_3_.exe
  Resource: win10v2004-20240508-en
General
- Target: $_3_.exe
- Size: 1.8MB
- MD5: 799caa8125d22c36004c2a67fcacffa4
- SHA1: eadd26fa7f4b437d3e9fdd24f937ca2e8a212654
- SHA256: 29745a486c04a8a2766814c5e0fb752a8dbc7b384a63e398d7262b315a8d49b5
- SHA512: 7c5d7dc18bf735bd4bf4452c850cc6fb4d3c98d9aa32a9873a4ca43349b6622b599452ee3b71ca07298e2d5aba58ece92815e74574ca1b56abaf7e99ebb4f8c2
- SSDEEP: 49152:aSNY8H0ZGF5j51XdQTPRPgo/x1NslvUOl/WkMWA:hY00Z8F1XdU
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Runs ping.exe (1 TTPs, 1 IoCs)
  pid | Process
  468 | PING.EXE
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid | Process
  2060 | $_3_.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid | Process
  2060 | $_3_.exe
  2060 | $_3_.exe
  2060 | $_3_.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 2060 wrote to memory of 872 | 2060 | $_3_.exe | 30
  PID 2060 wrote to memory of 872 | 2060 | $_3_.exe | 30
  PID 2060 wrote to memory of 872 | 2060 | $_3_.exe | 30
  PID 2060 wrote to memory of 872 | 2060 | $_3_.exe | 30
  PID 872 wrote to memory of 468 | 872 | cmd.exe | 32
  PID 872 wrote to memory of 468 | 872 | cmd.exe | 32
  PID 872 wrote to memory of 468 | 872 | cmd.exe | 32
  PID 872 wrote to memory of 468 | 872 | cmd.exe | 32
Processes
- C:\Users\Admin\AppData\Local\Temp\$_3_.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\$_3_.exe"
  PID: 2060
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\5197.bat" "C:\Users\Admin\AppData\Local\Temp\B6D41BF7D182489995EFEC4265BFD9AB\""
    PID: 872
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1 -n 1 -w 1000
      PID: 468
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 214B
  MD5: 739fcc7ba42b209fe44bea47e7a8c48f
  SHA1: bc7a448a7c018133edcf012bc94301623eb42c5b
  SHA256: 69017cdbbe68396f45e41d211b22d800cc1afc0eadbd3440873038585020315c
  SHA512: 2b2b130798b0f4e534626b9fb5deaa10bb1930e6700ac0ba7cf151c1bf3239039a7032ea67ceed86a4a4dbe981064c42a8e0f88fe8361e27002dd8ceb0ea767a
- C:\Users\Admin\AppData\Local\Temp\B6D41BF7D182489995EFEC4265BFD9AB\B6D41BF7D182489995EFEC4265BFD9AB_LogFile.txt
  Filesize: 9KB
  MD5: 9a664156644c5b6a30090e04dc487e33
  SHA1: c94533ef67d5b50654edf616878df3dc70a0f5b6
  SHA256: 77d527509d304efff903a02d9718bebb29997ad53a435892b690ea4c4b953de3
  SHA512: 4c2e9cb3c537726f064fccbcb0b6b0de59ad9b0ea545ae14cfd8a637e3481fd65ce5a640765716e9b561a4da566c784fb29381e4987a0e1bc79b16a95aaec257
- Filesize: 111KB
  MD5: d6bd87ff1d141c719e6f3468bf1dec01
  SHA1: 7eb7f6a3dc424e7c669f4755bd36d3cecff71a48
  SHA256: 88dc1a5f183d9e14718c1212640711bb7a61f24cae415a576bfc5bedeb37b67e
  SHA512: 5b52f5ed4303dbf309b62ea4fe254582ef46a7746106db46fa15f95e2cb59520eac0b08a17053f093a9e45db54b86786ab2c9697962334946b30354c952f4ecb