Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 121s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 31/05/2024, 20:13
Static task
- static1
Behavioral task
- behavioral1: sample 8836a52aa23cff25eecc6ec8a2dafb5f_JaffaCakes118.exe, resource win7-20240221-en
- behavioral2: sample 8836a52aa23cff25eecc6ec8a2dafb5f_JaffaCakes118.exe, resource win10v2004-20240508-en
- behavioral3: sample $_3_.exe, resource win7-20240220-en
- behavioral4: sample $_3_.exe, resource win10v2004-20240508-en
General
- Target: $_3_.exe
- Size: 1.7MB
- MD5: d4c16982f8a834bc0f8028b45c3ae543
- SHA1: 9d9cec9af8f23a23521e20d48d9af1024663a4a7
- SHA256: 932badf8ce27381bd595c9d861d7f7142fe98f233a893a2003a5f5e5ec163b3b
- SHA512: c94b8d978afac107c08a5405cf9510e48d4bcf1284292eee1d08898f1c7a43a83a9655dc4d85d27d3b825e45a8f136c7beb71405fab94bb5e2437b7c4ad44b5c
- SSDEEP: 49152:n7mrmYPoEHVGTWFkO4ITVpSuEqM/vrM3rA3SuN5:km2Z12WFYFVf
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Runs ping.exe (1 TTPs, 1 IoCs)
  pid 2056, process PING.EXE
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid 1948, process $_3_.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid 1948, process $_3_.exe
  pid 1948, process $_3_.exe
  pid 1948, process $_3_.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description: PID 1948 wrote to memory of 2904; pid 1948; process $_3_.exe; procid_target 30
  description: PID 1948 wrote to memory of 2904; pid 1948; process $_3_.exe; procid_target 30
  description: PID 1948 wrote to memory of 2904; pid 1948; process $_3_.exe; procid_target 30
  description: PID 1948 wrote to memory of 2904; pid 1948; process $_3_.exe; procid_target 30
  description: PID 2904 wrote to memory of 2056; pid 2904; process cmd.exe; procid_target 32
  description: PID 2904 wrote to memory of 2056; pid 2904; process cmd.exe; procid_target 32
  description: PID 2904 wrote to memory of 2056; pid 2904; process cmd.exe; procid_target 32
  description: PID 2904 wrote to memory of 2056; pid 2904; process cmd.exe; procid_target 32
Processes
- C:\Users\Admin\AppData\Local\Temp\$_3_.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\$_3_.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1948
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\10759.bat" "C:\Users\Admin\AppData\Local\Temp\D06C433B9A2146C293B2D9D21D6EB9B0\""
    - Suspicious use of WriteProcessMemory
    PID: 2904
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 1.1.1.1 -n 1 -w 1000
      - Runs ping.exe
      PID: 2056
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 544B
  MD5: 8b155c14e73556d2437d4581491d0008
  SHA1: 7217aaa857a3d4a9058d5139609f1937c066c5e0
  SHA256: 962d64385f9ed5f5e179e54fa26a3145a40305669221d0b06c72160f82619b05
  SHA512: b9b457f3566a54c7978301f2b8746c437c720dde35c7168996a33da9c4ecd685751aec634fb9f8316ef149fa2613ed4bd08e09d37d7e76b9caad4026cb3a32fc
- Filesize: 212B
  MD5: 668767f1e0c7ff2b3960447e259e9f00
  SHA1: 32d8abf834cce72f5e845175a0af2513b00504d8
  SHA256: cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d
  SHA512: c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680
- C:\Users\Admin\AppData\Local\Temp\D06C433B9A2146C293B2D9D21D6EB9B0\D06C433B9A2146C293B2D9D21D6EB9B0_LogFile.txt
  Filesize: 4KB
  MD5: 9a892a63bfffe3e9ca96fff3a0848fea
  SHA1: 1b3745af75f8484d6fe5aa8dbc8c465f3d11e620
  SHA256: 4fa3bc79bf3e9f7c477168fb640aea4d7376a7038029cf371b85eefc56161120
  SHA512: 5954c8596edcbdbf29ead07923b6615cc1929bcb29c589c37bc980c3742d599ca0c095342953bcc173b09d636784fa35ac593249749b1a4928146ed89abe0216
- Filesize: 28KB
  MD5: 2d1700684046e09801f9827398ec1707
  SHA1: 1ef535ccdfd9a18ad96445eb79150d3f389303a3
  SHA256: 2aed9af7288aed2e2f565ea017e58f97936079effa672dd18ef5827b6bfdb27a
  SHA512: 2a2b4e2a6defd0cc8fd2a3b46d9d3c8881bc1719efacce8dac8bf540d3e38a988e34e1206800b1d82cdca323176bc1afc894e41abe6029a514b9d4d0a752beaf