Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 117s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 01/06/2024, 18:44
Static task: static1
Behavioral task: behavioral1
  Sample: 8b66691a3a6c87d11d4964c8fd32b90b_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 8b66691a3a6c87d11d4964c8fd32b90b_JaffaCakes118.exe
  Resource: win10v2004-20240426-en
General
Target: 8b66691a3a6c87d11d4964c8fd32b90b_JaffaCakes118.exe
Size: 1.6MB
MD5: 8b66691a3a6c87d11d4964c8fd32b90b
SHA1: 49816c72fab22b7a4b6ca59247fea2a9f528689e
SHA256: aea377d46329bf15cb26702e69b2c892740a1e1f1bd6656a9cb15e04f85c5dd5
SHA512: 6a4cede2217072daaf1a0a0a5945346c2fa5ccf576da7d3879f1263995e1e8a39d5cac7fc54fcf3fecef93a507f8715648158afc86dafdc4e7da8bd4db3abba6
SSDEEP: 49152:HZgu8rAi+3USz3h1/XBkThdTlpSuxQxN9dT4S9R:HGIjR1Oh0Td
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Runs ping.exe (1 TTPs, 1 IoCs)
  pid   Process
  3024  PING.EXE
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid   Process
  2032  8b66691a3a6c87d11d4964c8fd32b90b_JaffaCakes118.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid   Process
  2032  8b66691a3a6c87d11d4964c8fd32b90b_JaffaCakes118.exe
  2032  8b66691a3a6c87d11d4964c8fd32b90b_JaffaCakes118.exe
  2032  8b66691a3a6c87d11d4964c8fd32b90b_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                       pid   Process                                             procid_target
  PID 2032 wrote to memory of 1832  2032  8b66691a3a6c87d11d4964c8fd32b90b_JaffaCakes118.exe  30
  PID 2032 wrote to memory of 1832  2032  8b66691a3a6c87d11d4964c8fd32b90b_JaffaCakes118.exe  30
  PID 2032 wrote to memory of 1832  2032  8b66691a3a6c87d11d4964c8fd32b90b_JaffaCakes118.exe  30
  PID 2032 wrote to memory of 1832  2032  8b66691a3a6c87d11d4964c8fd32b90b_JaffaCakes118.exe  30
  PID 1832 wrote to memory of 3024  1832  cmd.exe                                             32
  PID 1832 wrote to memory of 3024  1832  cmd.exe                                             32
  PID 1832 wrote to memory of 3024  1832  cmd.exe                                             32
  PID 1832 wrote to memory of 3024  1832  cmd.exe                                             32
Processes
C:\Users\Admin\AppData\Local\Temp\8b66691a3a6c87d11d4964c8fd32b90b_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\8b66691a3a6c87d11d4964c8fd32b90b_JaffaCakes118.exe"
  PID: 2032
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\11626.bat" "C:\Users\Admin\AppData\Local\Temp\D163B4BC9E49409F841C17D43C9AF9EC\""
    PID: 1832
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE
      command line: ping 1.1.1.1 -n 1 -w 1000
      PID: 3024
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 212B
MD5: 668767f1e0c7ff2b3960447e259e9f00
SHA1: 32d8abf834cce72f5e845175a0af2513b00504d8
SHA256: cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d
SHA512: c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

C:\Users\Admin\AppData\Local\Temp\D163B4BC9E49409F841C17D43C9AF9EC\D163B4BC9E49409F841C17D43C9AF9EC_LogFile.txt
Filesize: 2KB
MD5: 05073b68b61997ab5e4ab056055b8323
SHA1: 4bb897d1cb81631904c8d0c196c3735db13933cb
SHA256: ec5eccd2c8d3f6bfe3cb0717964563b733b09141fa85be66960ba0d57423aff7
SHA512: cf7d601b99a53c326793ae01b9295e67e2d001f43a32cf819bcb7178ae392fc680c28944f8434a447b52e4fb39f01990eb2fa6e7bfa0e22459d39df0f6acaef2

C:\Users\Admin\AppData\Local\Temp\D163B4BC9E49409F841C17D43C9AF9EC\D163B4BC9E49409F841C17D43C9AF9EC_LogFile.txt
Filesize: 9KB
MD5: 5366c03b42f3a5ddb268525b8d5eccc8
SHA1: 9fe03f22d17977a606d5f7030475f337c6c02f9e
SHA256: 0d4e938c51bf8437b61dc5752838b5171bbc8cfa92aa6740f3c3d45ad80d7802
SHA512: 93c5f3938c50a50e94406c481f9c2ec9fe3a13225f7ad4fb657b23468e21ec76eaf555fd4b8ae613aa48e4591be3cc8a22635c1640b9e1defef8d0e95c9b782d

C:\Users\Admin\AppData\Local\Temp\D163B4BC9E49409F841C17D43C9AF9EC\D163B4BC9E49409F841C17D43C9AF9EC_LogFile.txt
Filesize: 670B
MD5: 6bb94fa36725316e4e165f81308ff323
SHA1: 2e10811a97d1ed4f7945e13b89142830805b52da
SHA256: 9d8a5529701a318f68e3cac12c9692a890fe65c8580d7eae32f804962192a2a8
SHA512: 2a58859b9c0b90e509fa349bb275951c226c9cf53cc21eeb60f49484d52fb4ffd86cd2c586fcd54fdee885b4e5ce748854c4adb46e6d3d401444cf8670072632

Filesize: 101KB
MD5: f239f666c474ddfe326eb9a5da65b1dc
SHA1: 45902771ba56ddb7435b759a76fc16c1c0ea05c7
SHA256: 232516659ef6070f8d2f3a9ff5fecdf1e9106d086829464d63f1b2522b4d4712
SHA512: bef0c39c59b414d2f849b4bed9eeabe46d13cb495ba2e3646514fdd3b597eadfe26084544359d25460a62d17637e4a283872edbe6fcbfb9849f9befaaf88b89d