Analysis
max time kernel: 149s
max time network: 149s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 03/06/2024, 05:16
Static task: static1
Behavioral task: behavioral1
Sample: 90a735151a77588219846f19ab4cff23_JaffaCakes118.vbs
Resource: win7-20240508-en
Behavioral task: behavioral2
Sample: 90a735151a77588219846f19ab4cff23_JaffaCakes118.vbs
Resource: win10v2004-20240508-en
General
Target: 90a735151a77588219846f19ab4cff23_JaffaCakes118.vbs
Size: 13KB
MD5: 90a735151a77588219846f19ab4cff23
SHA1: ccca632ea7f4c30f5e7775bd6965b798a3ffcaf0
SHA256: f0bf52dc1164a874bda22dabcc5ee73d370b411ea1152d62ea7a6d0e1e2e455e
SHA512: beabd1f5575f1e8e748db7b1aca482ce3b676fcf8113b55604bdf1bd950a7ecc6963d424f00f834ce4b1608aaa5bad391c66ec00dccffeda8a61a8944ff140ad
SSDEEP: 384:EDzzVqiGagRYwZSFFOECXCghDSHXWmZg1r+9f7qN:szxqagRYwZSGECXCgMmsgV/N
Malware Config
Signatures

Drops startup file (2 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\90a735151a77588219846f19ab4cff23_JaffaCakes118.vbs | WScript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\90a735151a77588219846f19ab4cff23_JaffaCakes118.vbs | wscript.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\90a735151a77588219846f19ab4cff23_JaffaCakes118 = "wscript.exe //B \"C:\\ProgramData\\90a735151a77588219846f19ab4cff23_JaffaCakes118.vbs\"" | WScript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\90a735151a77588219846f19ab4cff23_JaffaCakes118 = "wscript.exe //B \"C:\\ProgramData\\90a735151a77588219846f19ab4cff23_JaffaCakes118.vbs\"" | wscript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\90a735151a77588219846f19ab4cff23_JaffaCakes118 = "wscript.exe //B \"C:\\ProgramData\\90a735151a77588219846f19ab4cff23_JaffaCakes118.vbs\"" | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\90a735151a77588219846f19ab4cff23_JaffaCakes118 = "wscript.exe //B \"C:\\ProgramData\\90a735151a77588219846f19ab4cff23_JaffaCakes118.vbs\"" | WScript.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 2036 wrote to memory of 2788 | 2036 | WScript.exe | 28
PID 2036 wrote to memory of 2788 | 2036 | WScript.exe | 28
PID 2036 wrote to memory of 2788 | 2036 | WScript.exe | 28
Processes

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\90a735151a77588219846f19ab4cff23_JaffaCakes118.vbs"
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID: 2036

  C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\ProgramData\90a735151a77588219846f19ab4cff23_JaffaCakes118.vbs"
  - Drops startup file
  - Adds Run key to start application
  PID: 2788

Network
MITRE ATT&CK Enterprise v15