Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 13/06/2024, 04:30
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: a3d28bbd0b2f5f2347f7113713655a36_JaffaCakes118.exe
  Resource: win7-20240419-en
- Behavioral task: behavioral2
  Sample: a3d28bbd0b2f5f2347f7113713655a36_JaffaCakes118.exe
  Resource: win10v2004-20240611-en
General
- Target: a3d28bbd0b2f5f2347f7113713655a36_JaffaCakes118.exe
- Size: 296KB
- MD5: a3d28bbd0b2f5f2347f7113713655a36
- SHA1: 95b01da3e88c7431ef90d8dae712f499ce4bf349
- SHA256: 8e2aa6984e3a2000d4bbb71717233a8160f526b22eff47c950e148e567f360ed
- SHA512: 48f59d844d2ca3c86f19ed14679a44f911d49478cdf0587d43d805c4e5e03ffa5429a8c9b1ab2c160104e02a5471ef8edc26f713229b1bf455b48a2742d507be
- SSDEEP: 6144:Y0bxAZut+anmcqHuk2gGaK46ynMqyzdwoiUN1SpQM:tNAZ18mVOk2AQJN0Z
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 2484, process cmd.exe
- Executes dropped EXE (1 IoC)
  pid 1444, process zyov.exe
- Loads dropped DLL (2 IoCs)
  pid 1008, process a3d28bbd0b2f5f2347f7113713655a36_JaffaCakes118.exe (2 identical entries)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zyov = "C:\\Users\\Admin\\AppData\\Roaming\\Ipbahy\\zyov.exe"
  process: zyov.exe
- Suspicious use of SetThreadContext (1 IoC)
  PID 1008 (a3d28bbd0b2f5f2347f7113713655a36_JaffaCakes118.exe) set thread context of 2484 (procid_target 29)
- Suspicious behavior: EnumeratesProcesses (29 IoCs)
  pid 1444, process zyov.exe (29 identical entries)
- Suspicious use of WriteProcessMemory (33 IoCs)
  source PID | source process | target PID | procid_target | entries
  1008 | a3d28bbd0b2f5f2347f7113713655a36_JaffaCakes118.exe | 1444 | 28 | 4
  1444 | zyov.exe | 1036 | 17 | 5
  1444 | zyov.exe | 1064 | 18 | 5
  1444 | zyov.exe | 1116 | 20 | 5
  1444 | zyov.exe | 1008 | 27 | 5
  1008 | a3d28bbd0b2f5f2347f7113713655a36_JaffaCakes118.exe | 2484 | 29 | 9
Processes
- C:\Windows\system32\Dwm.exe  "C:\Windows\system32\Dwm.exe"  PID:1036
- C:\Windows\system32\taskhost.exe  "taskhost.exe"  PID:1064
- C:\Windows\Explorer.EXE  C:\Windows\Explorer.EXE  PID:1116
  - C:\Users\Admin\AppData\Local\Temp\a3d28bbd0b2f5f2347f7113713655a36_JaffaCakes118.exe  "C:\Users\Admin\AppData\Local\Temp\a3d28bbd0b2f5f2347f7113713655a36_JaffaCakes118.exe"  PID:1008
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Ipbahy\zyov.exe  "C:\Users\Admin\AppData\Roaming\Ipbahy\zyov.exe"  PID:1444
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\VUP2799.bat"  PID:2484
      - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 267B
  MD5: ea03e3af3cd85e601242c1fa7a57eb17
  SHA1: 973c77f82b44116de152e4134dbe8e1f3ac3706c
  SHA256: ff6ad21b96d4f38fe09ff0c23ac54590d956e5be9db2df88cd40767b66d957f8
  SHA512: 121bf2fb7e6b56864c29ff149f8cc12440e3899b6abd596ea6ee98b2f6679ec38fd4c2ee6594c38ca76421d0cdf69257091d3509f93184fe4b75eac338ab6b5d
- Filesize: 296KB
  MD5: 0cad14653c713f1aa305a48097a146d9
  SHA1: 9c75d1675fd6beacf1c449b909680d5278b94191
  SHA256: a0ee91feaaccfe8f6695b7212072b4c2f6b3737d73c04c783479618bb87a0d35
  SHA512: b1ec36fd1749bf53210addbc7f44a8c8706412f00d781d14109f73dea55cbe4d925295048127fd9e6c4069aed3bc2c1e4a3e692a53b83b4debb895eca868ef6a