Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
  max time kernel: 117s
  max time network: 118s
  platform: windows7_x64
  resource: win7-20240221-en
  resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  submitted: 20/06/2024, 02:19
Behavioral task behavioral1
  Sample: 01fd9f49d6a03aeef2b20712164d3306_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task behavioral2
  Sample: 01fd9f49d6a03aeef2b20712164d3306_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
  Target: 01fd9f49d6a03aeef2b20712164d3306_JaffaCakes118.exe
  Size: 86KB
  MD5: 01fd9f49d6a03aeef2b20712164d3306
  SHA1: 79f87b61e5b765d3a2ad40bf8f94a85eb319269e
  SHA256: fc4761303f787dc0aaff34c1d6864e5855b9bf3ba7029f6021ee078f280ac428
  SHA512: cc98aff64384c3b59fbe8cc9f418c55518c297606b4c3d22256ef38213644eee3ee30fdc2d72d8b6496c673117e45a228a362ddf8031b3709edf3d8e5c0f98dc
  SSDEEP: 1536:YuMyiWMPfQSiy6kWLVvBOQ+ptrblnouy8:tSW+fQSIkQVv8QGJ9out
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid   Process
  2384  SiZhu.exe

Loads dropped DLL (2 IoCs)
  pid   Process
  2196  01fd9f49d6a03aeef2b20712164d3306_JaffaCakes118.exe
  2196  01fd9f49d6a03aeef2b20712164d3306_JaffaCakes118.exe

  resource                                                                     yara_rule
  behavioral1/memory/2196-0-0x0000000000400000-0x0000000000429000-memory.dmp   upx
  behavioral1/files/0x0033000000015cec-3.dat                                   upx
  behavioral1/memory/2196-5-0x0000000002E10000-0x0000000002E39000-memory.dmp   upx
  behavioral1/memory/2384-11-0x0000000000400000-0x0000000000429000-memory.dmp  upx
  behavioral1/memory/2384-23-0x0000000000400000-0x0000000000429000-memory.dmp  upx
  behavioral1/memory/2196-24-0x0000000000400000-0x0000000000429000-memory.dmp  upx

Enumerates connected drives (3 TTPs, 2 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc     Process
  File opened (read-only)  \??\E:  01fd9f49d6a03aeef2b20712164d3306_JaffaCakes118.exe
  File opened (read-only)  \??\H:  01fd9f49d6a03aeef2b20712164d3306_JaffaCakes118.exe

Drops file in System32 directory (3 IoCs)
  description                   ioc                            Process
  File opened for modification  C:\Windows\SysWOW64\SiZhu.exe  01fd9f49d6a03aeef2b20712164d3306_JaffaCakes118.exe
  File created                  C:\Windows\SysWOW64\SiZhu.exe  01fd9f49d6a03aeef2b20712164d3306_JaffaCakes118.exe
  File opened for modification  C:\Windows\SysWOW64\SiZhu.exe  SiZhu.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  2196  01fd9f49d6a03aeef2b20712164d3306_JaffaCakes118.exe
  2384  SiZhu.exe

Suspicious behavior: LoadsDriver (2 IoCs)
  pid  Process
  480  Process not Found
  480  Process not Found

Suspicious use of WriteProcessMemory (8 IoCs)
  description                        pid   Process                                              procid_target
  PID 2196 wrote to memory of 2384   2196  01fd9f49d6a03aeef2b20712164d3306_JaffaCakes118.exe  28
  PID 2196 wrote to memory of 2384   2196  01fd9f49d6a03aeef2b20712164d3306_JaffaCakes118.exe  28
  PID 2196 wrote to memory of 2384   2196  01fd9f49d6a03aeef2b20712164d3306_JaffaCakes118.exe  28
  PID 2196 wrote to memory of 2384   2196  01fd9f49d6a03aeef2b20712164d3306_JaffaCakes118.exe  28
  PID 2384 wrote to memory of 2824   2384  SiZhu.exe                                            29
  PID 2384 wrote to memory of 2824   2384  SiZhu.exe                                            29
  PID 2384 wrote to memory of 2824   2384  SiZhu.exe                                            29
  PID 2384 wrote to memory of 2824   2384  SiZhu.exe                                            29
Processes
1. C:\Users\Admin\AppData\Local\Temp\01fd9f49d6a03aeef2b20712164d3306_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\01fd9f49d6a03aeef2b20712164d3306_JaffaCakes118.exe"
   PID: 2196
   - Loads dropped DLL
   - Enumerates connected drives
   - Drops file in System32 directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\SiZhu.exe
      Command line: C:\Windows\system32\SiZhu.exe SiZhu
      PID: 2384
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe
         Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\~SiGou.bat
         PID: 2824
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 130B
  MD5: 05f52e759c787bfbf843ba36ccf734a2
  SHA1: 2d81a279dd24a320a62d184fec747ca5f70570ee
  SHA256: 4c9b671f2169b55c0265974d2d618e9e03060a0664da88c05ea580be9eb2a7a9
  SHA512: efcbce3fbcb8a0e22d4b41bfcf7afe73e5dd1bf4ceded4892fdd060e993dcf7c3930c989b6eb4fe1b690ced1f70a0e9ef75dfe6b5e2a61f9be14ef9169c6d172

  Filesize: 86KB
  MD5: 01fd9f49d6a03aeef2b20712164d3306
  SHA1: 79f87b61e5b765d3a2ad40bf8f94a85eb319269e
  SHA256: fc4761303f787dc0aaff34c1d6864e5855b9bf3ba7029f6021ee078f280ac428
  SHA512: cc98aff64384c3b59fbe8cc9f418c55518c297606b4c3d22256ef38213644eee3ee30fdc2d72d8b6496c673117e45a228a362ddf8031b3709edf3d8e5c0f98dc