Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 143s
max time network: 124s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 20/06/2024, 03:56
Static task: static1
Behavioral task: behavioral1
  Sample: 029a591fb87c8ebbd7588414b7a03f9d_JaffaCakes118.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 029a591fb87c8ebbd7588414b7a03f9d_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: 029a591fb87c8ebbd7588414b7a03f9d_JaffaCakes118.exe
Size: 691KB
MD5: 029a591fb87c8ebbd7588414b7a03f9d
SHA1: 1902c03277aa90fd50e79985c8d3e0c03662f72e
SHA256: 7350461a9be443ef4cf08a9c303c13a08c12cc0b90fc15f71840f05565aa52f2
SHA512: 85f0743d447d3e5e36403a66c883698961ef0eab28ca747f1a683dfc2ebb57b953eba6050268ca6c3477f7f977fafd738487af42897927afa89c60064cbadbf2
SSDEEP: 12288:W6SUiOOt9+jCe2v3Qn4W/bLqt79BC5erwUZ8WpwJF3Z4mxxUDqVTVOCA:W6Sht9yCe2K5vqJC5erwfW6JQmXDVTzA
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
  pid 2768  3.exe
  pid 2548  Hacker.com.cn.exe
Loads dropped DLL (2 IoCs)
  pid 2368  029a591fb87c8ebbd7588414b7a03f9d_JaffaCakes118.exe
  pid 2368  029a591fb87c8ebbd7588414b7a03f9d_JaffaCakes118.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  Process: 029a591fb87c8ebbd7588414b7a03f9d_JaffaCakes118.exe
Drops file in Windows directory (3 IoCs)
  File created: C:\Windows\Hacker.com.cn.exe  (3.exe)
  File opened for modification: C:\Windows\Hacker.com.cn.exe  (3.exe)
  File created: C:\Windows\uninstal.bat  (3.exe)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  pid 2768  3.exe
  Token: SeDebugPrivilege  pid 2548  Hacker.com.cn.exe
Suspicious use of FindShellTrayWindow (1 IoCs)
  pid 2548  Hacker.com.cn.exe
Suspicious use of WriteProcessMemory (15 IoCs)
  PID 2368 (029a591fb87c8ebbd7588414b7a03f9d_JaffaCakes118.exe) wrote to memory of 2768, procid_target 28  (x4)
  PID 2548 (Hacker.com.cn.exe) wrote to memory of 1672, procid_target 30  (x4)
  PID 2768 (3.exe) wrote to memory of 2552, procid_target 31  (x7)
Processes
- C:\Users\Admin\AppData\Local\Temp\029a591fb87c8ebbd7588414b7a03f9d_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\029a591fb87c8ebbd7588414b7a03f9d_JaffaCakes118.exe"
  PID: 2368
  Loads dropped DLL; Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3.exe
    PID: 2768
    Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c C:\Windows\uninstal.bat
      PID: 2552
- C:\Windows\Hacker.com.cn.exe
  Command line: C:\Windows\Hacker.com.cn.exe
  PID: 2548
  Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
  - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
    PID: 1672
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 150B
  MD5: 67e4ea2c3e65d3236c8266b9c116f67f
  SHA1: 7e87f925ccd68b2b7c9af9f92e118db1990234f9
  SHA256: 2dff6c390d03870cec06d16fe0191475fb87ad2330b78d03c15e7ff0bed8f00c
  SHA512: 1a3cf0443e932b9b57f32531b3d61c917b9eec19a4ba73336011041e16a0022c5e62b2c768b34a0bdc08ffd75bbaa0338719577001496c9de8a5638420b0a229
- Filesize: 777KB
  MD5: 4ceb88b18a18bf88197d6c9032c565ba
  SHA1: 33492b16a638a794be51c1331a97c13e94bc7f04
  SHA256: 64a1b05197833f8af011c935b46c41addb9d4d23c89e63a9a5d9c99a93bf2c54
  SHA512: 5e79db8e46c1796f7fb859253c98ab550c9d69e78c0c8429cfdb1d8c542a076435af23507e836167a4d37b42ae2476f13c39ae9da3bce1082f4120f71e8d5929