Analysis
max time kernel: 140s
max time network: 120s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 20/06/2024, 04:23
Static task: static1
Behavioral task: behavioral1
  Sample: 02c5b014c1f35449be73aa3989aa9752_JaffaCakes118.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 02c5b014c1f35449be73aa3989aa9752_JaffaCakes118.exe
  Resource: win10v2004-20240611-en
General
Target: 02c5b014c1f35449be73aa3989aa9752_JaffaCakes118.exe
Size: 494KB
MD5: 02c5b014c1f35449be73aa3989aa9752
SHA1: 3d5b95bd472dac8ee39f774aaf6224ec4f4de263
SHA256: f0c0480082c004272fc5038e61a2d1db3890182321c4ed5fdb831bdc35d68cba
SHA512: 40826cf9fb4ba8148fa7465a0490ba1ad94ea963441b654a95d37caba3f001b7432ea93bfd6f1aefb5a21149c1b9a8c72bf2f5ec45868e405060416621dc6e90
SSDEEP: 12288:VokHg3IpIlaUS2k0XmaS7s8yF3Z4mxxVVI/TAaH9FYMquQptuKEqlJ:5AYKlaUlOs8yQmXnIkaHpqfu/qlJ
Malware Config
(none shown)

Signatures

Adds policy Run key to start application (2 TTPs, 2 IoCs)
  Key created:     \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\   process: svchost.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "C:\\Windows\\svchost.exe"   process: svchost.exe
  Note: the dropped C:\Windows\svchost.exe registers itself under the user's Policies\Explorer\Run key, which Explorer processes at logon; this is the sample's persistence. The genuine svchost.exe lives in System32 (and SysWOW64), never directly under C:\Windows, so a file at that path is a masquerade and a strong host-level indicator.

Executes dropped EXE (2 IoCs)
  PID 2576  4.exe
  PID 3032  svchost.exe

Loads dropped DLL (3 IoCs)
  PID 2284  02c5b014c1f35449be73aa3989aa9752_JaffaCakes118.exe
  PID 2284  02c5b014c1f35449be73aa3989aa9752_JaffaCakes118.exe
  PID 2576  4.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""   process: 02c5b014c1f35449be73aa3989aa9752_JaffaCakes118.exe
  Note: this RunOnce value is the standard clean-up entry written by Windows' own wextract/IExpress self-extracting packages (the IXP000.TMP extraction directory is the other tell); it deletes the temp directory on the next logon and is installer behaviour, not the malware's persistence. It does identify the sample as a wextract-wrapped package whose payload is 4.exe. The Wow6432Node path shows the writer is a 32-bit process on the x64 image.

Drops file in Windows directory (2 IoCs)
  File created:               C:\Windows\svchost.exe   process: 4.exe
  File opened for modification: C:\Windows\svchost.exe   process: 4.exe
  Note: writing into C:\Windows needs administrative rights, so 4.exe was running with write access to the Windows directory in this run.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2284 (02c5b014c1f35449be73aa3989aa9752_JaffaCakes118.exe) wrote to memory of PID 2576 (4.exe), procid_target 28: 4 events
  PID 2576 (4.exe) wrote to memory of PID 3032 (svchost.exe), procid_target 29: 4 events
  Note: both targets are the writer's own child process, so these entries record the process-creation chain (sample -> 4.exe -> svchost.exe) rather than injection into an unrelated process.
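To turn the signature rows above into a repeatable check, here is an added example (my own code, not Hatching Triage's tooling and not the sample's): it scores event lines constructed from the table, treating writes to Run, RunOnce and Policies\Explorer\Run as persistence, the advpack DelNodeRunDLL32 clean-up of an IXPnnn.TMP directory as wextract installer noise, and a core Windows binary name outside System32/SysWOW64 as masquerading. The pipe-separated event format, the rule names and the severity labels are this example's own assumptions; the registry paths and file paths are the ones the report shows.

```python
"""
Offline scoring of behavioural IoCs of the kind shown in the signature table.
Example code added to this report, not Hatching Triage tooling; the event
line format ('kind|process|ioc|value') and rule names are this example's own.
"""
import re
from dataclasses import dataclass

# Auto-start keys under HKCU/HKLM; Wow6432Node appears when a 32-bit process
# writes to HKLM\SOFTWARE on an x64 image, as the sample did.
AUTOSTART_KEY_RE = re.compile(
    r"\\Software\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\"
    r"(?:Policies\\Explorer\\Run|RunOnce|Run)(?:\\|$)",
    re.IGNORECASE,
)
# RunOnce value that wextract/IExpress self-extractors write to delete their
# IXP%03d.TMP staging directory: installer noise, not the payload's persistence.
SFX_CLEANUP_RE = re.compile(
    r"advpack\.dll,DelNodeRunDLL32\b.*\\IXP\d{3}\.TMP", re.IGNORECASE
)
# Where the genuine copies of these binaries live on a 64-bit install.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "info"
    rule: str
    process: str
    ioc: str


def parse_event(line: str):
    """Split a constructed 'kind|process|ioc|value' line; value may be empty."""
    parts = line.rstrip("\n").split("|", 3)
    while len(parts) < 4:
        parts.append("")
    return tuple(parts)


def is_masquerading_path(path: str) -> bool:
    """True when a core Windows binary name sits outside System32/SysWOW64."""
    p = path.strip().strip('"').lower()
    name = p.rsplit("\\", 1)[-1]
    return name in SYSTEM_BINARIES and not p.startswith(SYSTEM_DIRS)


def evaluate(events):
    """Apply the three rules to each event and return findings in event order."""
    findings = []
    for kind, process, ioc, value in map(parse_event, events):
        if kind == "regset" and AUTOSTART_KEY_RE.search(ioc):
            if SFX_CLEANUP_RE.search(value):
                findings.append(Finding("info", "sfx_cleanup_runonce", process, ioc))
            else:
                findings.append(Finding("high", "autostart_persistence", process, ioc))
                if is_masquerading_path(value):
                    findings.append(Finding("high", "autostart_points_to_masquerade", process, value))
        elif kind == "filecreate" and is_masquerading_path(ioc):
            findings.append(Finding("high", "system_binary_masquerade", process, ioc))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 3, 'info': 1}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed from the report's signature rows (single backslashes, as on disk).
# The last line is a benign control: the real service host in System32.
SAMPLE_EVENTS = r"""
regset|02c5b014c1f35449be73aa3989aa9752_JaffaCakes118.exe|\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0|rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
filecreate|4.exe|C:\Windows\svchost.exe|
regset|svchost.exe|\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\|C:\Windows\svchost.exe
filecreate|TrustedInstaller.exe|C:\Windows\System32\svchost.exe|
""".strip().splitlines()


if __name__ == "__main__":
    results = evaluate(SAMPLE_EVENTS)
    for f in results:
        print(f"[{f.severity:4}] {f.rule:32} {f.process}: {f.ioc}")
    print(summarize(results))
```

Run against the constructed events it reports one info finding for the wextract clean-up key and three high findings: the file drop of C:\Windows\svchost.exe, the Policies\Explorer\Run write, and that write pointing at the masquerading path; the System32 control line produces nothing. Feeding it real sandbox or EDR registry and file events only needs a different `parse_event`.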
Processes
1. C:\Users\Admin\AppData\Local\Temp\02c5b014c1f35449be73aa3989aa9752_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\02c5b014c1f35449be73aa3989aa9752_JaffaCakes118.exe"
   PID: 2284
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe   (child of 2284)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
      PID: 2576
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\svchost.exe   (child of 2576)
         Command line: "C:\Windows\svchost.exe"
         PID: 3032
         - Adds policy Run key to start application
         - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
Dropped file (the report does not name which of the dropped files this is):
Filesize: 320KB
MD5: 49b83848ac9e1bedc734173349491c56
SHA1: 257140b427b28a8f4e3cf5e7cc4be572759a9a0d
SHA256: 6da99af43de134ded9c55093be54b6d57c174fd11d1bea923765ff052ab43f05
SHA512: 23a24007259edf1550d55a4dec01129db6d1adc13d02a75837a9ade5fbaf2f698e6c52ca74f73c247da076d3a53b4fc2081ecd03c0b8b059793cab7c61a462a1