Analysis
- max time kernel: 119s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 20/06/2024, 13:09
Static task
- static1
Behavioral task
- behavioral1
  Sample: 0646e2421f3a63c98770c935861d5f40_JaffaCakes118.exe
  Resource: win7-20240611-en
Behavioral task
- behavioral2
  Sample: 0646e2421f3a63c98770c935861d5f40_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
- Target: 0646e2421f3a63c98770c935861d5f40_JaffaCakes118.exe
- Size: 273KB
- MD5: 0646e2421f3a63c98770c935861d5f40
- SHA1: b647d050bad1ef9aab1d356f161dd084fa4948a3
- SHA256: 0c7b9568523ef7d404acc23a8de9ef789e772f97809aa5ccda8f6ea9ec8fd2ad
- SHA512: a6f82d7388aabe2a80361de844bfb324863d2baf65a9cd2857f993c3a960f36fb3c84a07c83d79d778a220ed258144642667b2d0362747d26a99ba6a0c33e979
- SSDEEP: 3072:aESJj+qJS6WehSHl9vEpMulJSBoZ4UhUGkeXg8Ab+yqdDCknGyjlvF57OOooo/M4:aE5HZ6SuPZ4XGAbIdHGYvGxtEA
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 2992, process server.exe
- Loads dropped DLL (2 IoCs)
  pid 3000, process 0646e2421f3a63c98770c935861d5f40_JaffaCakes118.exe
  pid 3000, process 0646e2421f3a63c98770c935861d5f40_JaffaCakes118.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" by process 0646e2421f3a63c98770c935861d5f40_JaffaCakes118.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid 2992, process server.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  PID 3000 wrote to memory of 2992 (process 0646e2421f3a63c98770c935861d5f40_JaffaCakes118.exe, procid_target 28)
  PID 3000 wrote to memory of 2992 (process 0646e2421f3a63c98770c935861d5f40_JaffaCakes118.exe, procid_target 28)
  PID 3000 wrote to memory of 2992 (process 0646e2421f3a63c98770c935861d5f40_JaffaCakes118.exe, procid_target 28)
  PID 3000 wrote to memory of 2992 (process 0646e2421f3a63c98770c935861d5f40_JaffaCakes118.exe, procid_target 28)
  PID 2992 wrote to memory of 1360 (process server.exe, procid_target 21)
  PID 2992 wrote to memory of 1360 (process server.exe, procid_target 21)
  PID 2992 wrote to memory of 1360 (process server.exe, procid_target 21)
  PID 2992 wrote to memory of 1360 (process server.exe, procid_target 21)
  PID 2992 wrote to memory of 1360 (process server.exe, procid_target 21)
  PID 2992 wrote to memory of 1360 (process server.exe, procid_target 21)
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1360
  - C:\Users\Admin\AppData\Local\Temp\0646e2421f3a63c98770c935861d5f40_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0646e2421f3a63c98770c935861d5f40_JaffaCakes118.exe"
    PID: 3000
    Signatures: Loads dropped DLL; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
      PID: 2992
      Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 63KB
  MD5: daf06a1e22703e46893b94147f52c5aa
  SHA1: 54f152e20a2ca5fcbb23419fe4b1a72063cb20c3
  SHA256: 2dca6749a6c8a0fb47b0c8168f5e59077c52d469a765f7371ce2574a197e58e8
  SHA512: f00fd465a3d464d6c202e7e1b88574bdb325e9df8b717e2146b7e5b9a0c951e3de782a4bea3486bdee40ff473715b02a4aaddc90e856c0760684f072e38dc142