Analysis
max time kernel: 118s
max time network: 124s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 23/06/2024, 23:00
Static task: static1
Behavioral task: behavioral1
  Sample: 0394186c7c72386cbdb20492e62c6500_JaffaCakes118.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 0394186c7c72386cbdb20492e62c6500_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: 0394186c7c72386cbdb20492e62c6500_JaffaCakes118.exe
Size: 702KB
MD5: 0394186c7c72386cbdb20492e62c6500
SHA1: 6bfa90ecbc280224c3fb49e90e04b1d4b055fe27
SHA256: 9a64117f2e2c9485cd3ed8ecb656b2f6953dad5da3120c72a75b6f47e0ed9582
SHA512: e36519d8984e8b5e4699fee127582853e9ab11e0d169421f64cfcc9945569892246255afc78ef1431eb1498f0be79542ae96dbad9c6dad63afffcd11cde69117
SSDEEP: 12288:GDQAF1KvlY3wFUHrjLGawM29tyDnJYJpYxTCCzOdFZ7miHGj8/SGl:GDQg1Kv6KUj8GnJKMCDv5miHjSI
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  PID   Process
  2612  EPSTP32U.EXE

Loads dropped DLL (5 IoCs)
  PID   Process
  2852  0394186c7c72386cbdb20492e62c6500_JaffaCakes118.exe
  2612  EPSTP32U.EXE
  2612  EPSTP32U.EXE
  2612  EPSTP32U.EXE
  2612  EPSTP32U.EXE

Drops file in System32 directory (20 IoCs)
  Description                   IoC                                Process
  File opened for modification  C:\Windows\SysWOW64\EPPRTDRV.CAB   EPSTP32U.EXE
  File opened for modification  C:\Windows\SysWOW64\EPSTP32U.EXE   0394186c7c72386cbdb20492e62c6500_JaffaCakes118.exe
  File created                  C:\Windows\SysWOW64\EPSETUP.CAB    0394186c7c72386cbdb20492e62c6500_JaffaCakes118.exe
  File opened for modification  C:\Windows\SysWOW64\EPSPTDVE.EXE   0394186c7c72386cbdb20492e62c6500_JaffaCakes118.exe
  File created                  C:\Windows\SysWOW64\EPPRTDRV.CAB   0394186c7c72386cbdb20492e62c6500_JaffaCakes118.exe
  File opened for modification  C:\Windows\SysWOW64\EPSMTL32.DLL   0394186c7c72386cbdb20492e62c6500_JaffaCakes118.exe
  File opened for modification  C:\Windows\SysWOW64\EPISPC98.EXE   EPSTP32U.EXE
  File opened for modification  C:\Windows\SysWOW64\EPINSTU.EXE    EPSTP32U.EXE
  File opened for modification  C:\Windows\SysWOW64\EPSTP32U.CAB   0394186c7c72386cbdb20492e62c6500_JaffaCakes118.exe
  File created                  C:\Windows\SysWOW64\EPSTP32U.CAB   0394186c7c72386cbdb20492e62c6500_JaffaCakes118.exe
  File opened for modification  C:\Windows\SysWOW64\EPINSTU.EXE    0394186c7c72386cbdb20492e62c6500_JaffaCakes118.exe
  File opened for modification  C:\Windows\SysWOW64\EPSPTDVE.EXE   EPSTP32U.EXE
  File opened for modification  C:\Windows\SysWOW64\EPSETUP.CAB    EPSTP32U.EXE
  File created                  C:\Windows\SysWOW64\EPSCMINS.DLL   EPSTP32U.EXE
  File opened for modification  C:\Windows\SysWOW64\EPSDIW64.EXE   EPSTP32U.EXE
  File opened for modification  C:\Windows\SysWOW64\eps_icon.avi   EPSTP32U.EXE
  File created                  C:\Windows\SysWOW64\eps_icon.avi   EPSTP32U.EXE
  File opened for modification  C:\Windows\SysWOW64\EPSCMINS.DLL   EPSTP32U.EXE
  File created                  C:\Windows\SysWOW64\EPISPC98.EXE   EPSTP32U.EXE
  File created                  C:\Windows\SysWOW64\EPSDIW64.EXE   EPSTP32U.EXE

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  PID   Process
  2612  EPSTP32U.EXE
  2612  EPSTP32U.EXE
  2612  EPSTP32U.EXE

Suspicious use of SetWindowsHookEx (1 IoC)
  PID   Process
  2612  EPSTP32U.EXE

Suspicious use of WriteProcessMemory (7 IoCs)
  Description                       PID   Process                                              procid_target
  PID 2852 wrote to memory of 2612  2852  0394186c7c72386cbdb20492e62c6500_JaffaCakes118.exe  28
  PID 2852 wrote to memory of 2612  2852  0394186c7c72386cbdb20492e62c6500_JaffaCakes118.exe  28
  PID 2852 wrote to memory of 2612  2852  0394186c7c72386cbdb20492e62c6500_JaffaCakes118.exe  28
  PID 2852 wrote to memory of 2612  2852  0394186c7c72386cbdb20492e62c6500_JaffaCakes118.exe  28
  PID 2852 wrote to memory of 2612  2852  0394186c7c72386cbdb20492e62c6500_JaffaCakes118.exe  28
  PID 2852 wrote to memory of 2612  2852  0394186c7c72386cbdb20492e62c6500_JaffaCakes118.exe  28
  PID 2852 wrote to memory of 2612  2852  0394186c7c72386cbdb20492e62c6500_JaffaCakes118.exe  28
Processes

1. C:\Users\Admin\AppData\Local\Temp\0394186c7c72386cbdb20492e62c6500_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0394186c7c72386cbdb20492e62c6500_JaffaCakes118.exe"
   PID: 2852
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\EPSTP32U.EXE (child of PID 2852)
      Command line: "C:\Windows\system32\EPSTP32U.EXE" /y:"C:\Users\Admin\AppData\Local\Temp\0394186c7c72386cbdb20492e62c6500_JaffaCakes118.exe"
      PID: 2612
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads