Analysis

max time kernel: 147s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 24/06/2024, 07:09
Static task: static1

Behavioral task: behavioral1
  Sample: 071c23ae75e84b754dcd5b6e22056d28_JaffaCakes118.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: 071c23ae75e84b754dcd5b6e22056d28_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General

Target: 071c23ae75e84b754dcd5b6e22056d28_JaffaCakes118.exe
Size: 772KB
MD5: 071c23ae75e84b754dcd5b6e22056d28
SHA1: ee3579b279cd3b6f5f555188e70c9fb459b4a958
SHA256: 27e836a494a3d63fbbc24f75ed4854f07bb3458641ba4062eb6dbf57b99a98eb
SHA512: 0e020fd7440646e5ec5ce738fe54dcf4c15427181b98e18a1e603b4f5099201286fba264d8a3de566661a7f54be50a2b958db9cd5f3d207d1ac0c598679cbf95
SSDEEP: 24576:eCxkZmvVi0FRAHgbGQjwZegfrxQU3SjZ6GPrb:eCx7V3FO9tOCSjZ6UX
Signatures

Drops startup file (2 IoCs)
  description | ioc | process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aerff.exe | msmh.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aerff.exe | msmh.exe

Executes dropped EXE (4 IoCs)
  pid | process
  3064 | msmh.exe
  3068 | msmh.exe
  1720 | emailextractor.exe
  2744 | INS2868.tmp

Loads dropped DLL (10 IoCs)
  pid | process
  2944 | 071c23ae75e84b754dcd5b6e22056d28_JaffaCakes118.exe
  2944 | 071c23ae75e84b754dcd5b6e22056d28_JaffaCakes118.exe
  3064 | msmh.exe
  2944 | 071c23ae75e84b754dcd5b6e22056d28_JaffaCakes118.exe
  2944 | 071c23ae75e84b754dcd5b6e22056d28_JaffaCakes118.exe
  1720 | emailextractor.exe
  1720 | emailextractor.exe
  1720 | emailextractor.exe
  1720 | emailextractor.exe
  1720 | emailextractor.exe

YARA rule matches (upx)
  resource | yara_rule
  behavioral1/files/0x000b000000014284-3.dat | upx
  behavioral1/memory/2944-5-0x0000000077CA0000-0x0000000077CCB000-memory.dmp | upx
  behavioral1/memory/3064-16-0x0000000077CA0000-0x0000000077CCB000-memory.dmp | upx
  behavioral1/memory/3064-33-0x0000000077CA0000-0x0000000077CCB000-memory.dmp | upx
  behavioral1/memory/3068-38-0x0000000077CA0000-0x0000000077CCB000-memory.dmp | upx

Drops file in System32 directory (1 IoC)
  description | ioc | process
  File created | C:\Windows\SysWOW64\gbd5.tst | msmh.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (26 IoCs)
  description | pid | process | procid_target
  PID 2944 wrote to memory of 3064 | 2944 | 071c23ae75e84b754dcd5b6e22056d28_JaffaCakes118.exe | 28
  PID 2944 wrote to memory of 3064 | 2944 | 071c23ae75e84b754dcd5b6e22056d28_JaffaCakes118.exe | 28
  PID 2944 wrote to memory of 3064 | 2944 | 071c23ae75e84b754dcd5b6e22056d28_JaffaCakes118.exe | 28
  PID 2944 wrote to memory of 3064 | 2944 | 071c23ae75e84b754dcd5b6e22056d28_JaffaCakes118.exe | 28
  PID 3064 wrote to memory of 3068 | 3064 | msmh.exe | 29
  PID 3064 wrote to memory of 3068 | 3064 | msmh.exe | 29
  PID 3064 wrote to memory of 3068 | 3064 | msmh.exe | 29
  PID 3064 wrote to memory of 3068 | 3064 | msmh.exe | 29
  PID 2944 wrote to memory of 1720 | 2944 | 071c23ae75e84b754dcd5b6e22056d28_JaffaCakes118.exe | 30
  PID 2944 wrote to memory of 1720 | 2944 | 071c23ae75e84b754dcd5b6e22056d28_JaffaCakes118.exe | 30
  PID 2944 wrote to memory of 1720 | 2944 | 071c23ae75e84b754dcd5b6e22056d28_JaffaCakes118.exe | 30
  PID 2944 wrote to memory of 1720 | 2944 | 071c23ae75e84b754dcd5b6e22056d28_JaffaCakes118.exe | 30
  PID 2944 wrote to memory of 1720 | 2944 | 071c23ae75e84b754dcd5b6e22056d28_JaffaCakes118.exe | 30
  PID 2944 wrote to memory of 1720 | 2944 | 071c23ae75e84b754dcd5b6e22056d28_JaffaCakes118.exe | 30
  PID 2944 wrote to memory of 1720 | 2944 | 071c23ae75e84b754dcd5b6e22056d28_JaffaCakes118.exe | 30
  PID 3068 wrote to memory of 2632 | 3068 | msmh.exe | 31
  PID 3068 wrote to memory of 2632 | 3068 | msmh.exe | 31
  PID 3068 wrote to memory of 2632 | 3068 | msmh.exe | 31
  PID 3068 wrote to memory of 2632 | 3068 | msmh.exe | 31
  PID 1720 wrote to memory of 2744 | 1720 | emailextractor.exe | 33
  PID 1720 wrote to memory of 2744 | 1720 | emailextractor.exe | 33
  PID 1720 wrote to memory of 2744 | 1720 | emailextractor.exe | 33
  PID 1720 wrote to memory of 2744 | 1720 | emailextractor.exe | 33
  PID 1720 wrote to memory of 2744 | 1720 | emailextractor.exe | 33
  PID 1720 wrote to memory of 2744 | 1720 | emailextractor.exe | 33
  PID 1720 wrote to memory of 2744 | 1720 | emailextractor.exe | 33
Processes

[1] C:\Users\Admin\AppData\Local\Temp\071c23ae75e84b754dcd5b6e22056d28_JaffaCakes118.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\071c23ae75e84b754dcd5b6e22056d28_JaffaCakes118.exe"
    PID: 2944
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\msmh.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\msmh.exe"
      PID: 3064
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Local\Temp\msmh.exe
        command line: C:\Users\Admin\AppData\Local\Temp\msmh.exe b
        PID: 3068
        - Drops startup file
        - Executes dropped EXE
        - Drops file in System32 directory
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\cmd.exe
          command line: "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\msmh.exe"
          PID: 2632

  [2] C:\Users\Admin\AppData\Local\Temp\emailextractor.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\emailextractor.exe"
      PID: 1720
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Local\Temp\INS2868.tmp
        command line: C:\Users\Admin\AppData\Local\Temp\INS2868.tmp /SL2 C:\Users\Admin\AppData\Local\Temp\emailextractor.exe 695216 698160 59904
        PID: 2744
        - Executes dropped EXE