Analysis

Max time kernel:   137s
Max time network:  123s
Platform:          windows7_x64
Resource:          win7-20240419-en
Resource tags:     arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
Submitted:         24/06/2024, 12:16
Tasks

Static task static1
  Sample:   0873415c13efe3098d38e128edbb2380_JaffaCakes118.exe

Behavioral task behavioral1
  Sample:   0873415c13efe3098d38e128edbb2380_JaffaCakes118.exe
  Resource: win7-20240419-en

Behavioral task behavioral2
  Sample:   0873415c13efe3098d38e128edbb2380_JaffaCakes118.exe
  Resource: win10v2004-20240611-en
General

Target:  0873415c13efe3098d38e128edbb2380_JaffaCakes118.exe
Size:    1.0MB
MD5:     0873415c13efe3098d38e128edbb2380
SHA1:    f71b7ee73104510957a11f33d3b26a343f1d3671
SHA256:  66e26a3260b49cec2892d09e839a6f8349eb667de5580a62f433c55f93661812
SHA512:  3aa62d80cdacab68ce972c28d092b16e88868c666cf411941cc7124dfc0eca259bad83ce82d01ed6425cedf6a75afe3cfd7494ab48e43fce6b771ef9b09f84c6
SSDEEP:  6144:nLJ2B4cK3zh5Bopbk7tlIntCN9Giu/qqdM4zjvzf1DvF6TZd8HjL8RJW7GG2JI:LJihK3zOxgtq+mq74zj2wX8WGG2q
Malware Config
Signatures

Executes dropped EXE (10 IoCs)

  PID    Process
  2160   WinSys32.exe
  2828   WinSys32.exe
  2432   WinSys32.exe
  1496   WinSys32.exe
  2768   WinSys32.exe
  352    WinSys32.exe
  2152   WinSys32.exe
  1592   WinSys32.exe
  1952   WinSys32.exe
  576    WinSys32.exe

Loads dropped DLL (20 IoCs; each process is listed twice in the report)

  PID    Process
  1968   0873415c13efe3098d38e128edbb2380_JaffaCakes118.exe
  2160   WinSys32.exe
  2828   WinSys32.exe
  2432   WinSys32.exe
  1496   WinSys32.exe
  2768   WinSys32.exe
  352    WinSys32.exe
  2152   WinSys32.exe
  1592   WinSys32.exe
  1952   WinSys32.exe

Drops file in System32 directory (22 IoCs; all entries refer to the same path)

  IoC: C:\Windows\SysWOW64\WinSys32.exe

  Description                   Process                                              Entries
  File created                  0873415c13efe3098d38e128edbb2380_JaffaCakes118.exe   1
  File opened for modification  0873415c13efe3098d38e128edbb2380_JaffaCakes118.exe   1
  File created                  WinSys32.exe                                         10
  File opened for modification  WinSys32.exe                                         10

Suspicious use of WriteProcessMemory (40 IoCs; each write is listed four times in the report, giving 10 distinct parent/child pairs)

  Source PID   Source process                                        Target PID   procid_target   Entries
  1968         0873415c13efe3098d38e128edbb2380_JaffaCakes118.exe    2160         28              4
  2160         WinSys32.exe                                          2828         29              4
  2828         WinSys32.exe                                          2432         30              4
  2432         WinSys32.exe                                          1496         33              4
  1496         WinSys32.exe                                          2768         34              4
  2768         WinSys32.exe                                          352          35              4
  352          WinSys32.exe                                          2152         36              4
  2152         WinSys32.exe                                          1592         37              4
  1592         WinSys32.exe                                          1952         38              4
  1952         WinSys32.exe                                          576          39              4
Processes

Each entry is a child of the entry directly above it (the tree is 11 levels deep; the level number is given in parentheses).

(1) C:\Users\Admin\AppData\Local\Temp\0873415c13efe3098d38e128edbb2380_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0873415c13efe3098d38e128edbb2380_JaffaCakes118.exe"
    PID: 1968
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory

(2) C:\Windows\SysWOW64\WinSys32.exe
    Command line: C:\Windows\system32\WinSys32.exe 536 "C:\Users\Admin\AppData\Local\Temp\0873415c13efe3098d38e128edbb2380_JaffaCakes118.exe"
    PID: 2160
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory

(3) C:\Windows\SysWOW64\WinSys32.exe
    Command line: C:\Windows\system32\WinSys32.exe 532 "C:\Windows\SysWOW64\WinSys32.exe"
    PID: 2828
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory

(4) C:\Windows\SysWOW64\WinSys32.exe
    Command line: C:\Windows\system32\WinSys32.exe 552 "C:\Windows\SysWOW64\WinSys32.exe"
    PID: 2432
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory

(5) C:\Windows\SysWOW64\WinSys32.exe
    Command line: C:\Windows\system32\WinSys32.exe 524 "C:\Windows\SysWOW64\WinSys32.exe"
    PID: 1496
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory

(6) C:\Windows\SysWOW64\WinSys32.exe
    Command line: C:\Windows\system32\WinSys32.exe 556 "C:\Windows\SysWOW64\WinSys32.exe"
    PID: 2768
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory

(7) C:\Windows\SysWOW64\WinSys32.exe
    Command line: C:\Windows\system32\WinSys32.exe 528 "C:\Windows\SysWOW64\WinSys32.exe"
    PID: 352
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory

(8) C:\Windows\SysWOW64\WinSys32.exe
    Command line: C:\Windows\system32\WinSys32.exe 564 "C:\Windows\SysWOW64\WinSys32.exe"
    PID: 2152
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory

(9) C:\Windows\SysWOW64\WinSys32.exe
    Command line: C:\Windows\system32\WinSys32.exe 540 "C:\Windows\SysWOW64\WinSys32.exe"
    PID: 1592
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory

(10) C:\Windows\SysWOW64\WinSys32.exe
    Command line: C:\Windows\system32\WinSys32.exe 568 "C:\Windows\SysWOW64\WinSys32.exe"
    PID: 1952
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory

(11) C:\Windows\SysWOW64\WinSys32.exe
    Command line: C:\Windows\system32\WinSys32.exe 580 "C:\Windows\SysWOW64\WinSys32.exe"
    PID: 576
    - Executes dropped EXE
    - Drops file in System32 directory
Network
MITRE ATT&CK Matrix
Downloads

Filesize:  1.0MB
MD5:       0873415c13efe3098d38e128edbb2380
SHA1:      f71b7ee73104510957a11f33d3b26a343f1d3671
SHA256:    66e26a3260b49cec2892d09e839a6f8349eb667de5580a62f433c55f93661812
SHA512:    3aa62d80cdacab68ce972c28d092b16e88868c666cf411941cc7124dfc0eca259bad83ce82d01ed6425cedf6a75afe3cfd7494ab48e43fce6b771ef9b09f84c6