Analysis

max time kernel: 150s
max time network: 136s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 25/06/2024, 22:48
Static task: static1

Behavioral task: behavioral1
  Sample: 0fd05301d4b87cc8eae4cc8ffd8d15e3_JaffaCakes118.exe
  Resource: win7-20240508-en

Behavioral task: behavioral2
  Sample: 0fd05301d4b87cc8eae4cc8ffd8d15e3_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General

Target: 0fd05301d4b87cc8eae4cc8ffd8d15e3_JaffaCakes118.exe
Size: 373KB
MD5: 0fd05301d4b87cc8eae4cc8ffd8d15e3
SHA1: 0cbec9b4144130e9f465b7a07264d5c1f302d746
SHA256: fbda5336296fffe1cf43187446f42172ab2b85b3902d114e85b3899a113b53c4
SHA512: 3e0713e3529ffb0db12c71d13c6edc0da7b2085ccfcda56bb1ad41410ea709d9339a867be13449519a2974290bbe0b713eca0c773119fb68977feb38a18b9749
SSDEEP: 6144:s7Rnj2nSMWVxhTFZOvTxMTD95co+l8R4Lp0c6PF9vNAX6hYXpWfuhs:WnaWH92vTWXo0c8ZGXwypWfue
Malware Config
Signatures
-
Server Software Component: Terminal Services DLL (1 TTPs, 6 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\jokcpm\Parameters\ServiceDll = "%SystemRoot%\\System32\\jokcpm.dll" | aNwyrSsfMqehVVISiA1j.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\jokcpm\Parameters\ServiceDll = "%SystemRoot%\\System32\\jokcpm.dll" | aNwyrSsfMqehVVISiA1j.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\jokcpm\Parameters\ServiceDll = "%SystemRoot%\\System32\\jokcpm.dll" | aNwyrSsfMqehVVISiA1j.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\jokcpm\Parameters\ServiceDll = "%SystemRoot%\\System32\\jokcpm.dll" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\jokcpm\Parameters\ServiceDll = "%SystemRoot%\\System32\\jokcpm.dll" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\jokcpm\Parameters\ServiceDll = "%SystemRoot%\\System32\\jokcpm.dll" | svchost.exe
Executes dropped EXE (2 IoCs)

pid | Process
1960 | aNwyrSsfMqehVVISiA1j.exe
2524 | Z4wy2ZyrMJfQflIPpSF8.exe
Loads dropped DLL (2 IoCs)

pid | Process
1960 | aNwyrSsfMqehVVISiA1j.exe
2564 | svchost.exe

resource | yara_rule
behavioral1/files/0x0035000000015609-15.dat | upx
behavioral1/memory/2524-17-0x0000000000400000-0x0000000000479000-memory.dmp | upx
behavioral1/memory/2524-23-0x0000000000400000-0x0000000000479000-memory.dmp | upx
Drops file in System32 directory (1 IoCs)

description | ioc | Process
File created | C:\Windows\SysWOW64\jokcpm.dll | aNwyrSsfMqehVVISiA1j.exe

Drops file in Windows directory (2 IoCs)

description | ioc | Process
File created | C:\Windows\aNwyrSsfMqehVVISiA1j.exe | 0fd05301d4b87cc8eae4cc8ffd8d15e3_JaffaCakes118.exe
File created | C:\Windows\Z4wy2ZyrMJfQflIPpSF8.exe | 0fd05301d4b87cc8eae4cc8ffd8d15e3_JaffaCakes118.exe
Enumerates physical storage devices (1 TTPs)

Attempts to interact with connected storage/optical drive(s).
Suspicious use of FindShellTrayWindow (1 IoCs)

pid | Process
2524 | Z4wy2ZyrMJfQflIPpSF8.exe

Suspicious use of SendNotifyMessage (1 IoCs)

pid | Process
2524 | Z4wy2ZyrMJfQflIPpSF8.exe

Suspicious use of SetWindowsHookEx (2 IoCs)

pid | Process
2140 | 0fd05301d4b87cc8eae4cc8ffd8d15e3_JaffaCakes118.exe
2524 | Z4wy2ZyrMJfQflIPpSF8.exe

Suspicious use of WriteProcessMemory (8 IoCs)

description | pid | Process | procid_target
PID 2140 wrote to memory of 1960 | 2140 | 0fd05301d4b87cc8eae4cc8ffd8d15e3_JaffaCakes118.exe | 29
PID 2140 wrote to memory of 1960 | 2140 | 0fd05301d4b87cc8eae4cc8ffd8d15e3_JaffaCakes118.exe | 29
PID 2140 wrote to memory of 1960 | 2140 | 0fd05301d4b87cc8eae4cc8ffd8d15e3_JaffaCakes118.exe | 29
PID 2140 wrote to memory of 1960 | 2140 | 0fd05301d4b87cc8eae4cc8ffd8d15e3_JaffaCakes118.exe | 29
PID 2140 wrote to memory of 2524 | 2140 | 0fd05301d4b87cc8eae4cc8ffd8d15e3_JaffaCakes118.exe | 30
PID 2140 wrote to memory of 2524 | 2140 | 0fd05301d4b87cc8eae4cc8ffd8d15e3_JaffaCakes118.exe | 30
PID 2140 wrote to memory of 2524 | 2140 | 0fd05301d4b87cc8eae4cc8ffd8d15e3_JaffaCakes118.exe | 30
PID 2140 wrote to memory of 2524 | 2140 | 0fd05301d4b87cc8eae4cc8ffd8d15e3_JaffaCakes118.exe | 30
Processes

C:\Users\Admin\AppData\Local\Temp\0fd05301d4b87cc8eae4cc8ffd8d15e3_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0fd05301d4b87cc8eae4cc8ffd8d15e3_JaffaCakes118.exe"
  PID: 2140
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Windows\aNwyrSsfMqehVVISiA1j.exe
      Command line: "C:\Windows\aNwyrSsfMqehVVISiA1j.exe"
      PID: 1960 (child of 2140)
      - Server Software Component: Terminal Services DLL
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory

    C:\Windows\Z4wy2ZyrMJfQflIPpSF8.exe
      Command line: "C:\Windows\Z4wy2ZyrMJfQflIPpSF8.exe"
      PID: 2524 (child of 2140)
      - Executes dropped EXE
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k jokcpm
  PID: 2564
  - Server Software Component: Terminal Services DLL
  - Loads dropped DLL
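The signature and process tree above show the classic svchost-hosted service persistence: the dropper registers a service named jokcpm whose Parameters\ServiceDll points at %SystemRoot%\System32\jokcpm.dll in every ControlSet, and a 32-bit svchost.exe -k jokcpm then loads it. The dropped file shows up under SysWOW64 rather than System32 because the 32-bit dropper's writes to System32 are redirected by WOW64, which is also why the loading svchost.exe comes from SysWOW64. The script below is an added example, not part of the Triage report or its tooling: it parses the text format written by reg export for the Services and Svchost keys and flags any ServiceDll-bearing service whose svchost group is not registered under the Svchost key, which is not a member of its group, or whose DLL resolves outside System32. The embedded registry text is constructed for the example; Schedule and netsvcs are genuine Windows names, examplesvc is invented, and the jokcpm entries mirror the values in the report.

```python
"""Hunt for svchost-hosted ServiceDll persistence in a .reg export.

Added example (not part of the Triage report). Reads the text format
written by `reg export` and flags service DLLs loaded through an svchost
group the host does not know about, or from an unexpected path.
"""
import re
from typing import Dict, List, Tuple

SVCHOST_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost"
# ...\Services\<name>\Parameters under CurrentControlSet or any ControlSetNNN,
# because the sample wrote its ServiceDll into ControlSet001/002/003.
PARAMS_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\Services\\([^\\]+)\\Parameters$",
    re.I,
)
SVCHOST_CMD_RE = re.compile(r"svchost\.exe\s+-k\s+(\S+)", re.I)


def _hex7(*names: str) -> str:
    """Encode names as .reg REG_MULTI_SZ: 'hex(7):' + UTF-16LE, double-NUL terminated."""
    data = ("\x00".join(names) + "\x00\x00").encode("utf-16-le")
    return "hex(7):" + ",".join(f"{b:02x}" for b in data)


# Constructed sample registry export (not captured from a real host).
SAMPLE_REG = rf"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
"netsvcs"={_hex7('Schedule', 'SessionEnv')}
"LocalService"={_hex7('nsi', 'EventSystem')}

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule]
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\Parameters]
"ServiceDll"="%SystemRoot%\\system32\\schedsvc.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jokcpm]
"ImagePath"="%SystemRoot%\\System32\\svchost.exe -k jokcpm"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jokcpm\Parameters]
"ServiceDll"="%SystemRoot%\\System32\\jokcpm.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\examplesvc]
"ImagePath"="%SystemRoot%\\System32\\svchost.exe -k netsvcs"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\examplesvc\Parameters]
"ServiceDll"="%SystemRoot%\\System32\\examplesvc.dll"
"""


def _decode_value(raw: str) -> str:
    """Decode one .reg value: "string", dword:, or hex(N): blob (UTF-16LE for types 2 and 7)."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.lower().startswith("dword:"):
        return str(int(raw[6:], 16))
    m = re.match(r"hex(?:\(([0-9a-f]+)\))?:(.*)", raw, re.I)
    if not m:
        return raw
    data = bytes.fromhex(re.sub(r"[\s,]", "", m.group(2)))
    if (m.group(1) or "3").lower() in ("2", "7"):  # REG_EXPAND_SZ / REG_MULTI_SZ
        return data.decode("utf-16-le").rstrip("\x00").replace("\x00", "|")
    return data.hex()


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse .reg text into {key path: {value name: decoded value}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not buf:
            if not line or line.startswith(("Windows Registry Editor", ";")):
                continue
            if line.startswith("[") and line.endswith("]"):
                current = line[1:-1]
                keys.setdefault(current, {})
                continue
        buf += line
        if buf.endswith("\\"):  # hex data wrapped onto the next line
            buf = buf[:-1]
            continue
        name, _, value = buf.partition("=")
        buf = ""
        if current is not None:
            keys[current]["(Default)" if name == "@" else name.strip('"')] = _decode_value(value)
    return keys


def expand(path: str) -> str:
    """Expand %SystemRoot%/%windir% (assumption: the default install root C:/Windows)."""
    return re.sub(r"%(?:SystemRoot|windir)%", r"C:\\Windows", path, flags=re.I)


def hunt_service_dlls(reg_text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (service, expanded ServiceDll, reasons) for every suspicious ServiceDll."""
    keys = parse_reg(reg_text)
    groups = {g.lower(): set(m.lower().split("|")) for g, m in keys.get(SVCHOST_KEY, {}).items()}
    findings = []
    for key, values in keys.items():
        match = PARAMS_RE.match(key)
        if not match or "ServiceDll" not in values:
            continue
        svc = match.group(1)
        dll = expand(values["ServiceDll"])
        image = keys.get(key[: -len(r"\Parameters")], {}).get("ImagePath", "")
        cmd = SVCHOST_CMD_RE.search(image)
        reasons = []
        if not cmd:
            reasons.append("ServiceDll set but ImagePath is not svchost.exe -k <group>")
        elif cmd.group(1).lower() not in groups:
            reasons.append(f"svchost group '{cmd.group(1)}' is not registered under the Svchost key")
        elif svc.lower() not in groups[cmd.group(1).lower()]:
            reasons.append(f"service is not a member of svchost group '{cmd.group(1)}'")
        if not dll.lower().startswith("c:\\windows\\system32\\"):
            reasons.append(f"ServiceDll outside System32: {dll}")
        if reasons:
            findings.append((svc, dll, reasons))
    return findings


if __name__ == "__main__":
    for svc, dll, reasons in hunt_service_dlls(SAMPLE_REG):
        print(f"[!] {svc}: {dll}")
        for reason in reasons:
            print(f"      - {reason}")
```

On a live host the input is the concatenation of `reg export "HKLM\SYSTEM\CurrentControlSet\Services" services.reg` and `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost" svchost.reg`; reg.exe writes those files as UTF-16LE with a BOM, so open them with encoding="utf-16" before passing the text in. Run against the sample above, jokcpm is reported because no Svchost group of that name exists, which is exactly the condition a legitimate shared-process service never meets; the System32 path check is deliberately separate because, as this report shows, a malicious ServiceDll can sit in System32 and still be caught by the group rule.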
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 213KB
MD5: 3fc4d8faa7e83d5a1c70cfcd764c736c
SHA1: de4cef272a231271c088dd7faace32c0ad05d978
SHA256: e0c8388f1a2521389bd7db5a672f603eee7027ded0d576b10808b99bcb1112e9
SHA512: 943adad8e4d7717455a73e420777760c7796fff3c9b65a81f17f5f9421dfbb95203d34fbf57a7ed3d01a1f1d3e3d48e3865702e98708975eb1f6124f70e3a7b0

Filesize: 51KB
MD5: 17fa82152d9d45f7be6023fe443d82b3
SHA1: 923894133badbba384014b7b4ef7c2481d4df6d5
SHA256: 0fa0aa37e710fb9d106f34bcf07c0d636aea0c7dd59b81693e6aa185e0604700
SHA512: b8ca7a3aeb0ec2cfd421adf6e84c545e5db5c0df52436cb57e14851a4d033121197465ccaeff78d12540170407697695c9a6a470e99da088e7fa8375db9bb8c5

Filesize: 76KB
MD5: c5c4522abdc1cbba6ae6a81a1f7a6912
SHA1: 22d0452fa0ac9cdb14e981d8c1425305237c7709
SHA256: 264bdf205174754a78a7033fbfef8612366ba6fd995f980c926aeb83b4db97a8
SHA512: f29edffb897c53ec7b53a63f8eb32d2b1e2931a21cc254937ed775dfccf28522023d8acecc39fdf3b4c3c34f174131a2c3640c3dfc403d51540128fe71942eab