Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 25/06/2024, 03:13
Static task: static1
Behavioral task: behavioral1
  Sample: 0c3c8f8be75915b62546a16f8d080fdc_JaffaCakes118.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 0c3c8f8be75915b62546a16f8d080fdc_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 0c3c8f8be75915b62546a16f8d080fdc_JaffaCakes118.exe
Size: 67KB
MD5: 0c3c8f8be75915b62546a16f8d080fdc
SHA1: 8e5fc6de15a8428a4ff37d73827223527400301b
SHA256: 47f3b4dac57ef21a84253ef888a836b5e5a126f3e1f33d40055a820adca4bf40
SHA512: 4e74cac75b198360ef3656b6c5c906774e6de72d6fd4e9b52de88c767888fcd67aeec58d2e87279c31989f1765a60fa10208a6d6e009e1050023b4b4f8085dac
SSDEEP: 768:Jc588yB1RnUHXYuyBpVRFOrqpp1l1jKdfeRw7C9pWQNScYFWobO93JupQesBBkl:Js4B1RpVRwrcl8dD5MnYTOFJxBG
Malware Config
Signatures
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 0c3c8f8be75915b62546a16f8d080fdc_JaffaCakes118.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | 0c3c8f8be75915b62546a16f8d080fdc_JaffaCakes118.exe
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 2192 set thread context of 2476 | 2192 | 0c3c8f8be75915b62546a16f8d080fdc_JaffaCakes118.exe | 33
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Runs net.exe
- Suspicious use of WriteProcessMemory (26 IoCs)
  description | pid | Process | procid_target
  PID 2192 wrote to memory of 1664 | 2192 | 0c3c8f8be75915b62546a16f8d080fdc_JaffaCakes118.exe | 29
  PID 2192 wrote to memory of 1664 | 2192 | 0c3c8f8be75915b62546a16f8d080fdc_JaffaCakes118.exe | 29
  PID 2192 wrote to memory of 1664 | 2192 | 0c3c8f8be75915b62546a16f8d080fdc_JaffaCakes118.exe | 29
  PID 2192 wrote to memory of 1664 | 2192 | 0c3c8f8be75915b62546a16f8d080fdc_JaffaCakes118.exe | 29
  PID 2192 wrote to memory of 2572 | 2192 | 0c3c8f8be75915b62546a16f8d080fdc_JaffaCakes118.exe | 31
  PID 2192 wrote to memory of 2572 | 2192 | 0c3c8f8be75915b62546a16f8d080fdc_JaffaCakes118.exe | 31
  PID 2192 wrote to memory of 2572 | 2192 | 0c3c8f8be75915b62546a16f8d080fdc_JaffaCakes118.exe | 31
  PID 2192 wrote to memory of 2572 | 2192 | 0c3c8f8be75915b62546a16f8d080fdc_JaffaCakes118.exe | 31
  PID 2192 wrote to memory of 2476 | 2192 | 0c3c8f8be75915b62546a16f8d080fdc_JaffaCakes118.exe | 33
  PID 2192 wrote to memory of 2476 | 2192 | 0c3c8f8be75915b62546a16f8d080fdc_JaffaCakes118.exe | 33
  PID 2192 wrote to memory of 2476 | 2192 | 0c3c8f8be75915b62546a16f8d080fdc_JaffaCakes118.exe | 33
  PID 2192 wrote to memory of 2476 | 2192 | 0c3c8f8be75915b62546a16f8d080fdc_JaffaCakes118.exe | 33
  PID 2192 wrote to memory of 2476 | 2192 | 0c3c8f8be75915b62546a16f8d080fdc_JaffaCakes118.exe | 33
  PID 2192 wrote to memory of 2476 | 2192 | 0c3c8f8be75915b62546a16f8d080fdc_JaffaCakes118.exe | 33
  PID 2192 wrote to memory of 2476 | 2192 | 0c3c8f8be75915b62546a16f8d080fdc_JaffaCakes118.exe | 33
  PID 2192 wrote to memory of 2476 | 2192 | 0c3c8f8be75915b62546a16f8d080fdc_JaffaCakes118.exe | 33
  PID 2192 wrote to memory of 2476 | 2192 | 0c3c8f8be75915b62546a16f8d080fdc_JaffaCakes118.exe | 33
  PID 2572 wrote to memory of 2588 | 2572 | net.exe | 35
  PID 2572 wrote to memory of 2588 | 2572 | net.exe | 35
  PID 2572 wrote to memory of 2588 | 2572 | net.exe | 35
  PID 2572 wrote to memory of 2588 | 2572 | net.exe | 35
  PID 1664 wrote to memory of 2492 | 1664 | net.exe | 34
  PID 1664 wrote to memory of 2492 | 1664 | net.exe | 34
  PID 1664 wrote to memory of 2492 | 1664 | net.exe | 34
  PID 1664 wrote to memory of 2492 | 1664 | net.exe | 34
  PID 2192 wrote to memory of 2476 | 2192 | 0c3c8f8be75915b62546a16f8d080fdc_JaffaCakes118.exe | 33
Processes
[1] C:\Users\Admin\AppData\Local\Temp\0c3c8f8be75915b62546a16f8d080fdc_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0c3c8f8be75915b62546a16f8d080fdc_JaffaCakes118.exe"
    PID: 2192
    - Maps connected drives based on registry
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\net.exe
        Command line: "C:\Windows\System32\net.exe" stop sharedaccess
        PID: 1664
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\net1.exe
            Command line: C:\Windows\system32\net1 stop sharedaccess
            PID: 2492
    [2] C:\Windows\SysWOW64\net.exe
        Command line: "C:\Windows\System32\net.exe" stop "Security Center"
        PID: 2572
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\net1.exe
            Command line: C:\Windows\system32\net1 stop "Security Center"
            PID: 2588
    [2] C:\Users\Admin\AppData\Local\Temp\0c3c8f8be75915b62546a16f8d080fdc_JaffaCakes118.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\0c3c8f8be75915b62546a16f8d080fdc_JaffaCakes118.exe"
        PID: 2476