Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 120s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 25/06/2024, 06:06
Behavioral task: behavioral1
- Sample: 0cf301e08a46a20874dc09d4e02ef0dc_JaffaCakes118.exe
- Resource: win7-20240611-en
General
- Target: 0cf301e08a46a20874dc09d4e02ef0dc_JaffaCakes118.exe
- Size: 784KB
- MD5: 0cf301e08a46a20874dc09d4e02ef0dc
- SHA1: de8883d5c51ef7437dbb6721e0b82bc55ea86257
- SHA256: 30f55f9f823222f0b119a8249b452e2f22c8f3da96d8e0bd80af31e1eb25d828
- SHA512: 572e286cf49348fd4eaee6c25fc70c1c4ec575c2309792ddcb8859659a5dc59640a3392fc5961b035d882455450cfd6d8ec8a043f705593f2c16df26f6a12f1f
- SSDEEP: 12288:B7AWQCTJVy/ZnLzr8A778nsrzTu7FBNmsNj/G1fR5Hvea5Y6UsSRjAUQ2Bt:6WQuQZnLsAEnsrzTuL3je1fRBh+8M
Malware Config
Signatures
- XMRig Miner payload (7 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/2404-14-0x0000000000400000-0x0000000000593000-memory.dmp   xmrig
  behavioral1/memory/2404-2-0x0000000000400000-0x0000000000593000-memory.dmp    xmrig
  behavioral1/memory/1396-18-0x0000000000400000-0x0000000000593000-memory.dmp   xmrig
  behavioral1/memory/1396-33-0x00000000005A0000-0x000000000071F000-memory.dmp   xmrig
  behavioral1/memory/1396-34-0x0000000000400000-0x0000000000587000-memory.dmp   xmrig
  behavioral1/memory/1396-23-0x0000000000400000-0x0000000000587000-memory.dmp   xmrig
  behavioral1/memory/1396-32-0x0000000003120000-0x00000000032B3000-memory.dmp   xmrig
- Deletes itself (1 IoCs)
  pid   Process
  1396  0cf301e08a46a20874dc09d4e02ef0dc_JaffaCakes118.exe
- Executes dropped EXE (1 IoCs)
  pid   Process
  1396  0cf301e08a46a20874dc09d4e02ef0dc_JaffaCakes118.exe
- Loads dropped DLL (1 IoCs)
  pid   Process
  2404  0cf301e08a46a20874dc09d4e02ef0dc_JaffaCakes118.exe
- (signature name not recovered from the page; UPX rule hits, 3 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/2404-0-0x0000000000400000-0x0000000000712000-memory.dmp    upx
  behavioral1/files/0x000a00000001229f-15.dat                                   upx
  behavioral1/memory/1396-16-0x0000000000400000-0x0000000000712000-memory.dmp   upx
- Suspicious behavior: RenamesItself (1 IoCs)
  pid   Process
  2404  0cf301e08a46a20874dc09d4e02ef0dc_JaffaCakes118.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid   Process
  2404  0cf301e08a46a20874dc09d4e02ef0dc_JaffaCakes118.exe
  1396  0cf301e08a46a20874dc09d4e02ef0dc_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description                          pid   Process                                              procid_target
  PID 2404 wrote to memory of 1396     2404  0cf301e08a46a20874dc09d4e02ef0dc_JaffaCakes118.exe   29
  PID 2404 wrote to memory of 1396     2404  0cf301e08a46a20874dc09d4e02ef0dc_JaffaCakes118.exe   29
  PID 2404 wrote to memory of 1396     2404  0cf301e08a46a20874dc09d4e02ef0dc_JaffaCakes118.exe   29
  PID 2404 wrote to memory of 1396     2404  0cf301e08a46a20874dc09d4e02ef0dc_JaffaCakes118.exe   29
Processes
1. C:\Users\Admin\AppData\Local\Temp\0cf301e08a46a20874dc09d4e02ef0dc_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0cf301e08a46a20874dc09d4e02ef0dc_JaffaCakes118.exe"
   PID: 2404
   - Loads dropped DLL
   - Suspicious behavior: RenamesItself
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\0cf301e08a46a20874dc09d4e02ef0dc_JaffaCakes118.exe (child of PID 2404)
      Command line: C:\Users\Admin\AppData\Local\Temp\0cf301e08a46a20874dc09d4e02ef0dc_JaffaCakes118.exe
      PID: 1396
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 784KB
- MD5: 303101dee767dd8b6cc4c28f8e3799e3
- SHA1: 585ea65ee6a569f68c7ab3830c0d718ab6487398
- SHA256: 82f817eca00319a8524979f030e52f9fb23aaa68c66d23018844ebdea069e155
- SHA512: 126b847565b20239a77a66f06334bf3929896d383d1ec55d28e49edba759ad2bf4322d24256fcdcdaaa550d46e4bab565387347241d3d88ed7077edf6ff0d9b4