Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 120s
max time network: 120s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64 arch:x86 image:win7-20240220-en locale:en-us os:windows7-x64 system
submitted: 25/06/2024, 08:28
Behavioral task: behavioral1
Sample: 0d60ecda4fca66f183ddce20fbfedde2_JaffaCakes118.exe
Resource: win7-20240220-en
Behavioral task: behavioral2
Sample: 0d60ecda4fca66f183ddce20fbfedde2_JaffaCakes118.exe
Resource: win10v2004-20240226-en
General
Target: 0d60ecda4fca66f183ddce20fbfedde2_JaffaCakes118.exe
Size: 50KB
MD5: 0d60ecda4fca66f183ddce20fbfedde2
SHA1: 16dafdd9a71dcd2a331888b6fdc41f23c798d974
SHA256: 16375b5b8e038d7657846a156d484fe0e293182f7da59ccac5bef7b5772b514d
SHA512: 64f852ebddaba49b863a1b9fc9293cab8d4d03153658e6d8060fbb507fc9e662efa65f86af331e40dfd9f7003344d1624ea1062dafb8c208ed20cb9d633b0734
SSDEEP: 768:TT4wO+GkS0JARrVibDdPNfLxdGGh25gAfRVnhmKgI:tOxrVSfD259hmKV
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid   Process
  2904  cmd.exe
- Executes dropped EXE (1 IoC)
  pid   Process
  2888  WinHp3.exe
- Loads dropped DLL (2 IoCs)
  pid   Process
  3040  0d60ecda4fca66f183ddce20fbfedde2_JaffaCakes118.exe
  3040  0d60ecda4fca66f183ddce20fbfedde2_JaffaCakes118.exe
- YARA matches
  resource                                                                   yara_rule
  behavioral1/memory/3040-2-0x0000000000400000-0x000000000040E000-memory.dmp  upx
  behavioral1/files/0x000b000000015d61-3.dat                                  upx
  behavioral1/memory/3040-4-0x0000000000220000-0x000000000022E000-memory.dmp  upx
- Drops file in System32 directory (3 IoCs)
  description                    ioc                               Process
  File created                   C:\Windows\SysWOW64\WinHp3.exe    0d60ecda4fca66f183ddce20fbfedde2_JaffaCakes118.exe
  File opened for modification   C:\Windows\SysWOW64\WinHp3.exe    0d60ecda4fca66f183ddce20fbfedde2_JaffaCakes118.exe
  File created                   C:\Windows\SysWOW64\WinHp3.exe    WinHp3.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                          pid   Process
  Token: SeIncBasePriorityPrivilege    3040  0d60ecda4fca66f183ddce20fbfedde2_JaffaCakes118.exe
  Token: SeIncBasePriorityPrivilege    2888  WinHp3.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description                   pid   Process                                              procid_target
  PID 3040 wrote to memory of 2888   3040  0d60ecda4fca66f183ddce20fbfedde2_JaffaCakes118.exe   28
  PID 3040 wrote to memory of 2888   3040  0d60ecda4fca66f183ddce20fbfedde2_JaffaCakes118.exe   28
  PID 3040 wrote to memory of 2888   3040  0d60ecda4fca66f183ddce20fbfedde2_JaffaCakes118.exe   28
  PID 3040 wrote to memory of 2888   3040  0d60ecda4fca66f183ddce20fbfedde2_JaffaCakes118.exe   28
  PID 3040 wrote to memory of 2904   3040  0d60ecda4fca66f183ddce20fbfedde2_JaffaCakes118.exe   29
  PID 3040 wrote to memory of 2904   3040  0d60ecda4fca66f183ddce20fbfedde2_JaffaCakes118.exe   29
  PID 3040 wrote to memory of 2904   3040  0d60ecda4fca66f183ddce20fbfedde2_JaffaCakes118.exe   29
  PID 3040 wrote to memory of 2904   3040  0d60ecda4fca66f183ddce20fbfedde2_JaffaCakes118.exe   29
  PID 2888 wrote to memory of 2520   2888  WinHp3.exe                                           30
  PID 2888 wrote to memory of 2520   2888  WinHp3.exe                                           30
  PID 2888 wrote to memory of 2520   2888  WinHp3.exe                                           30
  PID 2888 wrote to memory of 2520   2888  WinHp3.exe                                           30
Processes
- C:\Users\Admin\AppData\Local\Temp\0d60ecda4fca66f183ddce20fbfedde2_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0d60ecda4fca66f183ddce20fbfedde2_JaffaCakes118.exe"
  PID: 3040
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WinHp3.exe
    Command line: "C:\Windows\system32\WinHp3.exe"
    PID: 2888
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /C del C:\Windows\SysWOW64\WinHp3.exe > nul
      PID: 2520
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /C del C:\Users\Admin\AppData\Local\Temp\0D60EC~1.EXE > nul
    PID: 2904
    - Deletes itself
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 50KB
  MD5: 0d60ecda4fca66f183ddce20fbfedde2
  SHA1: 16dafdd9a71dcd2a331888b6fdc41f23c798d974
  SHA256: 16375b5b8e038d7657846a156d484fe0e293182f7da59ccac5bef7b5772b514d
  SHA512: 64f852ebddaba49b863a1b9fc9293cab8d4d03153658e6d8060fbb507fc9e662efa65f86af331e40dfd9f7003344d1624ea1062dafb8c208ed20cb9d633b0734