Analysis
- max time kernel: 140s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 25/06/2024, 11:47
Static task: static1
Behavioral task: behavioral1
- Sample: 0df3318d819d9ad6ebd2a967f1e98813_JaffaCakes118.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 0df3318d819d9ad6ebd2a967f1e98813_JaffaCakes118.exe
- Resource: win10v2004-20240226-en
General
- Target: 0df3318d819d9ad6ebd2a967f1e98813_JaffaCakes118.exe
- Size: 164KB
- MD5: 0df3318d819d9ad6ebd2a967f1e98813
- SHA1: 5072f8aed37a42d820ba58472dfc48ba02dad908
- SHA256: 286c8d67eac594e9b15b554607c9c8a9a3c72cc99c0d7a62e15b74c9ec5a3253
- SHA512: 2a1366573abcea264470ef34a1c38319db5d65d9260943751943571bd18ba84fc6768d9453b37be8aed843039ff5fff8f365b7fa9fe425d45051207668e3a501
- SSDEEP: 3072:h8JoE0ABLF7U9/IjKZcg3T4pxyLaQFiAXCgRdAesXGDQghH/cE:UiWFGcg6AiIRuBXAf
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\956CA\\FEB07.exe"
  Process: 0df3318d819d9ad6ebd2a967f1e98813_JaffaCakes118.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- yara_rule matches (resource, yara_rule):
  behavioral1/memory/2220-3-0x0000000000400000-0x0000000000491000-memory.dmp, upx
  behavioral1/memory/2220-2-0x0000000000400000-0x000000000048E000-memory.dmp, upx
  behavioral1/memory/3008-14-0x0000000000400000-0x0000000000491000-memory.dmp, upx
  behavioral1/memory/3008-15-0x0000000000400000-0x000000000048E000-memory.dmp, upx
  behavioral1/memory/2220-17-0x0000000000400000-0x0000000000491000-memory.dmp, upx
  behavioral1/memory/2756-136-0x0000000000400000-0x0000000000491000-memory.dmp, upx
  behavioral1/memory/2756-135-0x0000000000400000-0x0000000000491000-memory.dmp, upx
  behavioral1/memory/2756-138-0x0000000000400000-0x0000000000491000-memory.dmp, upx
  behavioral1/memory/2220-139-0x0000000000400000-0x0000000000491000-memory.dmp, upx
  behavioral1/memory/2220-251-0x0000000000400000-0x000000000048E000-memory.dmp, upx
  behavioral1/memory/2220-302-0x0000000000400000-0x0000000000491000-memory.dmp, upx
- Suspicious use of WriteProcessMemory (8 IoCs)
  description, pid, Process, procid_target:
  PID 2220 wrote to memory of 3008, 2220, 0df3318d819d9ad6ebd2a967f1e98813_JaffaCakes118.exe, 28
  PID 2220 wrote to memory of 3008, 2220, 0df3318d819d9ad6ebd2a967f1e98813_JaffaCakes118.exe, 28
  PID 2220 wrote to memory of 3008, 2220, 0df3318d819d9ad6ebd2a967f1e98813_JaffaCakes118.exe, 28
  PID 2220 wrote to memory of 3008, 2220, 0df3318d819d9ad6ebd2a967f1e98813_JaffaCakes118.exe, 28
  PID 2220 wrote to memory of 2756, 2220, 0df3318d819d9ad6ebd2a967f1e98813_JaffaCakes118.exe, 30
  PID 2220 wrote to memory of 2756, 2220, 0df3318d819d9ad6ebd2a967f1e98813_JaffaCakes118.exe, 30
  PID 2220 wrote to memory of 2756, 2220, 0df3318d819d9ad6ebd2a967f1e98813_JaffaCakes118.exe, 30
  PID 2220 wrote to memory of 2756, 2220, 0df3318d819d9ad6ebd2a967f1e98813_JaffaCakes118.exe, 30
Processes
- C:\Users\Admin\AppData\Local\Temp\0df3318d819d9ad6ebd2a967f1e98813_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0df3318d819d9ad6ebd2a967f1e98813_JaffaCakes118.exe"
  PID: 2220
  - Modifies WinLogon for persistence
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\0df3318d819d9ad6ebd2a967f1e98813_JaffaCakes118.exe
    command line: C:\Users\Admin\AppData\Local\Temp\0df3318d819d9ad6ebd2a967f1e98813_JaffaCakes118.exe startC:\Program Files (x86)\LP\07B9\C21.exe%C:\Program Files (x86)\LP\07B9
    PID: 3008
  - C:\Users\Admin\AppData\Local\Temp\0df3318d819d9ad6ebd2a967f1e98813_JaffaCakes118.exe
    command line: C:\Users\Admin\AppData\Local\Temp\0df3318d819d9ad6ebd2a967f1e98813_JaffaCakes118.exe startC:\Program Files (x86)\CA4E5\lvvm.exe%C:\Program Files (x86)\CA4E5
    PID: 2756
Network
MITRE ATT&CK Enterprise v15
Downloads