Analysis
- max time kernel: 121s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 25/06/2024, 12:32
Static task: static1
Behavioral task: behavioral1
- Sample: 0e164845833decea7bcf5ea7ff3f68de_JaffaCakes118.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 0e164845833decea7bcf5ea7ff3f68de_JaffaCakes118.exe
- Resource: win10v2004-20240611-en
General
- Target: 0e164845833decea7bcf5ea7ff3f68de_JaffaCakes118.exe
- Size: 20KB
- MD5: 0e164845833decea7bcf5ea7ff3f68de
- SHA1: 84cde72064677e0e76eba4ee3e040244b1197cd9
- SHA256: 3ddcdf2d0e1afa87ca2b55d96775691cd33a31bd84543ee1081488bd7f99eed9
- SHA512: 1befd80db6ecd968b84cdef3a6f919ae79a2209da8c3a6bfa6a2f0bb939871b7695cce2af3023c9445aab071ca372631255a0da13ec654c61234b282a5f995a4
- SSDEEP: 384:PU398UjtZC+tBagAlugVRyuOS3E8/kWzfzwdH2zS7EY6U0Qtd:q91vMlugVTBESTzwozkEY6U5
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 1920, process cmd.exe
- Executes dropped EXE (1 IoC)
  pid 2848, process Sysmsge.exe
- Loads dropped DLL (3 IoCs)
  pid 2380, process 0e164845833decea7bcf5ea7ff3f68de_JaffaCakes118.exe (2 entries)
  pid 2848, process Sysmsge.exe (1 entry)
- Drops file in System32 directory (2 IoCs)
  File created: C:\Windows\SysWOW64\sysmon.dll, process 0e164845833decea7bcf5ea7ff3f68de_JaffaCakes118.exe
  File created: C:\Windows\SysWOW64\Sysmsge.exe, process 0e164845833decea7bcf5ea7ff3f68de_JaffaCakes118.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeIncBasePriorityPrivilege, pid 2380, process 0e164845833decea7bcf5ea7ff3f68de_JaffaCakes118.exe
- Suspicious use of SetWindowsHookEx (6 IoCs)
  pid 2380, process 0e164845833decea7bcf5ea7ff3f68de_JaffaCakes118.exe (2 entries)
  pid 2848, process Sysmsge.exe (4 entries)
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2380 (0e164845833decea7bcf5ea7ff3f68de_JaffaCakes118.exe) wrote to memory of 2848, procid_target 28 (4 entries)
  PID 2380 (0e164845833decea7bcf5ea7ff3f68de_JaffaCakes118.exe) wrote to memory of 1920, procid_target 29 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\0e164845833decea7bcf5ea7ff3f68de_JaffaCakes118.exe (PID 2380)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0e164845833decea7bcf5ea7ff3f68de_JaffaCakes118.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\Sysmsge.exe (PID 2848)
    Command line: "C:\Windows\system32\Sysmsge.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\cmd.exe (PID 1920)
    Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\0E1648~1.EXE > nul
    - Deletes itself
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 36KB
  MD5: a454d8e984fa9dee17d92b7cd0ddc557
  SHA1: 1a0836cd4538bcaae05968430c9a401b07b8ad7e
  SHA256: 15f83d14eaa7ffeedf1d251f7e84c2668245278f71d4a3deab5a16afb43a7731
  SHA512: 27d62aff81f6159b466a9dbd31bfae8cceb00d1d540a1340fe2bed73d2c2bf62dc354a17fe876c615ebf8cb953ef212a0186299cf38d0c6cdc1d58951c55f41f
- Filesize: 20KB
  MD5: 07bc73c1bd4b6658cef9130603b62569
  SHA1: 79270b1d53542a33da395b5c91d8850ae7c99928
  SHA256: 88005a77b27e7a685381adca91b577e5678f40dfdce66c45cb1a8b5ba2068e56
  SHA512: 56c12c1a3c51f673bd9785cd0e667aa6316043d9ebfcf7b760f6b82b538219a796a82f2aa57f74075410e33618d88bb5bc8144e0a743de03324e14ee3e6f467b