Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 149s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 27/06/2024, 05:18
Static task: static1
Behavioral task: behavioral1
- Sample: 14ce222f58a5252d8a8edcc01f7cf9d7_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 14ce222f58a5252d8a8edcc01f7cf9d7_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: 14ce222f58a5252d8a8edcc01f7cf9d7_JaffaCakes118.exe
- Size: 64KB
- MD5: 14ce222f58a5252d8a8edcc01f7cf9d7
- SHA1: 5d1d4a7f3b0e1a0041b193e562f78cf9eb467d27
- SHA256: 102dfd59166c4c43e467ce0641f1d3046dc353d195c08d964cad84b1b2ba67e9
- SHA512: 195ae14ce40677ea8fc57361067aa8797a7c3736017661b23d9348e0c2f19d96668922336130d9cf454883e9356819975933d854b5df8c945f9fb948b16fb2e0
- SSDEEP: 768:A/5inm+cd5rHemPXkqUEphjVuvios1rPr4adL0NqlJMU60+ppQ1TTGfLCl:ARsvcdcQjosnvnZ6LQ1Ee
Malware Config
Extracted
- Protocol: ftp
- Host: ftp.tripod.com
- Port: 21
- Username: griptoloji
- Password: 741852
Signatures
- Executes dropped EXE (1 IoC)
  pid 2172, process jusched.exe
- Loads dropped DLL (2 IoCs)
  pid 2344, process 14ce222f58a5252d8a8edcc01f7cf9d7_JaffaCakes118.exe (2 identical entries)
- Drops file in Program Files directory (3 IoCs)
  File created: C:\Program Files (x86)\Java\jre-09\bin\jusched.exe, process 14ce222f58a5252d8a8edcc01f7cf9d7_JaffaCakes118.exe
  File opened for modification: C:\Program Files (x86)\Java\jre-09\bin\jusched.exe, process 14ce222f58a5252d8a8edcc01f7cf9d7_JaffaCakes118.exe
  File created: C:\Program Files (x86)\Java\jre-09\bin\UF, process 14ce222f58a5252d8a8edcc01f7cf9d7_JaffaCakes118.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 2172, process jusched.exe (64 identical entries)
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 2344 (14ce222f58a5252d8a8edcc01f7cf9d7_JaffaCakes118.exe) wrote to memory of PID 2172, procid_target 28 (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\14ce222f58a5252d8a8edcc01f7cf9d7_JaffaCakes118.exe (PID 2344)
  Command line: "C:\Users\Admin\AppData\Local\Temp\14ce222f58a5252d8a8edcc01f7cf9d7_JaffaCakes118.exe"
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  - Child: C:\Program Files (x86)\Java\jre-09\bin\jusched.exe (PID 2172)
    Command line: "C:\Program Files (x86)\Java\jre-09\bin\jusched.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 64KB
- MD5: dfc1200ccc8a533d91aebe392da364a0
- SHA1: 04e635a7c9c8b6921b15fd335f1676445081946b
- SHA256: ce90cae3b4ed993c01c7be164f5983fa77f34ceecdd068c59e14c18daf1b2d4b
- SHA512: fbfcce40511d604b7d24cf903387491a86769adee989f0e9c3a7fb724e6bb6f0b4fc2d7f1b7092843c75057f51760dc4e6283e707466a3b9003bfed3044002ed