Analysis
max time kernel: 143s
max time network: 118s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 27/06/2024, 17:44
Static task
static1
Behavioral task
behavioral1
Sample
16ea7aa887731711eaa9b1a5ea16cbcd_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
16ea7aa887731711eaa9b1a5ea16cbcd_JaffaCakes118.exe
Resource
win10v2004-20240611-en
General
Target: 16ea7aa887731711eaa9b1a5ea16cbcd_JaffaCakes118.exe
Size: 169KB
MD5: 16ea7aa887731711eaa9b1a5ea16cbcd
SHA1: 5cd80bde8b1ebb7799a2391d69ac7b77fa986e51
SHA256: 1a3c06fc73d6797ef88e7a71b9541515564a7ee9e041b6b949e838eab5e160aa
SHA512: 2bea59055a67b20784f3d80fc419563704d445b9693482c335b0660cdbde6326e23e55a5f050af3153bb41dae49111af13ff52024168f275e9ba29fc00a9b4fe
SSDEEP: 3072:jDhGp7Uo0+yDugLH//07iDKHIHmRNABHYGqGIw2soU+GRNx2N2ydV51rS4y:wBczDud7SKHIGfABRqpp3U+as2ID
Malware Config
Signatures

Deletes itself (1 IoC)
  pid   Process
  1732  cmd.exe

Executes dropped EXE (1 IoC)
  pid   Process
  2604  qonythwml.exe

Loads dropped DLL (7 IoCs)
  pid   Process
  1732  cmd.exe
  1732  cmd.exe
  2604  qonythwml.exe
  2604  qonythwml.exe
  1344  WerFault.exe
  1344  WerFault.exe
  1344  WerFault.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Program crash (2 IoCs)
  pid   pid_target  Process       procid_target
  2324  1504        WerFault.exe  27
  1344  2604        WerFault.exe  34

Kills process with taskkill (1 IoC)
  pid   Process
  1284  taskkill.exe

Runs ping.exe (1 TTP, 1 IoC)
  pid   Process
  2580  PING.EXE

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  1284  taskkill.exe

Suspicious use of FindShellTrayWindow (3 IoCs)
  pid   Process        count
  2604  qonythwml.exe  3

Suspicious use of SendNotifyMessage (3 IoCs)
  pid   Process        count
  2604  qonythwml.exe  3

Suspicious use of WriteProcessMemory (24 IoCs)
  description                       pid   Process                                             procid_target  count
  PID 1504 wrote to memory of 1732  1504  16ea7aa887731711eaa9b1a5ea16cbcd_JaffaCakes118.exe  28             4
  PID 1504 wrote to memory of 2324  1504  16ea7aa887731711eaa9b1a5ea16cbcd_JaffaCakes118.exe  30             4
  PID 1732 wrote to memory of 1284  1732  cmd.exe                                             31             4
  PID 1732 wrote to memory of 2580  1732  cmd.exe                                             33             4
  PID 1732 wrote to memory of 2604  1732  cmd.exe                                             34             4
  PID 2604 wrote to memory of 1344  2604  qonythwml.exe                                       37             4
Processes

C:\Users\Admin\AppData\Local\Temp\16ea7aa887731711eaa9b1a5ea16cbcd_JaffaCakes118.exe  (PID 1504)
  Command line: "C:\Users\Admin\AppData\Local\Temp\16ea7aa887731711eaa9b1a5ea16cbcd_JaffaCakes118.exe"
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe  (PID 1732)
    Command line: "C:\Windows\System32\cmd.exe" /c taskkill /f /pid 1504 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\16ea7aa887731711eaa9b1a5ea16cbcd_JaffaCakes118.exe" & start C:\Users\Admin\AppData\Local\QONYTH~1.EXE -f
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\taskkill.exe  (PID 1284)
      Command line: taskkill /f /pid 1504
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\PING.EXE  (PID 2580)
      Command line: ping -n 3 127.1
      - Runs ping.exe

    C:\Users\Admin\AppData\Local\qonythwml.exe  (PID 2604)
      Command line: C:\Users\Admin\AppData\Local\QONYTH~1.EXE -f
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\WerFault.exe  (PID 1344)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 524
        - Loads dropped DLL
        - Program crash

  C:\Windows\SysWOW64\WerFault.exe  (PID 2324)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1504 -s 480
    - Program crash
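The cmd.exe node above is a common self-deletion idiom: taskkill terminates the parent (the original sample, PID 1504), ping -n 3 127.1 (127.1 is the abbreviated loopback address) serves as a roughly two-second delay so the parent's file handle is released, del removes the original from %TEMP%, and start launches the dropped copy from %LOCALAPPDATA% via its 8.3 short name QONYTH~1.EXE. Note also that the cmd.exe image sits in SysWOW64 while the command line names System32: the 32-bit parent is subject to WoW64 file system redirection, so image path and command line legitimately disagree. The following is an added detection example, not part of the tria.ge report, that splits a cmd.exe /c chain into its stages and raises a finding only when the kill or delete stage targets the process's own parent. The event records and the benign control are constructed to mirror the tree above, and the pid/ppid/image/cmdline field names are assumptions about the sensor format.

```python
"""Flag the 'kill parent, delay with ping, delete parent, start dropped copy' chain
seen in the process tree above, over constructed process-creation events."""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # image path as the sensor recorded it (SysWOW64 for redirected 32-bit launches)
    cmdline: str    # command line as the sensor recorded it


# Constructed sample events modelled on the tree above; not a real sensor feed.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(1504, 1000,
              r"C:\Users\Admin\AppData\Local\Temp\16ea7aa887731711eaa9b1a5ea16cbcd_JaffaCakes118.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\16ea7aa887731711eaa9b1a5ea16cbcd_JaffaCakes118.exe"'),
    ProcEvent(1732, 1504, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c taskkill /f /pid 1504 & ping -n 3 127.1 & '
              r'del /f /q "C:\Users\Admin\AppData\Local\Temp\16ea7aa887731711eaa9b1a5ea16cbcd_JaffaCakes118.exe" & '
              r'start C:\Users\Admin\AppData\Local\QONYTH~1.EXE -f'),
    ProcEvent(1284, 1732, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /f /pid 1504"),
    ProcEvent(2580, 1732, r"C:\Windows\SysWOW64\PING.EXE", "ping -n 3 127.1"),
    ProcEvent(2604, 1732, r"C:\Users\Admin\AppData\Local\qonythwml.exe",
              r"C:\Users\Admin\AppData\Local\QONYTH~1.EXE -f"),
    # Benign control: a cleanup job that deletes a log file, not its own parent image.
    ProcEvent(2999, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(3001, 2999, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c del /f /q "C:\Temp\old.log" & ping -n 2 127.0.0.1'),
]

# Accept cmd, cmd.exe, or a full (possibly quoted) path to cmd.exe, followed by /c or /k.
CMD_SHELL_RE = re.compile(r'^\s*"?(?:[A-Za-z]:\\[^"]*\\)?cmd(?:\.exe)?"?\s+/[ck]\s+(.*)$', re.I | re.S)
TASKKILL_RE = re.compile(r'^taskkill(?:\.exe)?\b.*?/pid\s+(\d+)', re.I)
# ping against any loopback spelling (127.1, 127.0.0.1, localhost, ::1) used as a sleep.
PING_DELAY_RE = re.compile(r'^ping(?:\.exe)?\b.*?\s(?:127(?:\.\d{1,3}){1,3}|localhost|::1)\b', re.I)
DEL_RE = re.compile(r'^(?:del|erase)\b(.*)$', re.I)
START_RE = re.compile(r'^start\b(.*)$', re.I)


def split_chain(cmdline: str) -> List[str]:
    """Split a cmd.exe /c (or /k) command line into its chained commands.
    Splits on & and && only; a & inside a quoted argument would also be split,
    which is acceptable for a detector that only needs the leading verb of each stage."""
    m = CMD_SHELL_RE.match(cmdline)
    if not m:
        return []
    return [p.strip() for p in re.split(r'\s*&&?\s*', m.group(1)) if p.strip()]


def basename(path: str) -> str:
    """Lower-cased final path component, quotes stripped."""
    return re.split(r'[\\/]', path.strip().strip('"'))[-1].lower()


def analyze(events: List[ProcEvent]) -> List[Dict]:
    """Return one finding per cmd.exe chain that kills and/or deletes its own parent."""
    by_pid = {e.pid: e for e in events}
    findings: List[Dict] = []
    for ev in events:
        stages = split_chain(ev.cmdline)
        parent = by_pid.get(ev.ppid)
        if not stages or parent is None:
            continue
        hits: Dict[str, str] = {}
        uses_8dot3 = False
        for stage in stages:
            if (m := TASKKILL_RE.match(stage)) and int(m.group(1)) == parent.pid:
                hits["kills_parent"] = stage
            elif PING_DELAY_RE.match(stage):
                hits["loopback_delay"] = stage
            elif (m := DEL_RE.match(stage)) and basename(parent.image) in m.group(1).lower():
                hits["deletes_parent_image"] = stage
            elif (m := START_RE.match(stage)):
                hits["relaunches"] = stage
                # 8.3 short names (QONYTH~1.EXE) defeat naive full-name string matches;
                # resolve them on the host before comparing against allow/deny lists.
                uses_8dot3 = "~" in m.group(1)
        # Only the self-targeting stages are the discriminator; del/ping alone are routine.
        if "kills_parent" in hits or "deletes_parent_image" in hits:
            findings.append({
                "pid": ev.pid, "ppid": ev.ppid, "stages": hits,
                "uses_8dot3_name": uses_8dot3,
                "verdict": "self-delete-and-relaunch" if "relaunches" in hits else "self-delete",
            })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"pid {f['pid']} (parent {f['ppid']}): {f['verdict']}, 8.3 name: {f['uses_8dot3_name']}")
        for name, stage in f["stages"].items():
            print(f"  {name}: {stage}")
```

Matching on the parent relationship rather than on the verbs alone is what keeps the benign cleanup job out of the results: del and ping-as-sleep are everywhere in admin scripts, but a child shell that kills and deletes the exact image that spawned it is not. On a real sensor feed the parent image should be taken from the process-creation event, not derived from the command line, and 8.3 short names should be expanded on the host before any path comparison.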
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 169KB
MD5: 16ea7aa887731711eaa9b1a5ea16cbcd
SHA1: 5cd80bde8b1ebb7799a2391d69ac7b77fa986e51
SHA256: 1a3c06fc73d6797ef88e7a71b9541515564a7ee9e041b6b949e838eab5e160aa
SHA512: 2bea59055a67b20784f3d80fc419563704d445b9693482c335b0660cdbde6326e23e55a5f050af3153bb41dae49111af13ff52024168f275e9ba29fc00a9b4fe