Analysis
max time kernel: 141s
max time network: 119s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 28/06/2024, 05:48
Static task: static1
Behavioral task: behavioral1
  Sample: 1902d2fb07fd303208824e070a491a14_JaffaCakes118.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 1902d2fb07fd303208824e070a491a14_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 1902d2fb07fd303208824e070a491a14_JaffaCakes118.exe
Size: 1.0MB
MD5: 1902d2fb07fd303208824e070a491a14
SHA1: c8d4f562bb1441188a33401c736e95c87d9fae8f
SHA256: 05d4d6d0f15dec78b1b4a418b8081b720245dd92f09fb32f4f69c6af9d39a8df
SHA512: 0a21e11de4c87b814f8817338c272ca33b51c7d9472d6bf849a9dec423eb4738eb2fd26c59f918e72f898d71c5c7383e8829391dcd2931f511e0cb16ed64200b
SSDEEP: 24576:w/Af7uuZB2MiMKLv7kLxOPdERHrqPiBfhcvLMc2h:w4CuZhiv6gP8H+4c2h
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  PID 2600  defender.exe
Loads dropped DLL (2 IoCs)
  PID 2436  1902d2fb07fd303208824e070a491a14_JaffaCakes118.exe
  PID 2436  1902d2fb07fd303208824e070a491a14_JaffaCakes118.exe
YARA rule upx matched in memory dumps of PID 2600 (4 IoCs)
  behavioral1/memory/2600-20-0x0000000000400000-0x0000000000A6C000-memory.dmp
  behavioral1/memory/2600-22-0x0000000000400000-0x00000000011C1000-memory.dmp
  behavioral1/memory/2600-25-0x0000000000400000-0x0000000000A6C000-memory.dmp
  behavioral1/memory/2600-24-0x0000000000400000-0x00000000011C1000-memory.dmp
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only) by defender.exe: \??\O:, \??\P:, \??\U:, \??\Y:, \??\Z:, \??\L:, \??\M:, \??\K:, \??\N:, \??\S:, \??\E:, \??\G:, \??\Q:, \??\R:, \??\H:, \??\I:, \??\V:, \??\W:, \??\X:, \??\J:, \??\T:
Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
File opened for modification by defender.exe: \??\PhysicalDrive0
The IoC is a raw-disk handle opened with write access. That is consistent with a sector-0 write but does not by itself show what, if anything, was written; confirm by comparing sector 0 of the post-run disk image against a clean baseline before classifying the sample as a bootkit.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
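The raw-disk and MBR findings above are the kind a responder verifies against a disk image rather than trusting the sandbox signature alone. The following is an added example, not part of the tria.ge report and not the sample's code: it parses a 512-byte sector 0 (bootstrap code, four 16-byte partition entries at offset 446, 0x55AA signature at offset 510) and diffs a clean baseline against a post-run copy. The two MBR fixtures are constructed in the block; the bootstrap bytes and the single partition entry are assumptions for illustration, not data from this analysis.

```python
import hashlib
import struct

MBR_SIZE = 512
PART_TABLE_OFF = 446
# status, CHS start (3 bytes, skipped), type, CHS end (3 bytes, skipped), LBA start, sector count
PART_ENTRY_FMT = "<B3xB3xII"
SIG_OFF = 510


def parse_mbr(sector: bytes) -> dict:
    """Split sector 0 into bootstrap-code hash, raw partition table and decoded entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    signature = struct.unpack_from("<H", sector, SIG_OFF)[0]  # bytes 55 AA read as LE 0xAA55
    partitions = []
    for slot in range(4):
        off = PART_TABLE_OFF + slot * 16
        status, ptype, lba_start, count = struct.unpack_from(PART_ENTRY_FMT, sector, off)
        if ptype == 0:  # empty slot
            continue
        partitions.append({"slot": slot, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {
        "signature_ok": signature == 0xAA55,
        "bootcode_sha256": hashlib.sha256(sector[:PART_TABLE_OFF]).hexdigest(),
        "partition_table": sector[PART_TABLE_OFF:SIG_OFF].hex(),
        "partitions": partitions,
    }


def diff_mbr(baseline: bytes, current: bytes) -> dict:
    """Compare a known-good sector 0 with one acquired after the sample ran.
    A bootkit typically replaces the bootstrap code but keeps the partition
    table intact so the machine still boots; a wiper breaks both."""
    a, b = parse_mbr(baseline), parse_mbr(current)
    return {
        "bootcode_changed": a["bootcode_sha256"] != b["bootcode_sha256"],
        "partition_table_changed": a["partition_table"] != b["partition_table"],
        "signature_ok": b["signature_ok"],
    }


def build_mbr(bootcode: bytes, partitions) -> bytes:
    """Assemble a synthetic sector 0 (test fixture, not a real disk image)."""
    body = bootcode[:PART_TABLE_OFF].ljust(PART_TABLE_OFF, b"\x00")
    table = b"".join(struct.pack(PART_ENTRY_FMT, *entry) for entry in partitions)
    return body + table.ljust(64, b"\x00") + b"\x55\xAA"


# Constructed fixtures (assumption): a stock-looking bootstrap prologue and one
# bootable type-0x07 partition starting at LBA 2048, 409600 sectors long.
CLEAN_BOOTCODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C\x8E\xC0\x8E\xD8\xBE\x00\x7C" + b"\x90" * 16
PARTITIONS = [(0x80, 0x07, 2048, 409600)]
CLEAN_MBR = build_mbr(CLEAN_BOOTCODE, PARTITIONS)
# Same partition table, different bootstrap code: the shape a bootkit overwrite leaves.
TAMPERED_MBR = build_mbr(b"\xEB\x1E" + b"\x00" * 30, PARTITIONS)

if __name__ == "__main__":
    print(parse_mbr(CLEAN_MBR))
    print(diff_mbr(CLEAN_MBR, TAMPERED_MBR))
```

To run this against a real host, acquire sector 0 from the disk image (or, on a live Windows box with administrator rights, read 512 bytes from \\.\PhysicalDrive0) and feed the bytes to diff_mbr together with a baseline captured before detonation. Hashing only the first 446 bytes keeps the comparison stable across legitimate partition-table edits.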
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 2600  defender.exe  (x2)
Suspicious use of FindShellTrayWindow (3 IoCs)
  PID 2600  defender.exe  (x3)
Suspicious use of SendNotifyMessage (3 IoCs)
  PID 2600  defender.exe  (x3)
Suspicious use of WriteProcessMemory (4 IoCs)
  PID 2436 (1902d2fb07fd303208824e070a491a14_JaffaCakes118.exe) wrote to memory of PID 2600, procid_target 28  (x4)
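The signature tables above reduce to three facts a triage rule can key on: one process sweeps drive-letter roots, the same process opens PhysicalDrive0 for modification, and its parent wrote into its memory before it ran. The following is an added example, not tria.ge code and not the sample's code: it takes the report's (description, IoC, process) records and the WriteProcessMemory records, both reconstructed inline from the tables on this page, and produces the per-process findings a responder would want. The minimum drive count for flagging enumeration (5) and the verdict wording are assumptions, not report fields.

```python
import re
from collections import defaultdict

# Records constructed from the report's own tables, in its column order
# (description, IoC, process). The 21 drive roots are the ones listed above.
DRIVE_LETTERS = "OPUYZLMKNSEGQRHIVWXJT"
FILE_EVENTS = [("File opened (read-only)", f"\\??\\{d}:", "defender.exe") for d in DRIVE_LETTERS]
FILE_EVENTS.append(("File opened for modification", "\\??\\PhysicalDrive0", "defender.exe"))

# WriteProcessMemory records: (source PID, source process, target PID), four identical rows
WPM_EVENTS = [(2436, "1902d2fb07fd303208824e070a491a14_JaffaCakes118.exe", 2600)] * 4

# NT object-manager paths as the sandbox reports them
DRIVE_ROOT_RE = re.compile(r"^\\\?\?\\([A-Z]):$")
PHYSICAL_DRIVE_RE = re.compile(r"^\\\?\?\\PhysicalDrive(\d+)$", re.IGNORECASE)


def classify_path(ioc: str):
    """Map a reported path to ('drive_root', letter), ('physical_drive', n) or None."""
    m = DRIVE_ROOT_RE.match(ioc)
    if m:
        return ("drive_root", m.group(1))
    m = PHYSICAL_DRIVE_RE.match(ioc)
    if m:
        return ("physical_drive", int(m.group(1)))
    return None


def triage(file_events, wpm_events, min_drives=5):
    """Aggregate raw records into per-process findings (min_drives is an assumed threshold)."""
    drives = defaultdict(set)       # process -> set of drive letters touched
    raw_disk_write = set()          # processes that opened a physical drive for modification
    raw_disk_read = set()           # processes that only read a physical drive
    children = defaultdict(set)     # source PID -> PIDs it wrote into
    for desc, ioc, proc in file_events:
        kind = classify_path(ioc)
        if kind is None:
            continue
        if kind[0] == "drive_root":
            drives[proc].add(kind[1])
        elif "modification" in desc:
            raw_disk_write.add(proc)
        else:
            raw_disk_read.add(proc)
    for src_pid, _src_name, dst_pid in wpm_events:
        children[src_pid].add(dst_pid)
    return {
        "drive_enumeration": {p: len(s) for p, s in drives.items() if len(s) >= min_drives},
        "raw_disk_write": sorted(raw_disk_write),
        "raw_disk_read": sorted(raw_disk_read),
        "process_tree": {p: sorted(c) for p, c in children.items()},
    }


def verdict(findings):
    """Escalate when a single process both sweeps drive letters and writes raw disk."""
    sweepers = set(findings["drive_enumeration"])
    writers = set(findings["raw_disk_write"])
    if sweepers & writers:
        return "escalate: drive sweep plus raw disk write (bootkit or wiper pattern)"
    return "review"


if __name__ == "__main__":
    result = triage(FILE_EVENTS, WPM_EVENTS)
    print(result)
    print(verdict(result))
```

The rule deliberately keys on the combination rather than either event alone: backup agents and disk utilities enumerate drive letters, and imaging tools open physical drives, but a freshly dropped binary in AppData\Roaming doing both in one run is what warrants pulling the disk image.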
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\1902d2fb07fd303208824e070a491a14_JaffaCakes118.exe  (PID 2436)
   Command line: "C:\Users\Admin\AppData\Local\Temp\1902d2fb07fd303208824e070a491a14_JaffaCakes118.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\defender.exe  (PID 2600, child of 2436)
      Command line: "C:\Users\Admin\AppData\Roaming\defender.exe"
      - Executes dropped EXE
      - Enumerates connected drives
      - Writes to the Master Boot Record (MBR)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 928KB
MD5: aa22e20b540eb40879f1749c3c36ee0f
SHA1: 20aecb3226fc7dc485e86364b79b6fd4fc32b6a8
SHA256: c50aad64113a8b46b780ed4c8b10ead9eee0fbf7bb76caa6f8de3ca9cda6f389
SHA512: a53c9864f096b742556cd54c5f8f4824054f8139ee9e63d0b7b0afce612e9548da742eed355adfc27a6419912fa0e3e34297a395810d899fd5a398a7348f965c