Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 118s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 01/07/2024, 09:25
Static task: static1
Behavioral task: behavioral1
  Sample: 1ac1e3a0c3a89b9b68edd643cbd31c84_JaffaCakes118.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 1ac1e3a0c3a89b9b68edd643cbd31c84_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
- Target: 1ac1e3a0c3a89b9b68edd643cbd31c84_JaffaCakes118.exe
- Size: 356KB
- MD5: 1ac1e3a0c3a89b9b68edd643cbd31c84
- SHA1: 1cf6e58fdbe469fd407c609b1d8fb937dc19beb7
- SHA256: 465df717a695839c99130b55a93d42a45c1c9102d9c31d6268635e188246c11c
- SHA512: 55132fe4f5c2461a7e23917553d41ba43e999506109aaab2e9633f3b843f8b21a320354262a24a2cb47c99038a36863d26c45e6d8382d5fca625a4f7027f18e5
- SSDEEP: 6144:kYfr7UVj6F1KvDTFISAW1RJd0WvDQFY3/T9tofBTaEmHjKZHSwFj+jo:VsW3KvDTDf0SMFYPZufBTzIjy5+jo
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  pid   Process
  1656  aaa.exe
- Loads dropped DLL (3 IoCs)
  pid   Process
  2424  1ac1e3a0c3a89b9b68edd643cbd31c84_JaffaCakes118.exe
  2424  1ac1e3a0c3a89b9b68edd643cbd31c84_JaffaCakes118.exe
  1656  aaa.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  Process: 1ac1e3a0c3a89b9b68edd643cbd31c84_JaffaCakes118.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  1656  aaa.exe
  1656  aaa.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  description                       pid   Process                                              procid_target
  PID 2424 wrote to memory of 1656  2424  1ac1e3a0c3a89b9b68edd643cbd31c84_JaffaCakes118.exe  28
  PID 2424 wrote to memory of 1656  2424  1ac1e3a0c3a89b9b68edd643cbd31c84_JaffaCakes118.exe  28
  PID 2424 wrote to memory of 1656  2424  1ac1e3a0c3a89b9b68edd643cbd31c84_JaffaCakes118.exe  28
  PID 2424 wrote to memory of 1656  2424  1ac1e3a0c3a89b9b68edd643cbd31c84_JaffaCakes118.exe  28
  PID 2424 wrote to memory of 1656  2424  1ac1e3a0c3a89b9b68edd643cbd31c84_JaffaCakes118.exe  28
  PID 2424 wrote to memory of 1656  2424  1ac1e3a0c3a89b9b68edd643cbd31c84_JaffaCakes118.exe  28
  PID 2424 wrote to memory of 1656  2424  1ac1e3a0c3a89b9b68edd643cbd31c84_JaffaCakes118.exe  28
  PID 1656 wrote to memory of 1192  1656  aaa.exe                                              21
  PID 1656 wrote to memory of 1192  1656  aaa.exe                                              21
  PID 1656 wrote to memory of 1192  1656  aaa.exe                                              21
  PID 1656 wrote to memory of 1192  1656  aaa.exe                                              21
Processes
1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   PID: 1192
   2. C:\Users\Admin\AppData\Local\Temp\1ac1e3a0c3a89b9b68edd643cbd31c84_JaffaCakes118.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1ac1e3a0c3a89b9b68edd643cbd31c84_JaffaCakes118.exe"
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      PID: 2424
      3. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aaa.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aaa.exe
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of WriteProcessMemory
         PID: 1656
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 31KB
  MD5: 77e68babe788ba43cd5183f018a475b9
  SHA1: 62ddae924e02c6f58b48afd4537b89fb4ef23927
  SHA256: 87d409caf5d3f8981a4ae7e927525b70a7d97d168cba16bdf38baaf76b6e24f8
  SHA512: 4336f228422768d954d1391cf560e0ff1156b71decff7ed2501690fa8dc4ca4d32d7c2bbe4c4050d6ddcc9bed55895a0aa1bc0a430003a1a4743b53866ed9fb3