Analysis
max time kernel: 144s
max time network: 146s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 03/07/2024, 09:53
Static task: static1
Behavioral task: behavioral1
  Sample: 21ed24df3d75c79e02ac0bac6d417e12_JaffaCakes118.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 21ed24df3d75c79e02ac0bac6d417e12_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 21ed24df3d75c79e02ac0bac6d417e12_JaffaCakes118.exe
Size: 998KB
MD5: 21ed24df3d75c79e02ac0bac6d417e12
SHA1: 7001462efc1d8a4b2e24de6a857738e1c6782a7a
SHA256: 06a0bf53f8b924771e94825d071994af5b726b6a75daee092b0fe7fb1c9f5906
SHA512: b09ac507bd7279b0735314dacb51a5d80463fc1141569498a03c370cdb722f2752b7a99255c1baf1844cf8dc86670c4180cf7d0ab21642e4c68f2a2895307017
SSDEEP: 24576:BBXYfSfnaUKc/GFBRYyZa04vtL5U/JsIA2ztS:BBXWSfnaUK0GZZa0KcGO
Malware Config
Signatures
Deletes itself (1 IoC)
  pid 2888  cmd.exe
Executes dropped EXE (1 IoC)
  pid 2656  2222151.exe
Loads dropped DLL (4 IoCs)
  pid 2888  cmd.exe
  pid 2888  cmd.exe
  pid 2656  2222151.exe
  pid 2656  2222151.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str)  \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\21ed24df3d75c79e02ac0bac6d417e12_JaffaCakes118 = "\"C:\\Users\\Admin\\AppData\\Local\\2222151.exe\" 0 47 "  process: 21ed24df3d75c79e02ac0bac6d417e12_JaffaCakes118.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\2222151 = "\"C:\\Users\\Admin\\AppData\\Local\\2222151.exe\" 0 21 "  process: 2222151.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Modifies registry key (1 TTP, 1 IoC)
  pid 2124  reg.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 2656  2222151.exe
Suspicious use of FindShellTrayWindow (8 IoCs)
  pid 2656  2222151.exe  (8 identical entries)
Suspicious use of SendNotifyMessage (8 IoCs)
  pid 2656  2222151.exe  (8 identical entries)
Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1212 wrote to memory of 2888  1212 21ed24df3d75c79e02ac0bac6d417e12_JaffaCakes118.exe  target 28  (4 identical entries)
  PID 2888 wrote to memory of 2124  2888 cmd.exe  target 30  (4 identical entries)
  PID 2888 wrote to memory of 2656  2888 cmd.exe  target 31  (4 identical entries)
Processes
C:\Users\Admin\AppData\Local\Temp\21ed24df3d75c79e02ac0bac6d417e12_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\21ed24df3d75c79e02ac0bac6d417e12_JaffaCakes118.exe"
  PID: 1212
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\9631388.bat" "
    PID: 2888
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\reg.exe
      command line: reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v 21ed24df3d75c79e02ac0bac6d417e12_JaffaCakes118 /f
      PID: 2124
      - Modifies registry key
    C:\Users\Admin\AppData\Local\2222151.exe
      command line: C:\Users\Admin\AppData\Local\2222151.exe -i
      PID: 2656
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 438B
MD5: 2bba7d5d62905d1061cb522c6d1257c7
SHA1: 06a8775a01107689a1ace609011ae4de36d74484
SHA256: cc23841fa63b22750495afaed933c057edea068e873547f05e9f84719be9d752
SHA512: 0b15d3c7899a09b434d4fc7a4e7a723f062b98518493ebf9234330267c926c6ce36e02137ca836995c33995a42df5370717e88d07aaede28948c42ae71d3e675

Filesize: 998KB
MD5: 21ed24df3d75c79e02ac0bac6d417e12
SHA1: 7001462efc1d8a4b2e24de6a857738e1c6782a7a
SHA256: 06a0bf53f8b924771e94825d071994af5b726b6a75daee092b0fe7fb1c9f5906
SHA512: b09ac507bd7279b0735314dacb51a5d80463fc1141569498a03c370cdb722f2752b7a99255c1baf1844cf8dc86670c4180cf7d0ab21642e4c68f2a2895307017