Analysis
max time kernel: 140s
max time network: 119s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 03/07/2024, 17:28
Static task: static1
Behavioral task: behavioral1
  Sample: 2332223da5df70d3aca429110788a845_JaffaCakes118.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 2332223da5df70d3aca429110788a845_JaffaCakes118.exe
  Resource: win10v2004-20240611-en
General
Target: 2332223da5df70d3aca429110788a845_JaffaCakes118.exe
Size: 710KB
MD5: 2332223da5df70d3aca429110788a845
SHA1: bc4209d87e86d075b0b924028d2c11f9a76dc5ef
SHA256: 6fa28dee8ab219054d3fd6bb80c3cb720c705498e49eac98eecc3c41405cc3ea
SHA512: b01d72c81f61cb2c17583d5af4d60479f6cdf5f27e9aec6ad3f2f44038c7aea487bd4b4b502379a2069b94152b11e055a4340a7ae6bd7811d301996a9c3f2294
SSDEEP: 12288:za3XiuigTQYphbR3ndDGpJJpVAGOJXkUo+bJtWXghaPo1XE/YaFBatBbqfnQes:zanHn8qh9MpRVKJXkU9bDNbwgBenO
Malware Config
Signatures

Executes dropped EXE (3 IoCs)
  pid | Process
  2060 | svchost.exe
  1808 | 2332223da5df70d3aca429110788a845_JaffaCakes118.exe
  2096 | svchost.exe

Loads dropped DLL (1 IoC)
  pid | Process
  2060 | svchost.exe

Drops file in Program Files directory (14 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe | svchost.exe
  File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe | svchost.exe
  File opened for modification | C:\Program Files\7-Zip\7z.exe | svchost.exe
  File opened for modification | C:\Program Files\7-Zip\7zG.exe | svchost.exe
  File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe | svchost.exe
  File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | svchost.exe
  File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe | svchost.exe
  File opened for modification | C:\Program Files\7-Zip\7zFM.exe | svchost.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | svchost.exe
  File opened for modification | C:\Program Files\Google\Chrome\Application\chrome.exe | svchost.exe
  File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | svchost.exe
  File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe | svchost.exe
  File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | svchost.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE | svchost.exe

Drops file in Windows directory (1 IoC)
  description | ioc | Process
  File created | C:\Windows\svchost.exe | 2332223da5df70d3aca429110788a845_JaffaCakes118.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (11 IoCs)
  description | pid | Process | procid_target
  PID 1748 wrote to memory of 2060 | 1748 | 2332223da5df70d3aca429110788a845_JaffaCakes118.exe | 28
  PID 1748 wrote to memory of 2060 | 1748 | 2332223da5df70d3aca429110788a845_JaffaCakes118.exe | 28
  PID 1748 wrote to memory of 2060 | 1748 | 2332223da5df70d3aca429110788a845_JaffaCakes118.exe | 28
  PID 1748 wrote to memory of 2060 | 1748 | 2332223da5df70d3aca429110788a845_JaffaCakes118.exe | 28
  PID 2060 wrote to memory of 1808 | 2060 | svchost.exe | 29
  PID 2060 wrote to memory of 1808 | 2060 | svchost.exe | 29
  PID 2060 wrote to memory of 1808 | 2060 | svchost.exe | 29
  PID 2060 wrote to memory of 1808 | 2060 | svchost.exe | 29
  PID 2060 wrote to memory of 1808 | 2060 | svchost.exe | 29
  PID 2060 wrote to memory of 1808 | 2060 | svchost.exe | 29
  PID 2060 wrote to memory of 1808 | 2060 | svchost.exe | 29
Processes

C:\Users\Admin\AppData\Local\Temp\2332223da5df70d3aca429110788a845_JaffaCakes118.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2332223da5df70d3aca429110788a845_JaffaCakes118.exe"
  PID: 1748
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory

  C:\Windows\svchost.exe (depth 2)
    Command line: "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\2332223da5df70d3aca429110788a845_JaffaCakes118.exe"
    PID: 2060
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\2332223da5df70d3aca429110788a845_JaffaCakes118.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\2332223da5df70d3aca429110788a845_JaffaCakes118.exe"
      PID: 1808
      - Executes dropped EXE

C:\Windows\svchost.exe (depth 1)
  Command line: C:\Windows\svchost.exe
  PID: 2096
  - Executes dropped EXE
  - Drops file in Program Files directory
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 35KB
MD5: 8ad0c91179cc96cf5c96007f46717eb7
SHA1: 367a87ac57ddc558ca35f9161e3c13ae4971d658
SHA256: 528cd37789ed96d2c2a5008db280a769ea6a72afe15a322039cc444203c60084
SHA512: 49802da8f61dacb8d9c20d3f4f6a81e8d35b3cc0365a83b8f8bfc753a50459e70da86b61a21308715d0e552cdc6d97f4b9e7fc6bc8c5b5210ced74d6b995ad82

Filesize: 675KB
MD5: d6089e10f30111c4c14af916edfe648f
SHA1: 64d89a3fc3fbb8daeaf20eb0455b49ddcac094e5
SHA256: c88dc3a5952723397224814eaef3a8a4603034ddc21269dfe6d0d9be016dff8b
SHA512: 1fde6b4aa4f054809da51f28d9b1d42b791703b47212d1a499322e66960deb114dd487b373d8150720543581bb281c287ea51d3549753eb3aa6ab8f88bcedd33