Analysis
- max time kernel: 142s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 03/07/2024, 16:47
Static task: static1
Behavioral task: behavioral1
- Sample: 2317f826534fde1723fecdc925185f8e_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 2317f826534fde1723fecdc925185f8e_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: 2317f826534fde1723fecdc925185f8e_JaffaCakes118.exe
- Size: 438KB
- MD5: 2317f826534fde1723fecdc925185f8e
- SHA1: 9eb2d5f2005b15db9b357c13ad3b8d14b0bfe400
- SHA256: 810c5c9481ac4aeb7cb339188894964a79b652ad603d34a55e81598d62ad8e45
- SHA512: ab3770052ec3328664148aa1c3ddb2ae637b89b7b9f987a158dd4d6190d4d8c2801e5e1d329419400fbed28a63e14e473f9a36d69b09ddca80795708543649af
- SSDEEP: 6144:cRRJnML+pdyFnKZ9fF/d5RsggXeNHmyLSpoLVDijud98gWNlPTGQQm6agrds:cLpA+pMFnKJ/5rgXMbSgGjukNtTirds
Malware Config
Signatures

Deletes itself (1 IoCs)
- pid 1140, process cmd.exe

Executes dropped EXE (1 IoCs)
- pid 2548, process Hacker.com.cn.exe

Writes to the Master Boot Record (MBR) (1 TTPs, 2 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
- File opened for modification: \??\PhysicalDrive0 (process: 2317f826534fde1723fecdc925185f8e_JaffaCakes118.exe)
- File opened for modification: \??\PhysicalDrive0 (process: Hacker.com.cn.exe)

Drops file in Windows directory (3 IoCs)
- File opened for modification: C:\Windows\Hacker.com.cn.exe (process: 2317f826534fde1723fecdc925185f8e_JaffaCakes118.exe)
- File created: C:\Windows\uninstal.bat (process: 2317f826534fde1723fecdc925185f8e_JaffaCakes118.exe)
- File created: C:\Windows\Hacker.com.cn.exe (process: 2317f826534fde1723fecdc925185f8e_JaffaCakes118.exe)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, pid 1956, process 2317f826534fde1723fecdc925185f8e_JaffaCakes118.exe
- Token: SeDebugPrivilege, pid 2548, process Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
- pid 2548, process Hacker.com.cn.exe

Suspicious use of WriteProcessMemory (11 IoCs)
- PID 2548 wrote to memory of 2936; pid 2548, process Hacker.com.cn.exe, procid_target 29 (4 entries)
- PID 1956 wrote to memory of 1140; pid 1956, process 2317f826534fde1723fecdc925185f8e_JaffaCakes118.exe, procid_target 30 (7 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\2317f826534fde1723fecdc925185f8e_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2317f826534fde1723fecdc925185f8e_JaffaCakes118.exe"
  PID: 1956
  - Writes to the Master Boot Record (MBR)
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c C:\Windows\uninstal.bat
    PID: 1140
    - Deletes itself
- C:\Windows\Hacker.com.cn.exe
  Command line: C:\Windows\Hacker.com.cn.exe
  PID: 2548
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
    PID: 2936
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 438KB
  MD5: 2317f826534fde1723fecdc925185f8e
  SHA1: 9eb2d5f2005b15db9b357c13ad3b8d14b0bfe400
  SHA256: 810c5c9481ac4aeb7cb339188894964a79b652ad603d34a55e81598d62ad8e45
  SHA512: ab3770052ec3328664148aa1c3ddb2ae637b89b7b9f987a158dd4d6190d4d8c2801e5e1d329419400fbed28a63e14e473f9a36d69b09ddca80795708543649af
- Filesize: 218B
  MD5: f85552b6c595282d26e3e22fb636ef17
  SHA1: db51dd2834f93c2ee184a6a46d9d477153a72f3d
  SHA256: 2780d6f373656f3c3ba801964da89f480e726436e642942b311c44a641040eef
  SHA512: 5b459f9bef98b6740806021c9373cb2a54eb8c835a08ccfa826dded3b3f14d9623e527bea3c03e1d17453c03c9a48ab5212de304ae27d5dc0ad5a78c7818afd1