Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 148s
max time network: 151s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 05/07/2024, 14:36
Static task: static1
Behavioral task: behavioral1
  Sample: 26f97eb79f7217579fcef497133a5178_JaffaCakes118.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 26f97eb79f7217579fcef497133a5178_JaffaCakes118.exe
  Resource: win10v2004-20240704-en
General
Target: 26f97eb79f7217579fcef497133a5178_JaffaCakes118.exe
Size: 743KB
MD5: 26f97eb79f7217579fcef497133a5178
SHA1: 8544305857d33d6b88502dc0a527a21dc4175f25
SHA256: e56da3f5db3bafec7d4b26ee19bcfcc8b1f5e01155b35ced32373fea7bf0e3fd
SHA512: fe7d45088c03e6b38dd32b2052cca24d5165f765f1089094203588612af254431246be483ed2b71cb3326882b036343a5dfc880c51f578c60ecfaef97fe5be1f
SSDEEP: 12288:T/5pooFT7xMgKvLvruqQ5+uWXdyFlQh9FRvJQSVc0xK7gTENepZP:Txm+xMRvLvXduVI/T0gTvp
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
  pid   Process
  2556  tmp.exe
  2616  R_Server.exe

Loads dropped DLL (4 IoCs)
  pid   Process
  1660  26f97eb79f7217579fcef497133a5178_JaffaCakes118.exe (4 occurrences)

Drops file in Program Files directory (4 IoCs)
  description                   ioc                                                              Process
  File opened for modification  C:\Program Files\Common Files\Microsoft Shared\MSInfo\tmp.exe       26f97eb79f7217579fcef497133a5178_JaffaCakes118.exe
  File created                  C:\Program Files\Common Files\Microsoft Shared\MSInfo\R_Server.exe  26f97eb79f7217579fcef497133a5178_JaffaCakes118.exe
  File opened for modification  C:\Program Files\Common Files\Microsoft Shared\MSInfo\R_Server.exe  26f97eb79f7217579fcef497133a5178_JaffaCakes118.exe
  File created                  C:\Program Files\Common Files\Microsoft Shared\MSInfo\tmp.exe       26f97eb79f7217579fcef497133a5178_JaffaCakes118.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  2556  tmp.exe (64 occurrences)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2616  R_Server.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description                       pid   Process                                              procid_target
  PID 1660 wrote to memory of 2556  1660  26f97eb79f7217579fcef497133a5178_JaffaCakes118.exe  31 (4 occurrences)
  PID 1660 wrote to memory of 2616  1660  26f97eb79f7217579fcef497133a5178_JaffaCakes118.exe  32 (4 occurrences)
Processes
[1] C:\Users\Admin\AppData\Local\Temp\26f97eb79f7217579fcef497133a5178_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\26f97eb79f7217579fcef497133a5178_JaffaCakes118.exe"
    PID: 1660
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    [2] C:\Program Files\Common Files\Microsoft Shared\MSInfo\tmp.exe
        Command line: "C:\Program Files\Common Files\Microsoft Shared\MSInfo\tmp.exe"
        PID: 2556
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
    [2] C:\Program Files\Common Files\Microsoft Shared\MSInfo\R_Server.exe
        Command line: "C:\Program Files\Common Files\Microsoft Shared\MSInfo\R_Server.exe" -NetStat
        PID: 2616
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Download 1
  Filesize: 30.7MB
  MD5: f5bf22328235e4750c4bde9b3640c47c
  SHA1: 6e422a1cfd392b56d85e163a9be8467d75927f62
  SHA256: 862b11c9c7d75929c755ac2904c325f25ac315c1da0855384110493f2e2e5ccf
  SHA512: 31bc05640a3c32e94888fdc862041b5d7bb59a07f5e78cd4f0fb9f3da27e4a7ee1e70802ef71ff031d63242467e7f55483b97235f0225651c64838fec3da6241
Download 2
  Filesize: 30.0MB
  MD5: 61910644e9560ebea70adc93af6c7f9e
  SHA1: e110bafedefb8db4b092349c5412367fe3669422
  SHA256: 0145df902adcc046e1a99fb05e52b12d46d69dace736159a7295afa600754853
  SHA512: fb42e43a7eac0ddb2704dc4f1956091eb74b3295c2f272d6426399f9d8401fdb6df4ce0a4afa16f0b4780b1b898fa702f0187ffda902b67a3e0da1cb1d32f488