Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 142s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 06/07/2024, 15:10
Static task: static1
Behavioral task: behavioral1
  Sample: 289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe
  Resource: win10v2004-20240704-en
General
- Target: 289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe
- Size: 607KB
- MD5: 289bdd184a7dbd1f02f3b35de92d8c04
- SHA1: 7cc34e320093129287d05a4cf33f41c1d5683c02
- SHA256: 5dceba157be9d2d78623211de8f4177ca9ac99356b444f291a0462f3f21e387f
- SHA512: c77c5b91fb6d20ee8b04c0206ea3450b05c40e0865a746ac9dd557f771451a66eca0b66e066880718daa6c0ef36671c7057ac3f38cb91665b9cf321339f96c38
- SSDEEP: 12288:Iam7zyxnVVejG4q0lAGiqT/QK87nE8UKeA9N47oVMm:IamvyWKHGiqT/q7nEaeW27oVN
Malware Config
Signatures
- Executes dropped EXE (4 IoCs)
  pid   Process
  1656  svchost.exe
  1944  289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe
  2536  svchost.exe
  3004  Au_.exe
- Loads dropped DLL (5 IoCs)
  pid   Process
  1656  svchost.exe
  1944  289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe
  3004  Au_.exe
  3004  Au_.exe
  3004  Au_.exe
- Drops file in Program Files directory (14 IoCs)
  description                   ioc                                                                                  Process
  File opened for modification  C:\Program Files\7-Zip\7zG.exe                                                       svchost.exe
  File opened for modification  C:\Program Files\Google\Chrome\Application\chrome_proxy.exe                          svchost.exe
  File opened for modification  C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe      svchost.exe
  File opened for modification  C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE                 svchost.exe
  File opened for modification  C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE  svchost.exe
  File opened for modification  C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe           svchost.exe
  File opened for modification  C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe    svchost.exe
  File opened for modification  C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe        svchost.exe
  File opened for modification  C:\Program Files\7-Zip\Uninstall.exe                                                 svchost.exe
  File opened for modification  C:\Program Files\Google\Chrome\Application\chrome.exe                                svchost.exe
  File opened for modification  C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe    svchost.exe
  File opened for modification  C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe      svchost.exe
  File opened for modification  C:\Program Files\7-Zip\7z.exe                                                        svchost.exe
  File opened for modification  C:\Program Files\7-Zip\7zFM.exe                                                      svchost.exe
- Drops file in Windows directory (1 IoC)
  description   ioc                     Process
  File created  C:\Windows\svchost.exe  289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- NSIS installer (2 IoCs)
  resource                                      yara_rule
  behavioral1/files/0x000b000000018671-10.dat   nsis_installer_1
  behavioral1/files/0x000b000000018671-10.dat   nsis_installer_2
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  3004  Au_.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  description                       pid   Process                                             procid_target
  PID 2552 wrote to memory of 1656  2552  289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe  30
  PID 2552 wrote to memory of 1656  2552  289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe  30
  PID 2552 wrote to memory of 1656  2552  289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe  30
  PID 2552 wrote to memory of 1656  2552  289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe  30
  PID 1656 wrote to memory of 1944  1656  svchost.exe                                         31
  PID 1656 wrote to memory of 1944  1656  svchost.exe                                         31
  PID 1656 wrote to memory of 1944  1656  svchost.exe                                         31
  PID 1656 wrote to memory of 1944  1656  svchost.exe                                         31
  PID 1656 wrote to memory of 1944  1656  svchost.exe                                         31
  PID 1656 wrote to memory of 1944  1656  svchost.exe                                         31
  PID 1656 wrote to memory of 1944  1656  svchost.exe                                         31
  PID 1944 wrote to memory of 3004  1944  289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe  33
  PID 1944 wrote to memory of 3004  1944  289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe  33
  PID 1944 wrote to memory of 3004  1944  289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe  33
  PID 1944 wrote to memory of 3004  1944  289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe  33
  PID 1944 wrote to memory of 3004  1944  289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe  33
  PID 1944 wrote to memory of 3004  1944  289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe  33
  PID 1944 wrote to memory of 3004  1944  289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe  33
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe"
  PID: 2552
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\svchost.exe
    Command line: "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe"
    PID: 1656
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Users\Admin\AppData\Local\Temp\289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe"
      PID: 1944
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - [depth 4] C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
        PID: 3004
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious behavior: GetForegroundWindowSpam
- [depth 1] C:\Windows\svchost.exe
  Command line: C:\Windows\svchost.exe
  PID: 2536
  - Executes dropped EXE
  - Drops file in Program Files directory
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 582B
  MD5: d26dcb6bfa4b4c31960d6eb17e6caaef
  SHA1: 80f8fa285214c2d635d0c57c8da0a1840c5170d6
  SHA256: 0549599a12d292673d9101464428feba93ce4026423040d84a8be360f9b60734
  SHA512: acfb06b2fc6c8f65f657d7c03787aa9cc1e2686968908f63769cd08b0685013602d3d7d34e1c2a7d11cbddba77e011a2772391611838424bdc03b4f902eae5cb
- Filesize: 35KB
  MD5: 9e3c13b6556d5636b745d3e466d47467
  SHA1: 2ac1c19e268c49bc508f83fe3d20f495deb3e538
  SHA256: 20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8
  SHA512: 5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b
- Filesize: 571KB
  MD5: 0b0aa621e74bdd37d35f8f08a639bcb3
  SHA1: b83cf71fdc7823a22b08d3764f44bf8873946a63
  SHA256: 8b1e4e6e9d5732fd1a0492808946debac7d46b545bf1b2640b64e0ff4e601f9c
  SHA512: a2ea86ee0c734ad9c5eb4e3289c7467f31b29289c8e7bb709a8aeac4737bed7d9eaa47c70f697d5c20f705afbabb7b22c1e8a1d8fa86ca835a30b6ea34b1b96d
- Filesize: 14KB
  MD5: 0dc0cc7a6d9db685bf05a7e5f3ea4781
  SHA1: 5d8b6268eeec9d8d904bc9d988a4b588b392213f
  SHA256: 8e287326f1cdd5ef2dcd7a72537c68cbe4299ceb1f820707c5820f3aa6d8206c
  SHA512: 814dd17ebb434f4a3356f716c783ab7f569f9ee34ce5274fa50392526925f044798f8006198ac7afe3d1c2ca83a2ca8c472ca53fec5f12bbfbbe0707abacd6b0
- Filesize: 11KB
  MD5: 00a0194c20ee912257df53bfe258ee4a
  SHA1: d7b4e319bc5119024690dc8230b9cc919b1b86b2
  SHA256: dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3
  SHA512: 3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667
- Filesize: 17KB
  MD5: 09caf01bc8d88eeb733abc161acff659
  SHA1: b8c2126d641f88628c632dd2259686da3776a6da
  SHA256: 3555afe95e8bb269240a21520361677b280562b802978fccfb27490c79b9a478
  SHA512: ef1e8fc4fc8f5609483b2c459d00a47036699dfb70b6be6f10a30c5d2fc66bae174345bffa9a44abd9ca029e609ff834d701ff6a769cca09fe5562365d5010fa