Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
07/07/2024, 00:56
Static task
static1
Behavioral task
behavioral1
Sample
29a079948174116c25df96b80238c07f_JaffaCakes118.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
29a079948174116c25df96b80238c07f_JaffaCakes118.exe
Resource
win10v2004-20240704-en
General
-
Target
29a079948174116c25df96b80238c07f_JaffaCakes118.exe
-
Size
151KB
-
MD5
29a079948174116c25df96b80238c07f
-
SHA1
5e50326fa7e6ff9650971052adb8124eae0c621d
-
SHA256
992ba58cf87b4b307362ff41b64fc8f99c5186079f88ee5daf5b999f693af2db
-
SHA512
2dcdb67881f7ec9ae55631eabfc3385b3eaf9eeaf842565ce66feb56ca2bd3e125b97b74941b4d784e4a1c2216878a1b191c66fa64fd2a623c632259d973ee75
-
SSDEEP
3072:OfPyc9y35l5cFtSkkT53t+ImJvBKiuDTcZXah0YMq5kSs:O3V9y3/ctSkkTR7mzoWXYrC
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid Process 1652 cmd.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\freecpa.dll regsvr32.exe File opened for modification C:\Windows\SysWOW64\freecpa.dll regsvr32.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File created C:\Windows\OYA.bat 29a079948174116c25df96b80238c07f_JaffaCakes118.exe File created C:\Windows\IAI.bat 29a079948174116c25df96b80238c07f_JaffaCakes118.exe File created C:\Windows\VUX.dll 29a079948174116c25df96b80238c07f_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 1560 regsvr32.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1560 regsvr32.exe Token: SeDebugPrivilege 1560 regsvr32.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 2420 wrote to memory of 1560 2420 29a079948174116c25df96b80238c07f_JaffaCakes118.exe 30 PID 2420 wrote to memory of 1560 2420 29a079948174116c25df96b80238c07f_JaffaCakes118.exe 30 PID 2420 wrote to memory of 1560 2420 29a079948174116c25df96b80238c07f_JaffaCakes118.exe 30 PID 2420 wrote to memory of 1560 2420 29a079948174116c25df96b80238c07f_JaffaCakes118.exe 30 PID 2420 wrote to memory of 1560 2420 29a079948174116c25df96b80238c07f_JaffaCakes118.exe 30 PID 2420 wrote to memory of 1560 2420 29a079948174116c25df96b80238c07f_JaffaCakes118.exe 30 PID 2420 wrote to memory of 1560 2420 29a079948174116c25df96b80238c07f_JaffaCakes118.exe 30 PID 1560 wrote to memory of 1204 1560 regsvr32.exe 21 PID 2420 wrote to memory of 1652 2420 29a079948174116c25df96b80238c07f_JaffaCakes118.exe 31 PID 2420 wrote to memory of 1652 2420 29a079948174116c25df96b80238c07f_JaffaCakes118.exe 31 PID 2420 wrote to memory of 1652 2420 29a079948174116c25df96b80238c07f_JaffaCakes118.exe 31 PID 2420 wrote to memory of 1652 2420 29a079948174116c25df96b80238c07f_JaffaCakes118.exe 31 PID 2420 wrote to memory of 2232 2420 29a079948174116c25df96b80238c07f_JaffaCakes118.exe 32 PID 2420 wrote to memory of 2232 2420 29a079948174116c25df96b80238c07f_JaffaCakes118.exe 32 PID 2420 wrote to memory of 2232 2420 29a079948174116c25df96b80238c07f_JaffaCakes118.exe 32 PID 2420 wrote to memory of 2232 2420 29a079948174116c25df96b80238c07f_JaffaCakes118.exe 32
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1204
-
C:\Users\Admin\AppData\Local\Temp\29a079948174116c25df96b80238c07f_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\29a079948174116c25df96b80238c07f_JaffaCakes118.exe"2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe /s C:\Windows\VUX.dll3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1560
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Windows\OYA.bat" C:\Users\Admin\AppData\Local\Temp\29A079~1.EXE"3⤵
- Deletes itself
PID:1652
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Windows\IAI.bat" C:\Windows\VUX.dll"3⤵PID:2232
-
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
53B
MD5bd8acf285d4f871236e232fccfb16d38
SHA1271c40bdb1a4e92278756911016a0ad7b17b6914
SHA256b7b5ba6b72dc5e61ce416bd8a78ec3965bbcee380ac6e05ae95eca15ce2dafd7
SHA512349c7c0dbf2ddb920a6cf4ee510ffb05a382a10d5dfbd47a0aade44e2c8f30e94ebc11b06e6b56c08b661448087e2d4b4e699b7ce922a8344181f11d4cfe5fc1
-
Filesize
132KB
MD5a8e72bd0dc3ed31386071b9ec11c6ab7
SHA15b4e351310d2aa2b92ae15c6dce666efaac0b4a9
SHA2566112c4f46405cd336e93b148e33dfbda6eb0d9f3c32a63c8f727a6b48e2332c1
SHA5129f2ffcce239cee78694ef6a4f774fcdecb038ac87dad54ca3a7eb31dc062a988498201ec3aac0e5cb159324962750e67c0296ec10a35a84923e2130aee22e1f5