Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 149s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 09/07/2024, 09:09
Static task: static1
Behavioral task: behavioral1
- Sample: 2fc3938e7c3a626b209d0c859e4736f2_JaffaCakes118.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 2fc3938e7c3a626b209d0c859e4736f2_JaffaCakes118.exe
- Resource: win10v2004-20240704-en
General
- Target: 2fc3938e7c3a626b209d0c859e4736f2_JaffaCakes118.exe
- Size: 327KB
- MD5: 2fc3938e7c3a626b209d0c859e4736f2
- SHA1: 8bcd45d85ed8ed2a105952f1677673e711adf63b
- SHA256: 68518254186ecfa86797c7ee18425cada7b24da2c03f029a04fecff55419c1ae
- SHA512: 998b88d5a53826d9841a3ab1845e47544acdd27595a388a4ef86bf0705a5d90cd98bbbd9c51c2001f40e1d834f2ed653e4f6d69b3eeb92f44182d91e9e23fa9d
- SSDEEP: 6144:g7QnQKYfebCvP87yYJKKgBlLxYFFCMoi2AyCfFQ:gyQLfebCvPcyhBtxY7Gi2Ay
Malware Config
Signatures
- Deletes itself (1 IoCs)
  pid 2596, Process cmd.exe
- Executes dropped EXE (1 IoCs)
  pid 2008, Process bryjui.exe
- Loads dropped DLL (3 IoCs)
  pid 2596, Process cmd.exe; pid 2596, Process cmd.exe; pid 2008, Process bryjui.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Kills process with taskkill (1 IoCs)
  pid 2624, Process taskkill.exe
- Runs ping.exe (1 TTPs, 1 IoCs)
  pid 2644, Process PING.EXE
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 2008, Process bryjui.exe (64 identical entries)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description Token: SeDebugPrivilege; pid 2624, Process taskkill.exe
- Suspicious use of FindShellTrayWindow (4 IoCs)
  pid 2008, Process bryjui.exe (4 identical entries)
- Suspicious use of SendNotifyMessage (4 IoCs)
  pid 2008, Process bryjui.exe (4 identical entries)
- Suspicious use of WriteProcessMemory (16 IoCs)
  description: PID 2820 wrote to memory of 2596; pid 2820, Process 2fc3938e7c3a626b209d0c859e4736f2_JaffaCakes118.exe, procid_target 30 (4 identical entries)
  description: PID 2596 wrote to memory of 2624; pid 2596, Process cmd.exe, procid_target 32 (4 identical entries)
  description: PID 2596 wrote to memory of 2644; pid 2596, Process cmd.exe, procid_target 34 (4 identical entries)
  description: PID 2596 wrote to memory of 2008; pid 2596, Process cmd.exe, procid_target 35 (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\2fc3938e7c3a626b209d0c859e4736f2_JaffaCakes118.exe (level 1, PID:2820)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2fc3938e7c3a626b209d0c859e4736f2_JaffaCakes118.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (level 2, PID:2596)
    Command line: "C:\Windows\System32\cmd.exe" /c taskkill /f /pid 2820 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\2fc3938e7c3a626b209d0c859e4736f2_JaffaCakes118.exe" & start C:\Users\Admin\AppData\Local\bryjui.exe -f
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe (level 3, PID:2624)
      Command line: taskkill /f /pid 2820
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\PING.EXE (level 3, PID:2644)
      Command line: ping -n 3 127.1
      - Runs ping.exe
    - C:\Users\Admin\AppData\Local\bryjui.exe (level 3, PID:2008)
      Command line: C:\Users\Admin\AppData\Local\bryjui.exe -f
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 327KB
- MD5: 2fc3938e7c3a626b209d0c859e4736f2
- SHA1: 8bcd45d85ed8ed2a105952f1677673e711adf63b
- SHA256: 68518254186ecfa86797c7ee18425cada7b24da2c03f029a04fecff55419c1ae
- SHA512: 998b88d5a53826d9841a3ab1845e47544acdd27595a388a4ef86bf0705a5d90cd98bbbd9c51c2001f40e1d834f2ed653e4f6d69b3eeb92f44182d91e9e23fa9d