Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 140s
max time network: 122s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 09/07/2024, 21:14
Static task: static1
Behavioral task: behavioral1
  Sample: 31ffdcf9db6f4adb0a48751fab8b30b4_JaffaCakes118.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 31ffdcf9db6f4adb0a48751fab8b30b4_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
Target: 31ffdcf9db6f4adb0a48751fab8b30b4_JaffaCakes118.exe
Size: 292KB
MD5: 31ffdcf9db6f4adb0a48751fab8b30b4
SHA1: d350e6998ee8b9f35f4b46a38dfe3553cb722e2c
SHA256: 3c4e582214f06af76d67619585bc68331f8d55c77c74b66445e66865f020249f
SHA512: ad25fc9d0d49cb024c657ad300e447ac3f76703e715fb6f1ff573abe22c7cea64dc20f0d50b67ce899f9c20ce8db88ddd3028e74320b61c51d56a7843739e03b
SSDEEP: 6144:ryH7xOc6H5c6HcT66vlmuJCoDgGDpPsr6h5jUJea:rac3sk6vgz
Malware Config
Signatures
Executes dropped EXE (3 IoCs)
  PID   Process
  2096  svchost.exe
  2396  31ffdcf9db6f4adb0a48751fab8b30b4_JaffaCakes118.exe
  2548  svchost.exe

Loads dropped DLL (1 IoCs)
  PID   Process
  2096  svchost.exe
Drops file in Program Files directory (44 IoCs)
  description: File opened for modification (all 44 entries)
  Process: svchost.exe (the dropped C:\Windows\svchost.exe; PID 2548 in the process tree below)
  ioc:
    C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe
    C:\Program Files\7-Zip\7zFM.exe
    C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe
    C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe
    C:\Program Files\7-Zip\Uninstall.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe
    C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
    C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe
    C:\Program Files\7-Zip\7zG.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe
    C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\java.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe
    C:\Program Files\7-Zip\7z.exe
    C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe
    C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe
    C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
Drops file in Windows directory (1 IoCs)
  description   ioc                     Process
  File created  C:\Windows\svchost.exe  31ffdcf9db6f4adb0a48751fab8b30b4_JaffaCakes118.exe
Modifies Internet Explorer settings (1 IoCs)
  description  ioc                                                                                                                   Process
  Key created  \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Main  31ffdcf9db6f4adb0a48751fab8b30b4_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx (4 IoCs)
  PID   Process
  2396  31ffdcf9db6f4adb0a48751fab8b30b4_JaffaCakes118.exe  (reported 4 times)

Suspicious use of WriteProcessMemory (8 IoCs)
  description                       pid   Process                                              procid_target
  PID 1412 wrote to memory of 2096  1412  31ffdcf9db6f4adb0a48751fab8b30b4_JaffaCakes118.exe  30  (reported 4 times)
  PID 2096 wrote to memory of 2396  2096  svchost.exe                                          31  (reported 4 times)
Processes
  C:\Users\Admin\AppData\Local\Temp\31ffdcf9db6f4adb0a48751fab8b30b4_JaffaCakes118.exe  (PID 1412)
    command line: "C:\Users\Admin\AppData\Local\Temp\31ffdcf9db6f4adb0a48751fab8b30b4_JaffaCakes118.exe"
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\Windows\svchost.exe  (PID 2096, child of 1412)
      command line: "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\31ffdcf9db6f4adb0a48751fab8b30b4_JaffaCakes118.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\31ffdcf9db6f4adb0a48751fab8b30b4_JaffaCakes118.exe  (PID 2396, child of 2096)
        command line: "C:\Users\Admin\AppData\Local\Temp\31ffdcf9db6f4adb0a48751fab8b30b4_JaffaCakes118.exe"
        - Executes dropped EXE
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx
  C:\Windows\svchost.exe  (PID 2548, separate top-level process; no parent shown in the report)
    command line: C:\Windows\svchost.exe
    - Executes dropped EXE
    - Drops file in Program Files directory
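The behaviour recorded in the signatures and process tree above, replayed through a few hunt rules as an added example. This is not code from tria.ge or from the sample's analysis: the PIDs, image paths and command lines are taken from the report, while the rule names, the THRESHOLD value, the event field names and the subset of the 44 Program Files paths are assumptions made here for the example.

```python
"""Added example; not part of the tria.ge report or its sandbox code.

Replays the process and file events recorded above through four hunt rules
(svchost.exe outside System32/SysWOW64, svchost.exe without services.exe as
parent, an .exe created directly in C:\Windows by a user-profile process,
and one process opening THRESHOLD+ Program Files executables for write).
Records and field names are constructed from the report (subset of the 44
Program Files paths); THRESHOLD and the rule names are this script's own.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: Optional[int]  # None where the report shows no parent
    image: str
    cmdline: str


@dataclass(frozen=True)
class FileEvent:
    pid: int
    action: str  # "File created" or "File opened for modification"
    path: str


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\31ffdcf9db6f4adb0a48751fab8b30b4_JaffaCakes118.exe")
DROPPED = r"C:\Windows\svchost.exe"

# Process tree as reported: 1412 -> 2096 -> 2396, plus 2548 with no parent shown.
PROCESSES: List[ProcessEvent] = [
    ProcessEvent(1412, None, SAMPLE, f'"{SAMPLE}"'),
    ProcessEvent(2096, 1412, DROPPED, f'"{DROPPED}" "{SAMPLE}"'),
    ProcessEvent(2396, 2096, SAMPLE, f'"{SAMPLE}"'),
    ProcessEvent(2548, None, DROPPED, DROPPED),
]

# Constructed subset of the 44 "File opened for modification" IoCs.
JDK = r"C:\Program Files\Java\jdk1.7.0_80\bin"
CHROME = r"C:\Program Files\Google\Chrome\Application"
FILE_EVENTS: List[FileEvent] = [FileEvent(1412, "File created", DROPPED)] + [
    FileEvent(2548, "File opened for modification", p) for p in (
        JDK + r"\jar.exe", JDK + r"\java.exe", JDK + r"\javac.exe",
        JDK + r"\javaw.exe", JDK + r"\jdb.exe", JDK + r"\jps.exe",
        r"C:\Program Files\7-Zip\7z.exe", r"C:\Program Files\7-Zip\7zFM.exe",
        r"C:\Program Files\7-Zip\7zG.exe", CHROME + r"\chrome.exe",
        CHROME + r"\chrome_proxy.exe",
        CHROME + r"\106.0.5249.119\elevation_service.exe",
    )
]

SYSTEM_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
THRESHOLD = 10  # assumed tuning value; raise it for hosts that run installers


def _split(path: str):
    """Return (directory, basename) of a Windows path, both lower-cased."""
    directory, _, basename = path.lower().rpartition("\\")
    return directory, basename


def hunt(processes, file_events, threshold=THRESHOLD) -> List[Dict]:
    """Run all four rules and return one finding dict per hit."""
    findings = []
    by_pid = {p.pid: p for p in processes}
    for p in processes:
        directory, basename = _split(p.image)
        if basename != "svchost.exe":
            continue
        if directory not in SYSTEM_SVCHOST_DIRS:
            findings.append({"rule": "svchost_outside_system32",
                             "pid": p.pid, "image": p.image})
        parent = by_pid.get(p.ppid) if p.ppid is not None else None
        if parent is None or _split(parent.image)[1] != "services.exe":
            findings.append({"rule": "svchost_unexpected_parent", "pid": p.pid,
                             "parent": parent.image if parent else None})
    modified = Counter()  # pid -> Program Files executables opened for write
    for f in file_events:
        directory, basename = _split(f.path)
        proc = by_pid.get(f.pid)
        if (f.action == "File created" and directory == r"c:\windows"
                and basename.endswith(".exe") and proc is not None
                and "\\users\\" in proc.image.lower()):
            findings.append({"rule": "exe_dropped_in_windows",
                             "pid": f.pid, "path": f.path})
        elif (f.action == "File opened for modification"
              and basename.endswith(".exe")
              and directory.startswith(r"c:\program files")):
            modified[f.pid] += 1
    for pid, count in modified.items():
        if count >= threshold:
            findings.append({"rule": "program_files_mass_modify",
                             "pid": pid, "count": count})
    return findings


def rules_for(findings, pid):
    """Sorted rule names that fired for one PID."""
    return sorted(f["rule"] for f in findings if f["pid"] == pid)
```

On a live host the constructed lists would be replaced by process-creation and file-create events from Sysmon or an EDR. Note that the parent rule needs the parent image: the report shows none for PID 2548, so it is recorded as None here and the rule fires; an EDR feed would supply the real parent and the rule should be re-checked against it.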
Network
MITRE ATT&CK Enterprise v15
Downloads
  File 1
    Filesize: 257KB
    MD5: d9eefeba4a66c6fd2b615a2eb3b3f939
    SHA1: 10684d83a67662798f95b0f883546d16a4b411dc
    SHA256: fc55c2467a983bfcaafea3a9bc74259c8fcb82761b064925263013c33ca61124
    SHA512: 4b76110cff62d0c240484cfd57ecdaf75b29e9b7bbc506167ea40b3aab34ea022f5443ba4fc44e474ff61d2f6b3e8cb53ff3ff575e5b10fa49e1480861bf07a5
  File 2
    Filesize: 35KB
    MD5: 9e3c13b6556d5636b745d3e466d47467
    SHA1: 2ac1c19e268c49bc508f83fe3d20f495deb3e538
    SHA256: 20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8
    SHA512: 5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b