Analysis
- max time kernel: 150s
- max time network: 138s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 10/07/2024, 09:23
Static task: static1
Behavioral task: behavioral1
  Sample: 342321b1065f87917827380efe8ad094_JaffaCakes118.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 342321b1065f87917827380efe8ad094_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
- Target: 342321b1065f87917827380efe8ad094_JaffaCakes118.exe
- Size: 303KB
- MD5: 342321b1065f87917827380efe8ad094
- SHA1: 43fc49d5741cad3c614babb0ef705906435dfdd9
- SHA256: b35693cc33425fd215c0ccb37102525976cab2701a90dfd8b68a707aa220e1b8
- SHA512: 1d3fef881e215090de8f47c5a6acfee197ce832d9e3bf642f97157f39c98b2c2860fe92fe7f161bcdb5f9ecd6b563d0a5b6e2566ac34aea2258b3765a6d142b5
- SSDEEP: 6144:7aFbxM0wB442mNFzpKbkYAs/Cnem80uZd:7N/lpzssB8Rd
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 2040  process cmd.exe
- Executes dropped EXE (1 IoC)
  pid 2464  process yrasys.exe
- Loads dropped DLL (1 IoC)
  pid 2336  process 342321b1065f87917827380efe8ad094_JaffaCakes118.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\{3109E6C8-6F84-AD4F-D756-D1AEF6AEF2B3} = "C:\\Users\\Admin\\AppData\\Roaming\\Ojkiv\\yrasys.exe"  process yrasys.exe
- Suspicious use of SetThreadContext (1 IoC)
  PID 2336 (342321b1065f87917827380efe8ad094_JaffaCakes118.exe) set thread context of 2040  procid_target 31
- Modifies Internet Explorer settings (2 IoCs)
  Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Privacy  process 342321b1065f87917827380efe8ad094_JaffaCakes118.exe
  Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"  process 342321b1065f87917827380efe8ad094_JaffaCakes118.exe
- Suspicious behavior: EnumeratesProcesses (31 IoCs)
  pid 2464  process yrasys.exe  (31 identical events)
- Suspicious use of UnmapMainImage (2 IoCs)
  pid 2336  process 342321b1065f87917827380efe8ad094_JaffaCakes118.exe
  pid 2464  process yrasys.exe
- Suspicious use of WriteProcessMemory (38 IoCs, collapsed by writer/target pair)
  source PID  source process                                        target PID  procid_target  count
  2336        342321b1065f87917827380efe8ad094_JaffaCakes118.exe   2464        30             4
  2464        yrasys.exe                                            1096        19             5
  2464        yrasys.exe                                            1168        20             5
  2464        yrasys.exe                                            1204        21             5
  2464        yrasys.exe                                            2044        23             5
  2464        yrasys.exe                                            2336        29             5
  2336        342321b1065f87917827380efe8ad094_JaffaCakes118.exe   2040        31             9
Processes (image path, command line, PID; nesting shows parent/child)
- C:\Windows\system32\taskhost.exe  ("taskhost.exe")  PID 1096
- C:\Windows\system32\Dwm.exe  ("C:\Windows\system32\Dwm.exe")  PID 1168
- C:\Windows\Explorer.EXE  (C:\Windows\Explorer.EXE)  PID 1204
  - C:\Users\Admin\AppData\Local\Temp\342321b1065f87917827380efe8ad094_JaffaCakes118.exe  ("C:\Users\Admin\AppData\Local\Temp\342321b1065f87917827380efe8ad094_JaffaCakes118.exe")  PID 2336
    signatures: Loads dropped DLL; Suspicious use of SetThreadContext; Modifies Internet Explorer settings; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Ojkiv\yrasys.exe  ("C:\Users\Admin\AppData\Roaming\Ojkiv\yrasys.exe")  PID 2464
      signatures: Executes dropped EXE; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe  ("C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpc57f9031.bat")  PID 2040
      signatures: Deletes itself
- C:\Windows\system32\DllHost.exe  (C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683})  PID 2044

The cmd.exe image path is C:\Windows\SysWOW64\cmd.exe although its command line names system32: the launch was redirected by WoW64 file-system redirection, which is what happens when a 32-bit process on the x64 image spawns a system binary. The "Deletes itself" signature is attributed to that cmd.exe because it runs the dropped batch file in %TEMP%, the usual way a dropper removes its original file after yrasys.exe has been written to AppData\Roaming.
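The SetThreadContext, UnmapMainImage and WriteProcessMemory signatures only make sense read against the process tree: who created whom, and who writes into whom. The script below is an added example written for this page, not Triage's code. It takes the report's own cross-process events (repeated lines collapsed to a count) and the parent/child relations from the tree, and labels each writer/target pair. The labels are this editor's reading of the API combinations (a parent that writes into a child it just created and then replaces the child's thread context is the classic hollowing sequence; writes into long-running processes it did not create are plain injection), not a classification the report itself makes, and WriteProcessMemory alone is also used by debuggers and some security products, so the output is a triage aid rather than a verdict.

```python
import re
from collections import Counter

# Process tree as the report lists it: pid -> (image name, parent pid). taskhost, Dwm,
# Explorer and DllHost are shown as root processes, so their parent is None here.
PROCESSES = {
    1096: ("taskhost.exe", None),
    1168: ("Dwm.exe", None),
    1204: ("Explorer.EXE", None),
    2044: ("DllHost.exe", None),
    2336: ("342321b1065f87917827380efe8ad094_JaffaCakes118.exe", 1204),
    2464: ("yrasys.exe", 2336),
    2040: ("cmd.exe", 2336),
}

# Cross-process events in the one-line form the report prints, as (line, repeat count).
# All lines and counts are the report's; nothing in this list is constructed.
EVENTS = [
    ("PID 2336 set thread context of 2040 2336 342321b1065f87917827380efe8ad094_JaffaCakes118.exe 31", 1),
    ("PID 2336 wrote to memory of 2464 2336 342321b1065f87917827380efe8ad094_JaffaCakes118.exe 30", 4),
    ("PID 2464 wrote to memory of 1096 2464 yrasys.exe 19", 5),
    ("PID 2464 wrote to memory of 1168 2464 yrasys.exe 20", 5),
    ("PID 2464 wrote to memory of 1204 2464 yrasys.exe 21", 5),
    ("PID 2464 wrote to memory of 2044 2464 yrasys.exe 23", 5),
    ("PID 2464 wrote to memory of 2336 2464 yrasys.exe 29", 5),
    ("PID 2336 wrote to memory of 2040 2336 342321b1065f87917827380efe8ad094_JaffaCakes118.exe 31", 9),
]

EVENT_RE = re.compile(r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) ")


def parent_of(pid):
    return PROCESSES.get(pid, (None, None))[1]


def verdict(src, dst, ops):
    """Relate one writer/target pair to the process tree and name the pattern.

    The labels are the editor's interpretation of the API combination, not a family
    attribution: writing into a freshly created child and then setting its thread context
    is the hollowing / thread-hijack sequence; writing into a process the writer did not
    create is cross-process injection; writing into the parent is a hand-off back to it.
    """
    if parent_of(dst) == src and "set thread context of" in ops:
        return "thread hijack of own child (hollowing pattern)"
    if parent_of(dst) == src:
        return "wrote into own child"
    if parent_of(src) == dst:
        return "wrote into own parent"
    return "injection into unrelated running process"


def injection_chains(events=EVENTS):
    """Collapse raw events into one record per (source, target) pair, with a verdict."""
    edges = {}
    for line, repeat in events:
        m = EVENT_RE.match(line)
        if not m:
            continue  # not a cross-process event line
        src, op, dst = int(m.group(1)), m.group(2), int(m.group(3))
        counter = edges.setdefault((src, dst), Counter())
        counter[op] += repeat
    chains = []
    for (src, dst) in sorted(edges):
        ops = edges[(src, dst)]
        chains.append({
            "src": src, "src_name": PROCESSES[src][0],
            "dst": dst, "dst_name": PROCESSES.get(dst, ("?", None))[0],
            "ops": dict(ops),
            "verdict": verdict(src, dst, ops),
        })
    return chains


if __name__ == "__main__":
    for c in injection_chains():
        print(f"{c['src']} {c['src_name']} -> {c['dst']} {c['dst_name']}: {c['ops']} => {c['verdict']}")
```

Run against the report's events this yields seven pairs whose write counts sum to the 38 IoCs the signature reports: the sample (2336) stages the dropped yrasys.exe (2464) and hijacks the thread of its cmd.exe child (2040); yrasys.exe then writes into the four pre-existing system processes (taskhost, Dwm, Explorer, the DllHost COM surrogate) and back into its parent. If you feed the same script a report where a parent writes into a child but never calls SetThreadContext, the child is labelled "wrote into own child" only, which is the distinction worth checking before calling something hollowing.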
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 271B
  MD5: 895580b42836c372044d0a16a8c04466
  SHA1: 1f9669ad3b8d89efe0efcd699db2b2f622df40af
  SHA256: dd9d0804854df4539ad0415e82e5a8c54b7d5f4dbd37561c0dfc0df788eb3bb4
  SHA512: 01c0a435f8c2f17b2fa353284f96db242cac38c72cc639baf04b96e1389bb5727150697156502735977e426545da44035fa713a7ad36ecb7e84e7580836bf200
- Filesize: 303KB
  MD5: 95cb2406af03afe8aadf73e3520e9801
  SHA1: c196640517523aeb2230975b9b66a95a47ce232a
  SHA256: 526a17459620e8214e73fab5fe09c8790b16887e8dfd0a9a883ae08f7cf1ade7
  SHA512: f0254d29f4b8f94c456126407ad365d03970b57f166e1c388d851e7ecc0534376c66d91850bc884ac39c588f0fc09e278d677ab555bd25bfff0191456168ad20