Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
130s -
max time network
131s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
11/07/2024, 21:30 UTC
Static task
static1
Behavioral task
behavioral1
Sample
3ac80ff075325879d39098766427d623_JaffaCakes118.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
3ac80ff075325879d39098766427d623_JaffaCakes118.exe
Resource
win10v2004-20240709-en
General
-
Target
3ac80ff075325879d39098766427d623_JaffaCakes118.exe
-
Size
48KB
-
MD5
3ac80ff075325879d39098766427d623
-
SHA1
52df3ecab8c407f1e7b90a7070224fefe6679e91
-
SHA256
0a6b0930b3b54f5cd5e640e259f27f3feb089785619e1b2ec9abeb1c2ce0834d
-
SHA512
f7ac8f9ce751d9df8ffa3a9e947d04ae15be71808cf902715f90267f80a3908c5ca0dcaff0a9254ed14775a2447800adffe22080d04827e57c997050012abc9e
-
SSDEEP
1536:nxQP4OUMAFlmsDZVn5Yxbz+YRYOzyuqout:xQP4OUMYlmsDrajtlq
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid Process 2104 cmd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 3 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\webmedia.chl\CLSID 3ac80ff075325879d39098766427d623_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\webmedia.chl 3ac80ff075325879d39098766427d623_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\webmedia.chl\CLSID\ = "{F00E59F9-65EA-4BAC-AD14-FAFEE832151B}" 3ac80ff075325879d39098766427d623_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 1680 3ac80ff075325879d39098766427d623_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 1680 wrote to memory of 2496 1680 3ac80ff075325879d39098766427d623_JaffaCakes118.exe 30 PID 1680 wrote to memory of 2496 1680 3ac80ff075325879d39098766427d623_JaffaCakes118.exe 30 PID 1680 wrote to memory of 2496 1680 3ac80ff075325879d39098766427d623_JaffaCakes118.exe 30 PID 1680 wrote to memory of 2496 1680 3ac80ff075325879d39098766427d623_JaffaCakes118.exe 30 PID 1680 wrote to memory of 2104 1680 3ac80ff075325879d39098766427d623_JaffaCakes118.exe 33 PID 1680 wrote to memory of 2104 1680 3ac80ff075325879d39098766427d623_JaffaCakes118.exe 33 PID 1680 wrote to memory of 2104 1680 3ac80ff075325879d39098766427d623_JaffaCakes118.exe 33 PID 1680 wrote to memory of 2104 1680 3ac80ff075325879d39098766427d623_JaffaCakes118.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\3ac80ff075325879d39098766427d623_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\3ac80ff075325879d39098766427d623_JaffaCakes118.exe"1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Windows\SysWOW64\ctfmon.exectfmon.exe2⤵PID:2496
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\xzbA48A.cmd" "2⤵
- Deletes itself
PID:2104
-
Network
- No results found
-
152 B 3
-
152 B 3
-
152 B 3
-
152 B 3
-
152 B 3
-
152 B 3
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
304B
MD541586b9563545710b49f9a30c737108a
SHA1c19c5ceb70a54cff7d956a94f03f1d020a53ee3e
SHA25627cce3544e2a105c519d6c8affceea69bbdf93e24dcee6b81cf11f53ddb23275
SHA512aade9b4034af0524e8dca9321f386c7ddf81d67f0f6e1379cef7ae0238aa890c8b6892507ded3d81c83f048397fbb48af116909bd880dae2fa13ec818b185e2d