Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
140s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
11/07/2024, 00:25
Static task
static1
Behavioral task
behavioral1
Sample
3700da46b72b0d70032dfc574c9340d3_JaffaCakes118.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
3700da46b72b0d70032dfc574c9340d3_JaffaCakes118.exe
Resource
win10v2004-20240709-en
General
-
Target
3700da46b72b0d70032dfc574c9340d3_JaffaCakes118.exe
-
Size
200KB
-
MD5
3700da46b72b0d70032dfc574c9340d3
-
SHA1
30fb310a0105aa2bf827c764fcbd7d6ff10a6f34
-
SHA256
15c349a8c9212df0993b43e14ea23230cac772ca9b7a10456d90d20358602229
-
SHA512
c80df7fc8e96cd02cf8cc819e7fd0d81975e2ca6a26b42b478126f9a179f48cbe30493d6fe0ae220d5fe7c86a7b19371e9ccd9741e7d0bad3b5fec170a9a0267
-
SSDEEP
6144:SoODFF3JH1ake3Nr/HXPm13QQiI2UOgoo730z8myhzUHqn:MSjr/PmeQiZgoo7E0eq
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe" 3700da46b72b0d70032dfc574c9340d3_JaffaCakes118.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/memory/1300-1-0x0000000000400000-0x000000000048C000-memory.dmp upx behavioral1/memory/1300-3-0x0000000000400000-0x000000000048C000-memory.dmp upx behavioral1/memory/2560-6-0x0000000000400000-0x000000000048C000-memory.dmp upx behavioral1/memory/1300-14-0x0000000000400000-0x000000000048C000-memory.dmp upx behavioral1/memory/1484-80-0x0000000000400000-0x000000000048C000-memory.dmp upx behavioral1/memory/1300-81-0x0000000000400000-0x000000000048C000-memory.dmp upx behavioral1/memory/1300-187-0x0000000000400000-0x000000000048C000-memory.dmp upx -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 1300 wrote to memory of 2560 1300 3700da46b72b0d70032dfc574c9340d3_JaffaCakes118.exe 30 PID 1300 wrote to memory of 2560 1300 3700da46b72b0d70032dfc574c9340d3_JaffaCakes118.exe 30 PID 1300 wrote to memory of 2560 1300 3700da46b72b0d70032dfc574c9340d3_JaffaCakes118.exe 30 PID 1300 wrote to memory of 2560 1300 3700da46b72b0d70032dfc574c9340d3_JaffaCakes118.exe 30 PID 1300 wrote to memory of 1484 1300 3700da46b72b0d70032dfc574c9340d3_JaffaCakes118.exe 33 PID 1300 wrote to memory of 1484 1300 3700da46b72b0d70032dfc574c9340d3_JaffaCakes118.exe 33 PID 1300 wrote to memory of 1484 1300 3700da46b72b0d70032dfc574c9340d3_JaffaCakes118.exe 33 PID 1300 wrote to memory of 1484 1300 3700da46b72b0d70032dfc574c9340d3_JaffaCakes118.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\3700da46b72b0d70032dfc574c9340d3_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\3700da46b72b0d70032dfc574c9340d3_JaffaCakes118.exe"1⤵
- Modifies WinLogon for persistence
- Suspicious use of WriteProcessMemory
PID:1300 -
C:\Users\Admin\AppData\Local\Temp\3700da46b72b0d70032dfc574c9340d3_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\3700da46b72b0d70032dfc574c9340d3_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft2⤵PID:2560
-
-
C:\Users\Admin\AppData\Local\Temp\3700da46b72b0d70032dfc574c9340d3_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\3700da46b72b0d70032dfc574c9340d3_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp2⤵PID:1484
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD506808761b55dc9368948266797d2dd9d
SHA1816d01a992342828d550ffbbd929ef21b31facd0
SHA256ece2f8dc6f7e5d05a964575fb17c8f92c7ce26e0cfb53af343a19a5351263656
SHA51205e202a8a19a7e2dfef67893fd2b4f9d664657725950e26f5a6ec384c691f01c94fb04ba0bef7d019dd93fc314f77e17ace1d6d964f5fb69ac77034f0586cd02
-
Filesize
600B
MD56b042d3ca7a8a1487357e19a440b0ee4
SHA1cf8ed64bb9d7e5afb4349d999e382c64a6e39592
SHA256bba298003728af93b4b3c94e14112bc27ad812c58432bbd7fd4eedc454cea20f
SHA512aa381e26a2972045fab0777b6346803dd947ee5bc4e7e307f22e7339d11eeb831f19fb8fc27cc399baf5db6d0a1822bdf7da738a3984a13eef70e12989931bba