Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
142s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
-
submitted
11/07/2024, 13:39
General
-
Target
395a302982f864797b3b5f645b7c9217_JaffaCakes118.exe
-
Size
241KB
-
MD5
395a302982f864797b3b5f645b7c9217
-
SHA1
134a0b7847bd76bf4efef1db5f4d81979232ca56
-
SHA256
5bb64b7a6c64183fb40d05d03bf59de1fa3dd59683b95c67e935bbe84dc60c8f
-
SHA512
69fb0d567b8b492a8465916affdc5545f64618903cd23ccace8af7594d23c78079a01ae2d41f1469272acc475eeced580cfb6736e969d1ee0bc1d73241413a4c
-
SSDEEP
3072:jVQSWGAR5ndKwc5gbwiOW5evfFiC1WVhGx8f/AiyYvnSN3OmZLEojh9DD5x:PZARhwpWk3FCVnHAiyYvDmBFjP
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 46 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 60 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\395a302982f864797b3b5f645b7c9217_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\395a302982f864797b3b5f645b7c9217_JaffaCakes118.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\395a302982f864797b3b5f645b7c9217_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\395a302982f864797b3b5f645b7c9217_JaffaCakes118.exe"3⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Pixok\duyti.exe"C:\Users\Admin\AppData\Roaming\Pixok\duyti.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Pixok\duyti.exe"C:\Users\Admin\AppData\Roaming\Pixok\duyti.exe"5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp40536af5.bat"4⤵
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
241KB
MD504e084e9c9c7a2bf32615e318a4bfcc7
SHA1847a72c8809c1df78153b10627c98d2aeb61672c
SHA256aaec7aadb4588c144405ac66a61aaf385d90915b794b3a40e382c039f413449e
SHA512e71b099b9b8c918900b3195031ac89b0f76acf076394ccf6fd419f049319aa23592b0dac79ddd70c80287416bdebf9750c4221d02f0dbd9d47ccba79c384622a
-
Filesize
236KB
-
Filesize
236KB
-
Filesize
236KB
-
Filesize
236KB
-
Filesize
236KB
-
Filesize
236KB
-
Filesize
236KB
-
Filesize
236KB
-
Filesize
236KB
-
Filesize
236KB
-
Filesize
236KB
-
Filesize
236KB
-
Filesize
236KB
-
Filesize
236KB
-
Filesize
236KB
-
Filesize
236KB
-
Filesize
236KB
-
Filesize
236KB
-
Filesize
236KB
-
Filesize
236KB
-
Filesize
236KB
-
Filesize
236KB
-
Filesize
236KB
-
Filesize
236KB
-
Filesize
236KB
-
Filesize
4KB
-
Filesize
236KB
-
Filesize
236KB
-
Filesize
236KB
-
Filesize
236KB
-
Filesize
236KB
-
Filesize
236KB
-
Filesize
236KB
-
Filesize
236KB
-
Filesize
236KB
-
Filesize
236KB
-
Filesize
4KB