Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 12/07/2024, 07:24
Static task: static1
Behavioral task: behavioral1
  Sample: 3c772ce76fc4bcac93a4fd74f03e1587_JaffaCakes118.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 3c772ce76fc4bcac93a4fd74f03e1587_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
Target: 3c772ce76fc4bcac93a4fd74f03e1587_JaffaCakes118.exe
Size: 998KB
MD5: 3c772ce76fc4bcac93a4fd74f03e1587
SHA1: b266bf7adbd60b8bb95a8fea26855c1682786164
SHA256: 5a207869e0f7fa20eccbc95fb3f711a8cb6a31a72e5843310a7dc831314bdc94
SHA512: 77c77298a668c7e8b6fb701b2a0d5f2a5a9cf3675a15feb0a46f76bcab882002bac63246b1b0e7b0f00b268bb6378885086ca73908a0e5d568ac2f66267348c3
SSDEEP: 24576:txj7xTcX2LSlwthsobVC/5imoDe5l6uiEkLJvurXPIt+1KNI4sQ/:reXyPthzbkomQylDMLczwt+A64sM
Malware Config
Signatures
- Drops file in Windows directory (2 IoCs)
  description                   ioc                            process
  File opened for modification  C:\Windows\Fonts               xcopy.exe
  File created                  C:\Windows\Fonts\Calibri.ttf   xcopy.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Enumerates system info in registry (2 TTPs, 1 IoCs)
  description        ioc                                                      process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier  xcopy.exe
- Runs .reg file with regedit (1 IoCs)
  pid   process
  2616  regedit.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid   process                                              procid_target
  PID 1648 wrote to memory of 2316  1648  3c772ce76fc4bcac93a4fd74f03e1587_JaffaCakes118.exe  31
  PID 1648 wrote to memory of 2316  1648  3c772ce76fc4bcac93a4fd74f03e1587_JaffaCakes118.exe  31
  PID 1648 wrote to memory of 2316  1648  3c772ce76fc4bcac93a4fd74f03e1587_JaffaCakes118.exe  31
  PID 1648 wrote to memory of 2316  1648  3c772ce76fc4bcac93a4fd74f03e1587_JaffaCakes118.exe  31
  PID 2316 wrote to memory of 2320  2316  cmd.exe                                              33
  PID 2316 wrote to memory of 2320  2316  cmd.exe                                              33
  PID 2316 wrote to memory of 2320  2316  cmd.exe                                              33
  PID 2316 wrote to memory of 2320  2316  cmd.exe                                              33
  PID 1648 wrote to memory of 2616  1648  3c772ce76fc4bcac93a4fd74f03e1587_JaffaCakes118.exe  34
  PID 1648 wrote to memory of 2616  1648  3c772ce76fc4bcac93a4fd74f03e1587_JaffaCakes118.exe  34
  PID 1648 wrote to memory of 2616  1648  3c772ce76fc4bcac93a4fd74f03e1587_JaffaCakes118.exe  34
  PID 1648 wrote to memory of 2616  1648  3c772ce76fc4bcac93a4fd74f03e1587_JaffaCakes118.exe  34
Processes
1. C:\Users\Admin\AppData\Local\Temp\3c772ce76fc4bcac93a4fd74f03e1587_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3c772ce76fc4bcac93a4fd74f03e1587_JaffaCakes118.exe"
   PID: 1648
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c xcopy Fonts "C:\Windows\Fonts" /e /i /y
      PID: 2316
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\xcopy.exe
         Command line: xcopy Fonts "C:\Windows\Fonts" /e /i /y
         PID: 2320
         - Drops file in Windows directory
         - Enumerates system info in registry
   2. C:\Windows\SysWOW64\regedit.exe
      Command line: "C:\Windows\System32\regedit.exe" /s Fonts.reg
      PID: 2616
      - Runs .reg file with regedit
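The process tree above is what an analyst would reconstruct from the "wrote to memory of" records and the per-process command lines. The following is an added example, not part of the tria.ge report: it parses those records (copied from the signature table, including the repeated rows the report emits), rebuilds the parent/child tree, and flags the two behaviours the report's signatures call out: a silent registry import (`regedit.exe /s`) and an `xcopy` into `C:\Windows\Fonts`, each launched by a process whose ancestry leads back to the user's Temp directory. The `PROCESSES` table is constructed from the report; the assumption that a Sysmon or EDR process-creation event supplies the same three fields (pid, image, command line) is mine.

```python
"""Added example (not from the tria.ge report): rebuild the process tree from
the report's "wrote to memory of" records and apply two triage checks."""
import re
from collections import defaultdict

# Constructed from the report's Processes section: pid -> (image, command line).
# Assumption: a Sysmon/EDR process-creation event carries the same fields.
PROCESSES = {
    1648: (r"C:\Users\Admin\AppData\Local\Temp\3c772ce76fc4bcac93a4fd74f03e1587_JaffaCakes118.exe",
           r'"C:\Users\Admin\AppData\Local\Temp\3c772ce76fc4bcac93a4fd74f03e1587_JaffaCakes118.exe"'),
    2316: (r"C:\Windows\SysWOW64\cmd.exe",
           r'"C:\Windows\System32\cmd.exe" /c xcopy Fonts "C:\Windows\Fonts" /e /i /y'),
    2320: (r"C:\Windows\SysWOW64\xcopy.exe",
           r'xcopy Fonts "C:\Windows\Fonts" /e /i /y'),
    2616: (r"C:\Windows\SysWOW64\regedit.exe",
           r'"C:\Windows\System32\regedit.exe" /s Fonts.reg'),
}

# Copied from the "Suspicious use of WriteProcessMemory" table; the report
# repeats each record several times, so the parser de-duplicates.
WPM_RECORDS = """
PID 1648 wrote to memory of 2316 1648 3c772ce76fc4bcac93a4fd74f03e1587_JaffaCakes118.exe 31
PID 1648 wrote to memory of 2316 1648 3c772ce76fc4bcac93a4fd74f03e1587_JaffaCakes118.exe 31
PID 2316 wrote to memory of 2320 2316 cmd.exe 33
PID 2316 wrote to memory of 2320 2316 cmd.exe 33
PID 1648 wrote to memory of 2616 1648 3c772ce76fc4bcac93a4fd74f03e1587_JaffaCakes118.exe 34
PID 1648 wrote to memory of 2616 1648 3c772ce76fc4bcac93a4fd74f03e1587_JaffaCakes118.exe 34
"""

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
TEMP_MARKER = "\\appdata\\local\\temp\\"


def parse_edges(text):
    """Return de-duplicated (parent_pid, child_pid) pairs in first-seen order."""
    seen, edges = set(), []
    for m in WPM_RE.finditer(text):
        edge = (int(m.group(1)), int(m.group(2)))
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def build_tree(edges):
    """Map each parent pid to its children, preserving spawn order."""
    children = defaultdict(list)
    for parent, child in edges:
        children[parent].append(child)
    return children


def roots(edges):
    """Pids that appear as parents but never as children (the sample itself)."""
    return sorted({p for p, _ in edges} - {c for _, c in edges})


def ancestors(pid, edges):
    """Parent chain of pid, nearest first, derived from the WPM edges."""
    parent_of = {c: p for p, c in edges}
    chain = []
    while pid in parent_of:
        pid = parent_of[pid]
        chain.append(pid)
    return chain


def find_findings(processes, edges):
    """Apply the two checks; returns (pid, reason) tuples in pid-table order."""
    findings = []
    for pid, (image, cmdline) in processes.items():
        low = cmdline.lower()
        base = image.lower().rsplit("\\", 1)[-1]
        # Only interesting when some ancestor runs out of the user's Temp folder.
        from_temp = any(TEMP_MARKER in processes[a][0].lower() for a in ancestors(pid, edges))
        if base == "regedit.exe" and re.search(r"(^|\s)/s(\s|$)", low) and from_temp:
            findings.append((pid, "silent .reg import launched from a Temp-resident process"))
        if base == "xcopy.exe" and r"c:\windows\fonts" in low and from_temp:
            findings.append((pid, "copy into C:\\Windows\\Fonts launched from a Temp-resident process"))
    return findings


def render(pid, children, processes, depth=0):
    """Indented text tree, one line per process: pid and command line."""
    lines = [f"{'  ' * depth}{pid} {processes[pid][1]}"]
    for child in children.get(pid, []):
        lines.extend(render(child, children, processes, depth + 1))
    return lines


if __name__ == "__main__":
    edges = parse_edges(WPM_RECORDS)
    tree = build_tree(edges)
    for root in roots(edges):
        print("\n".join(render(root, tree, PROCESSES)))
    for pid, why in find_findings(PROCESSES, edges):
        print(f"[!] pid {pid}: {why}")
```

The checks key on ancestry, not on the process image alone, because `regedit.exe /s` and `xcopy` into the Fonts directory are also exactly what a legitimate font installer does. The report does not show the contents of Fonts.reg, so what keys the silent import writes cannot be stated from this page; treat the two hits as a triage lead to pull that file and the dropped Calibri.ttf, not as a verdict.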
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 948B
MD5: 0798c369716d601f7f61aad56708bb69
SHA1: fd944cf9fa5132d4216469d3487a9626b0c329f3
SHA256: 642f6b40b3b1ecb79ab1894d3fd3bc7638a9fbec332c2bf9f4144187968b963a
SHA512: 71db8de5e38c837d776860a4db9a75a1835d48cf0bcfb4007852623b4a6dd34bff7599086146ad7352b5610cd1e18f8b1d2c604125b90ebf304112c66b0cbcdb

Filesize: 238KB
MD5: d5630a8814488c1800727da51c00c256
SHA1: 8c9298c19cd369087a95c27cf716d27e474f2ece
SHA256: 6615eaeb730311e6f997e34e1e560fae6629be9f47e92929d13d96108e58fa43
SHA512: 5f08970f024bb7a9e4500a64cb122301df1940e48b1e727be693423ca78cb116636eb374fcfce45b631cf6c24ef868633e703d3fed4d51c1092dc0363a197577