Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
118s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
13/07/2024, 14:19
Static task
static1
Behavioral task
behavioral1
Sample
420973540d2d7fbde1d20890815eb81b_JaffaCakes118.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
420973540d2d7fbde1d20890815eb81b_JaffaCakes118.exe
Resource
win10v2004-20240709-en
General
-
Target
420973540d2d7fbde1d20890815eb81b_JaffaCakes118.exe
-
Size
174KB
-
MD5
420973540d2d7fbde1d20890815eb81b
-
SHA1
b39b10aa5800dd4ecb3f33855e48a38c8c5f0b93
-
SHA256
01db040f498ed0b4b3df6337f1dd5ff472876bd70a72f96543966302ee97bfb8
-
SHA512
7c6a5ba161ef4b3df885baed7cfd89fe39c9cd7be64f09241864603970b68983f314b25ebc06db78e6d0e6d62fd2ff85f43deabda952334c19d19a9a6bf80af0
-
SSDEEP
3072:scDV6Az1lWgFvYGnJd6KpZV3uTN9WU/G9B32w590Kqm/32nzNvI+x/tW:NQAKgFvYGJd6KpZV3uTN9WU/G9BGw59d
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2728 CryptedFile.exe -
Loads dropped DLL 3 IoCs
pid Process 2648 WerFault.exe 2648 WerFault.exe 2648 WerFault.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 2648 2728 WerFault.exe 31 -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2924 wrote to memory of 2728 2924 420973540d2d7fbde1d20890815eb81b_JaffaCakes118.exe 31 PID 2924 wrote to memory of 2728 2924 420973540d2d7fbde1d20890815eb81b_JaffaCakes118.exe 31 PID 2924 wrote to memory of 2728 2924 420973540d2d7fbde1d20890815eb81b_JaffaCakes118.exe 31 PID 2924 wrote to memory of 2728 2924 420973540d2d7fbde1d20890815eb81b_JaffaCakes118.exe 31 PID 2728 wrote to memory of 2648 2728 CryptedFile.exe 32 PID 2728 wrote to memory of 2648 2728 CryptedFile.exe 32 PID 2728 wrote to memory of 2648 2728 CryptedFile.exe 32 PID 2728 wrote to memory of 2648 2728 CryptedFile.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\420973540d2d7fbde1d20890815eb81b_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\420973540d2d7fbde1d20890815eb81b_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Users\Admin\AppData\Local\Temp\CryptedFile.exe"C:\Users\Admin\AppData\Local\Temp\CryptedFile.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 363⤵
- Loads dropped DLL
- Program crash
PID:2648
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
10KB
MD5c74e581603935190248b357711862d72
SHA168e52d3c68c2903b6391646e230948d14d012471
SHA256d75800dad7f80def296ea8416c8a8902c38ab61472c5a9ccdfd9eed85448c4dc
SHA512fc882c1392341cab3146e94eba92438799a6b604590fe0f2f9db84e7662ecec0e5bc4c6375d8ae6cbceff5257c3f9f74244f131f8dfa31d71871c7202798d519