Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis

max time kernel: 149s
max time network: 118s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 13/07/2024, 15:14
Static task: static1

Behavioral task: behavioral1
  Sample: 42379e70bb511d7659943faaa3d84e1c_JaffaCakes118.exe
  Resource: win7-20240705-en

Behavioral task: behavioral2
  Sample: 42379e70bb511d7659943faaa3d84e1c_JaffaCakes118.exe
  Resource: win10v2004-20240704-en
General

Target: 42379e70bb511d7659943faaa3d84e1c_JaffaCakes118.exe
Size: 125KB
MD5: 42379e70bb511d7659943faaa3d84e1c
SHA1: e885091986a50c70e2d6179c3ecddaca1ac1d425
SHA256: 15e582c0960adb412c05316336dab08438bf563391e64f636945aa8849251da9
SHA512: dc6ab52e3b85f1cd2a0404984b0775a9647dec61e9a37e8ecbcde177f8b0542633e4c9958c077fd98184e82d75163b87be0edc6762d7ee72b82da5ff53a36042
SSDEEP: 3072:EJgwBIxhn+dz7diTqkGqcZBUPs7dHNnu3lAzyDJkluJfBd8W:EuwWx8fScnUPey1BtB
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  pid   Process
  2780  Okohua.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\18RH6WMFH2 = "C:\\Windows\\Okohua.exe"
  Process: Okohua.exe

Drops file in Windows directory (4 IoCs)
  description                   ioc                                                          Process
  File opened for modification  C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job  42379e70bb511d7659943faaa3d84e1c_JaffaCakes118.exe
  File created                  C:\Windows\Okohua.exe                                        42379e70bb511d7659943faaa3d84e1c_JaffaCakes118.exe
  File opened for modification  C:\Windows\Okohua.exe                                        42379e70bb511d7659943faaa3d84e1c_JaffaCakes118.exe
  File created                  C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job  42379e70bb511d7659943faaa3d84e1c_JaffaCakes118.exe

Modifies Internet Explorer settings (2 IoCs)
  description  ioc                                                                                                              Process
  Key created  \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main           Okohua.exe
  Key created  \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\International  Okohua.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  2780  Okohua.exe  (the same pid/process entry is repeated 64 times in the report)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  2780  Okohua.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description                         pid   Process                                             procid_target
  PID 2676 wrote to memory of 2780    2676  42379e70bb511d7659943faaa3d84e1c_JaffaCakes118.exe  30
  (the same entry is repeated 4 times in the report)
Processes

1. C:\Users\Admin\AppData\Local\Temp\42379e70bb511d7659943faaa3d84e1c_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\42379e70bb511d7659943faaa3d84e1c_JaffaCakes118.exe"
   PID: 2676
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Okohua.exe (spawned by PID 2676)
      Command line: C:\Windows\Okohua.exe
      PID: 2780
      - Executes dropped EXE
      - Adds Run key to start application
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 125KB
  MD5: 42379e70bb511d7659943faaa3d84e1c
  SHA1: e885091986a50c70e2d6179c3ecddaca1ac1d425
  SHA256: 15e582c0960adb412c05316336dab08438bf563391e64f636945aa8849251da9
  SHA512: dc6ab52e3b85f1cd2a0404984b0775a9647dec61e9a37e8ecbcde177f8b0542633e4c9958c077fd98184e82d75163b87be0edc6762d7ee72b82da5ff53a36042

File 2
  Filesize: 372B
  MD5: c6bfe4970d1571459a6d16d3eaa6cbdb
  SHA1: a880bfbae3f4057073ccbf94e19d47c63895b094
  SHA256: cceb7071810ff9821e7870542a0757a3c2e8e590d99bd0fb67998e43bbe85c1a
  SHA512: 0dedb66822dffa711e0c521769f8dcebbd0c1971aa81fe8db00ac77e67e8d7a8c50ca971e601ba6a470ae8fffcc3206d8a00eec105fa355599f78ea0ef198437