Analysis
-
max time kernel
117s
-
max time network
118s
-
platform
windows7_x64
-
resource
win7-20240708-en
-
resource tags
arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
-
submitted
13/07/2024, 16:37
Static task
static1
Behavioral task
behavioral1
Sample
427d98ce83712423dd5f06af0ef50b1c_JaffaCakes118.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
427d98ce83712423dd5f06af0ef50b1c_JaffaCakes118.exe
Resource
win10v2004-20240709-en
General
-
Target
427d98ce83712423dd5f06af0ef50b1c_JaffaCakes118.exe
-
Size
149KB
-
MD5
427d98ce83712423dd5f06af0ef50b1c
-
SHA1
c2fd6446feb577bd8ee2d463f09bcb3455fea73d
-
SHA256
922ed7eb780628227c566eec0d2dd7a3ec26d2f631edcfd555ff0eba3f65a925
-
SHA512
9feac20193dd044712b5d837e372e284cea9a065ce427413a5fae89050fa3897ea1cff3a196aa6e96eb6d23e5dd4588b8756b9c82d17a816af4babc5c083bd86
-
SSDEEP
3072:WwvyIUMmPhjAXRE0Ck3fGgOABWToz/n71dBoTlROl5KI1EGZqO:4MmPhjKRPGOlf1o3Cp
Malware Config
Signatures
-
Executes dropped EXE  1 IoCs
  pid   Process
  2148  unself.exe
-
Loads dropped DLL  7 IoCs
  pid   Process
  2544  427d98ce83712423dd5f06af0ef50b1c_JaffaCakes118.exe
  2544  427d98ce83712423dd5f06af0ef50b1c_JaffaCakes118.exe
  2324  WerFault.exe
  2324  WerFault.exe
  2324  WerFault.exe
  2324  WerFault.exe
  2324  WerFault.exe
-
Drops file in Program Files directory  1 IoCs
  description   ioc                                         Process
  File created  C:\Program Files\Internet Explorer\lpk.dll  unself.exe
-
Drops file in Windows directory  1 IoCs
  description                   ioc                                Process
  File opened for modification  C:\Windows\Debug\WIA\wiatrace.log  WINWORD.EXE
-
Enumerates physical storage devices  1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash  1 IoCs
  pid   pid_target  Process       procid_target
  2324  2148        WerFault.exe  30
-
Office loads VBA resources, possible macro or embedded object present
-
Suspicious behavior: AddClipboardFormatListener  1 IoCs
  pid  Process
  284  WINWORD.EXE
-
Suspicious use of AdjustPrivilegeToken  1 IoCs
  description                        pid   Process
  Token: SeIncBasePriorityPrivilege  2544  427d98ce83712423dd5f06af0ef50b1c_JaffaCakes118.exe
-
Suspicious use of SetWindowsHookEx  2 IoCs
  pid  Process
  284  WINWORD.EXE
  284  WINWORD.EXE
-
Suspicious use of WriteProcessMemory  20 IoCs
  description                       pid   Process                                              procid_target
  PID 2544 wrote to memory of 2148  2544  427d98ce83712423dd5f06af0ef50b1c_JaffaCakes118.exe  30
  PID 2544 wrote to memory of 2148  2544  427d98ce83712423dd5f06af0ef50b1c_JaffaCakes118.exe  30
  PID 2544 wrote to memory of 2148  2544  427d98ce83712423dd5f06af0ef50b1c_JaffaCakes118.exe  30
  PID 2544 wrote to memory of 2148  2544  427d98ce83712423dd5f06af0ef50b1c_JaffaCakes118.exe  30
  PID 2148 wrote to memory of 2324  2148  unself.exe                                           31
  PID 2148 wrote to memory of 2324  2148  unself.exe                                           31
  PID 2148 wrote to memory of 2324  2148  unself.exe                                           31
  PID 2148 wrote to memory of 2324  2148  unself.exe                                           31
  PID 2544 wrote to memory of 284   2544  427d98ce83712423dd5f06af0ef50b1c_JaffaCakes118.exe  32
  PID 2544 wrote to memory of 284   2544  427d98ce83712423dd5f06af0ef50b1c_JaffaCakes118.exe  32
  PID 2544 wrote to memory of 284   2544  427d98ce83712423dd5f06af0ef50b1c_JaffaCakes118.exe  32
  PID 2544 wrote to memory of 284   2544  427d98ce83712423dd5f06af0ef50b1c_JaffaCakes118.exe  32
  PID 2544 wrote to memory of 2764  2544  427d98ce83712423dd5f06af0ef50b1c_JaffaCakes118.exe  33
  PID 2544 wrote to memory of 2764  2544  427d98ce83712423dd5f06af0ef50b1c_JaffaCakes118.exe  33
  PID 2544 wrote to memory of 2764  2544  427d98ce83712423dd5f06af0ef50b1c_JaffaCakes118.exe  33
  PID 2544 wrote to memory of 2764  2544  427d98ce83712423dd5f06af0ef50b1c_JaffaCakes118.exe  33
  PID 284 wrote to memory of 2648   284   WINWORD.EXE                                          35
  PID 284 wrote to memory of 2648   284   WINWORD.EXE                                          35
  PID 284 wrote to memory of 2648   284   WINWORD.EXE                                          35
  PID 284 wrote to memory of 2648   284   WINWORD.EXE                                          35
Processes
-
C:\Users\Admin\AppData\Local\Temp\427d98ce83712423dd5f06af0ef50b1c_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\427d98ce83712423dd5f06af0ef50b1c_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2544
    C:\Users\Admin\AppData\Local\Temp\unself.exe
      command line: C:\Users\Admin\AppData\Local\Temp\unself.exe
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Suspicious use of WriteProcessMemory
      PID:2148
        C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2148 -s 68
          - Loads dropped DLL
          - Program crash
          PID:2324
    C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\招標項目.doc"
      - Drops file in Windows directory
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID:284
        C:\Windows\splwow64.exe
          command line: C:\Windows\splwow64.exe 12288
          PID:2648
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\427D98~1.EXE > nul
      PID:2764
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
29KB
MD5 6c77f20529a7bb180a5005421f422952
SHA1 1b43ae9ff2861721ccb726786c363b24634ca429
SHA256 31ef3fcfa28d0f5cb10d468b58755b24078448ac5c0ff93a8ab09b20527a7bfc
SHA512 3d397b442bc1887053e9779acc9f477917e8c9e39c6e022deba36da422a6cab9bc3070cadb65a3c34434d4b32729e5b23f837552b61ad9f71047475f44dc8041
-
Filesize
19KB
MD5 7574b7fdd4d5bc68a46c7aec2c64b78b
SHA1 3bee93d044bef2a4ed8a4fcf3860204c5f0f2102
SHA256 19c9d492ee15622064427a00088c845322099ffe93f0b7b62b5e0447538d6f82
SHA512 479f52523c2a4aeb7d5511f4c29c04f7f950d11fb5e1555d6b82b8c96d056e67ddb3ce093ff40236a769104ec4c114e60ec74f62791e574bb163041bbb044ef4
-
Filesize
2B
MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
88KB
MD5 de84a438ef886bb834923b4e21dc1236
SHA1 d6652d76167118b616f36ef41fe9a1d03c468bed
SHA256 e537a97377d368fca1d9c2431f38d3c227d06a6a588fc0ea0d4ee47ab53162ce
SHA512 fa3e3b42bdb58f2922567fac2aa99652c6e94539839ab58d522f8ff5080ced3d380017493637d4a041185b778e48549c8182ba5bc00e2b49d5269f219eaa5e90