Analysis
- max time kernel: 14s
- max time network: 19s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 13/07/2024, 20:14
Static task
- static1

Behavioral task
- behavioral1
  Sample: 432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe
  Resource: win7-20240704-en

Behavioral task
- behavioral2
  Sample: 432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
- Target: 432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe
- Size: 411KB
- MD5: 432e21215f94982e7585a95f5aa9c30d
- SHA1: 746b44612a503a14cc6407053b2652895965d2b4
- SHA256: 4654f3af174704f171088ad84b287e44795da6c53b91e2ffe6365a8adcda3182
- SHA512: 8dfb4d51d7587384ec021a6a5ba4939cf91b89229a9d42b1fde13bcbf24a87e4e8ddfaaefc701dbdac8b6f76d769a8300612d1ac3609dfd8eea5afcbe45f67ec
- SSDEEP: 12288:rGO5BvJnxdK0wRVrJH2WHwK9MKcerbndOU0DSxEagJ:XPJOpRph5HFZcCb02V2
Malware Config

Signatures
- Executes dropped EXE (2 IoCs)
  - PID 2980: pzpB6C1.tmp
  - PID 2928: HTTP.db
- Loads dropped DLL (2 IoCs)
  - PID 2776: 432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe
  - PID 2776: 432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe
- Suspicious use of SetThreadContext (1 IoC)
  - PID 2928 (HTTP.db) set thread context of 2920 (procid_target 32)
- Drops file in Program Files directory (2 IoCs)
  - File opened for modification: C:\Program Files (x86)\Internet Explorer\HTTP.db (process: pzpB6C1.tmp)
  - File created: C:\Program Files (x86)\Internet Explorer\HTTP.db (process: pzpB6C1.tmp)
- Drops file in Windows directory (1 IoC)
  - File created: C:\Windows\uninstal.bat (process: pzpB6C1.tmp)
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  - PID 2776: 432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  - Token: SeDebugPrivilege, PID 2980 (pzpB6C1.tmp)
  - Token: SeDebugPrivilege, PID 2928 (HTTP.db)
- Suspicious use of WriteProcessMemory (17 IoCs)
  - PID 2776 (432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe) wrote to memory of 2980 (procid_target 30): 4 entries
  - PID 2980 (pzpB6C1.tmp) wrote to memory of 2976 (procid_target 33): 7 entries
  - PID 2928 (HTTP.db) wrote to memory of 2920 (procid_target 32): 6 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe (PID 2776)
  Command line: "C:\Users\Admin\AppData\Local\Temp\432e21215f94982e7585a95f5aa9c30d_JaffaCakes118.exe"
  Signatures: Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\pzpB6C1.tmp (PID 2980)
    Command line: "C:\Users\Admin\AppData\Local\Temp\pzpB6C1.tmp"
    Signatures: Executes dropped EXE; Drops file in Program Files directory; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2976)
      Command line: cmd /c C:\Windows\uninstal.bat
- C:\Program Files (x86)\Internet Explorer\HTTP.db (PID 2928)
  Command line: "C:\Program Files (x86)\Internet Explorer\HTTP.db"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\WiNdOWs\SysWOW64\svCHost.exe (PID 2920)
    Command line: C:\WiNdOWs\sYstEm32\svCHost.exe................
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 140B
  MD5: 0a10776f87677bbf7cda3234e29574cf
  SHA1: 58bf303968534696fa204f094d9e69520aefd96d
  SHA256: b849f5b4ef965ccf77a2fe94f1196f0362f6d2d5c66b4dd8232276ff04da57e6
  SHA512: c8258b4f427af33d6c55649da2da553e4c1213ef9945a2d54051e4c397d25bc31ac9288d609db3e2a6412ccd699319173a452dcf4bb48dbf83b62e399f8d8600
- Filesize: 743KB
  MD5: 19d99745166de14cf598192aa3beaee3
  SHA1: a1c46c0cfd35597a04dde3c192c290a4dfad1623
  SHA256: 4102054a7ad1a02e489dec512838a469e0c584be9142f6d3a27fad6a7e6be728
  SHA512: 64cf15025e66db4a98ec22e7660fa44580a48fcc12f436cca358e92a4fe76bf4a410f6acd16b2973aad1d96fc6ea8bf5aba7eb5ccf92be5d2eade8cf0468e122