Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 14s
- max time network: 19s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 14/07/2024, 23:15
Static task: static1
Behavioral task: behavioral1
- Sample: 4733fbbe363526c1bf02bb7c731c3ebf_JaffaCakes118.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 4733fbbe363526c1bf02bb7c731c3ebf_JaffaCakes118.exe
- Resource: win10v2004-20240709-en
General
- Target: 4733fbbe363526c1bf02bb7c731c3ebf_JaffaCakes118.exe
- Size: 328KB
- MD5: 4733fbbe363526c1bf02bb7c731c3ebf
- SHA1: 927048ddd04484d0ca8dba3d32b159c4de64c6f7
- SHA256: bc565b1b5e09c201e9b92341cc73da4771c4f7cb127cf094b98d1ae5554cf2a8
- SHA512: 2cfdeb0d6b28a32f07bf8666d444debc3b23b23591c534f78f4398d8732d505955c6b4c6aaae0c7043bc0c89764edec274418614144395d3526018918daa05d2
- SSDEEP: 6144:mwtV9F2idZecnl20lHRxp3gQqjHOyfR1yOxPGzjjTrwv54Zda5l3NAEIlKGOu7:mwbHF3Z4mxxf4HOcZ9GD6gajN9OD7
Malware Config
Signatures
- Drops file in Drivers directory (2 IoCs)
  description                   ioc                                       process
  File opened for modification  C:\Windows\SysWOW64\drivers\svchost.exe   4733fbbe363526c1bf02bb7c731c3ebf_JaffaCakes118.exe
  File created                  C:\Windows\SysWOW64\drivers\svchost.exe   4733fbbe363526c1bf02bb7c731c3ebf_JaffaCakes118.exe
- Deletes itself (1 IoCs)
  pid   process
  2820  cmd.exe
- Drops file in System32 directory (1 IoCs)
  description   ioc                              process
  File created  C:\Windows\SysWOW64\update.bak   4733fbbe363526c1bf02bb7c731c3ebf_JaffaCakes118.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description                pid   process
  Token: SeRestorePrivilege  2328  4733fbbe363526c1bf02bb7c731c3ebf_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description                       pid   process                                             procid_target
  PID 2328 wrote to memory of 2820  2328  4733fbbe363526c1bf02bb7c731c3ebf_JaffaCakes118.exe  30
  PID 2328 wrote to memory of 2820  2328  4733fbbe363526c1bf02bb7c731c3ebf_JaffaCakes118.exe  30
  PID 2328 wrote to memory of 2820  2328  4733fbbe363526c1bf02bb7c731c3ebf_JaffaCakes118.exe  30
  PID 2328 wrote to memory of 2820  2328  4733fbbe363526c1bf02bb7c731c3ebf_JaffaCakes118.exe  30
Processes
- C:\Users\Admin\AppData\Local\Temp\4733fbbe363526c1bf02bb7c731c3ebf_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4733fbbe363526c1bf02bb7c731c3ebf_JaffaCakes118.exe"
  Level: 1
  Signatures: Drops file in Drivers directory; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  PID: 2328
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c afc9fe2f418b00a0.bat
    Level: 2 (child of PID 2328)
    Signatures: Deletes itself
    PID: 2820
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 2KB
  MD5: 942b91b1fcd89c804116bc39665c5b45
  SHA1: 4c285c4154a2fc425410e0cdfa9a4e99c438b7a4
  SHA256: 75e0ab74331471ed57e2072b71fa9c322a70155ed05ba9586603720826e860fa
  SHA512: 3b4c37620457fd2646be0676692ac3042d84320d024e91327a3ef7ad3d11e0cf803078db0967266fc60ccbf30b7ce310a45538826ae2e6f596f4aad703647e7d