Analysis

max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 14/07/2024, 04:48
Static task: static1

Behavioral task: behavioral1
  Sample: 445e8d5e7bc9e7d73b1189c2567ebd41_JaffaCakes118.exe
  Resource: win7-20240704-en

Behavioral task: behavioral2
  Sample: 445e8d5e7bc9e7d73b1189c2567ebd41_JaffaCakes118.exe
  Resource: win10v2004-20240709-en

Behavioral task: behavioral3
  Sample: $TEMP/Ff8wfHZYn0.dll
  Resource: win7-20240704-en

Behavioral task: behavioral4
  Sample: $TEMP/Ff8wfHZYn0.dll
  Resource: win10v2004-20240709-en
General

Target: 445e8d5e7bc9e7d73b1189c2567ebd41_JaffaCakes118.exe
Size: 108KB
MD5: 445e8d5e7bc9e7d73b1189c2567ebd41
SHA1: 3dd1b3fd60befc25cc6358c4bacfb9aaadb1a6a6
SHA256: 79cf60976b460063d4eb8f7e83039aebf18dba16c50a787d191e72ecfefbddfe
SHA512: 8e4c292cfe20bee8e842a5d00985800773a546171c321d8c06ac9b6740a14ca08dc6a1a6540d65bd17fc17be2bf7a2babe00a07a4cf7e684970c15dffc1662a9
SSDEEP: 3072:IgXdZt9P6D3XJbCifHK1tjsITcqbfH7TtEz:Ie344ifHK1JxcEH7G
Malware Config
Signatures

Blocklisted process makes network request (2 IoCs)
  flow  pid   Process
  6     2796  rundll32.exe
  8     2796  rundll32.exe

Loads dropped DLL (4 IoCs)
  pid   Process
  2796  rundll32.exe
  2796  rundll32.exe
  2796  rundll32.exe
  2796  rundll32.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Modifies Internet Explorer settings
  description  ioc                                                                                                        Process
  Key created  \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main  rundll32.exe

Runs ping.exe (1 TTPs, 1 IoCs)
  pid   Process
  2256  PING.EXE

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  2796  rundll32.exe
  2796  rundll32.exe

Suspicious use of WriteProcessMemory (15 IoCs)
  description                        pid   Process                                              procid_target
  PID 2484 wrote to memory of 2796   2484  445e8d5e7bc9e7d73b1189c2567ebd41_JaffaCakes118.exe  30
  PID 2484 wrote to memory of 2796   2484  445e8d5e7bc9e7d73b1189c2567ebd41_JaffaCakes118.exe  30
  PID 2484 wrote to memory of 2796   2484  445e8d5e7bc9e7d73b1189c2567ebd41_JaffaCakes118.exe  30
  PID 2484 wrote to memory of 2796   2484  445e8d5e7bc9e7d73b1189c2567ebd41_JaffaCakes118.exe  30
  PID 2484 wrote to memory of 2796   2484  445e8d5e7bc9e7d73b1189c2567ebd41_JaffaCakes118.exe  30
  PID 2484 wrote to memory of 2796   2484  445e8d5e7bc9e7d73b1189c2567ebd41_JaffaCakes118.exe  30
  PID 2484 wrote to memory of 2796   2484  445e8d5e7bc9e7d73b1189c2567ebd41_JaffaCakes118.exe  30
  PID 2796 wrote to memory of 1424   2796  rundll32.exe                                         33
  PID 2796 wrote to memory of 1424   2796  rundll32.exe                                         33
  PID 2796 wrote to memory of 1424   2796  rundll32.exe                                         33
  PID 2796 wrote to memory of 1424   2796  rundll32.exe                                         33
  PID 1424 wrote to memory of 2256   1424  cmd.exe                                              35
  PID 1424 wrote to memory of 2256   1424  cmd.exe                                              35
  PID 1424 wrote to memory of 2256   1424  cmd.exe                                              35
  PID 1424 wrote to memory of 2256   1424  cmd.exe                                              35
Processes

C:\Users\Admin\AppData\Local\Temp\445e8d5e7bc9e7d73b1189c2567ebd41_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\445e8d5e7bc9e7d73b1189c2567ebd41_JaffaCakes118.exe"
  PID: 2484
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Ff8wfHZYn0.dll",Install C:\Users\Admin\AppData\Local\Temp\Ff8wfHZYn0
    PID: 2796
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /e:on /d /c ping -n 6 127.0.0.1 && DEL /F "C:\Users\Admin\AppData\Local\Temp\Ff8wfHZYn0.dll" >> nul
      PID: 1424
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\PING.EXE
        Command line: ping -n 6 127.0.0.1
        PID: 2256
        - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1024B
MD5: 6499956889099f048bd8394fc3cca7ca
SHA1: 22c48f326d2eae410239e4a08582b1830cbf3181
SHA256: f121459547bd348063dac8ed5424e97bad30b880d5499edd66fb8af26022f921
SHA512: f3ee3e9c72de3b0563ae7817b451e4bbd1a517a51a2de9c61279e4145524397555b235c217e8512121ec7d7e075544aad970c3d8a3fb610b70e045c8664c33ec

Filesize: 89KB
MD5: 7a06cb307f802c120609c0b3c1e963a9
SHA1: 2bda4b275422ea6138b12efaeefcb9e279f1de95
SHA256: 292340cb04147497e7828986c55765e24bc863ab8e3066b317d78032beab984a
SHA512: a38c7cfb714859ddca000390bae3c4dc5a4cf88db2e974168bf1270b0740568630ce2afd63cb6b663c7df9296a97d2c0dbc0968b2eaaab74487cd179876752a6