Analysis
- max time kernel: 121s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 14/07/2024, 11:27
Static task
- static1
Behavioral task
- behavioral1: sample 459cde6e25bcf5afff6bdf88d66c02ed_JaffaCakes118.exe, resource win7-20240708-en
Behavioral task
- behavioral2: sample 459cde6e25bcf5afff6bdf88d66c02ed_JaffaCakes118.exe, resource win10v2004-20240709-en
General
- Target: 459cde6e25bcf5afff6bdf88d66c02ed_JaffaCakes118.exe
- Size: 76KB
- MD5: 459cde6e25bcf5afff6bdf88d66c02ed
- SHA1: 775ed249c0b94f397551b347ea3c3bf681e918f9
- SHA256: 492509f3d645e20877a1b69551d25ce99004e857857f836f11d5d7669740c03c
- SHA512: 9e108ae11af75cf43278320d4f768e2ef5ba9320c785b3d3597ff4280d695363c46440b9aec35a6145d72cb4cd22a69416de9c76eb01a274a0cbb91c57e086a3
- SSDEEP: 1536:swpW9UaDLSvuQUE6UdYwiSSgOkflWWZNp3+aq7z:VW9UaDuvlwU2KSgrcW3rq7z
Malware Config
Signatures
- Kills process with taskkill (1 IoC)
  pid 620, taskkill.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, pid 620, taskkill.exe
  taskkill enables SeDebugPrivilege when it starts so that it can open processes it would otherwise be denied access to, so this signature fires for any taskkill run from a token that holds the privilege. On its own it is a property of the tool, not of the sample; what matters is who launched taskkill and which process it targets.
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                      pid   Process                                              procid_target
  PID 2984 wrote to memory of 112  2984  459cde6e25bcf5afff6bdf88d66c02ed_JaffaCakes118.exe  31   (reported 4 times)
  PID 112 wrote to memory of 620   112   cmd.exe                                              33   (reported 4 times)
  Both entries are a parent writing into a child it has just created (sample -> cmd.exe, cmd.exe -> taskkill.exe), matching the process tree below. There is no write into a process outside this chain, so this is the sandbox recording ordinary process creation rather than injection into an unrelated process.
Processes
1. C:\Users\Admin\AppData\Local\Temp\459cde6e25bcf5afff6bdf88d66c02ed_JaffaCakes118.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\459cde6e25bcf5afff6bdf88d66c02ed_JaffaCakes118.exe"
   PID: 2984
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      command line: cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bt13285.bat "C:\Users\Admin\AppData\Local\Temp\459cde6e25bcf5afff6bdf88d66c02ed_JaffaCakes118.exe"
      PID: 112
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\taskkill.exe
         command line: taskkill /f /im reseau.exe
         PID: 620
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken

The chain is short: the sample runs a batch file it placed in its own Temp directory (bt13285.bat), passing its own path as the batch's first argument, and that batch force-terminates any process named reseau.exe. The batch's contents are not shown in this report, so nothing else it may do can be inferred from the tree alone; both cmd.exe and taskkill.exe run from SysWOW64 because the sample is a 32-bit process on a 64-bit image.
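The chain above is a recognisable pattern (dropper in %TEMP% -> cmd.exe /c <batch in %TEMP%> -> taskkill /f /im <name>) that is straightforward to hunt for in process-creation telemetry. The following is an added example, not code from the tria.ge report or from the sample: it builds a parent/child map from process-creation events and applies two rules, one for cmd.exe running a batch file out of the per-user Temp directory and one for a forced taskkill whose ancestry includes an image in Temp. The event records are constructed by hand from the report's process tree (PIDs, paths and command lines as listed there); the field layout loosely mimics Sysmon Event ID 1, but nothing is captured telemetry, and the sample's own parent PID is a placeholder because the report does not show it.

```python
"""Detection over process-creation events for the chain in this report:
a dropper in %TEMP% -> cmd.exe /c <batch in %TEMP%> -> taskkill /f /im <name>.

Added example; this is not code from the tria.ge report or from the sample.
The events below are constructed by hand from the report's process tree
(PIDs, image paths and command lines as listed there). The field names
loosely follow Sysmon Event ID 1 (ProcessCreate), but nothing here is
captured telemetry, and the sample's parent PID (0) is a placeholder
because the report does not show it."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # command line as logged


# Constructed from the report's process tree (not captured logs).
SAMPLE_EVENTS = [
    ProcEvent(2984, 0,
              r"C:\Users\Admin\AppData\Local\Temp\459cde6e25bcf5afff6bdf88d66c02ed_JaffaCakes118.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\459cde6e25bcf5afff6bdf88d66c02ed_JaffaCakes118.exe"'),
    ProcEvent(112, 2984,
              r"C:\Windows\SysWOW64\cmd.exe",
              r'cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bt13285.bat '
              r'"C:\Users\Admin\AppData\Local\Temp\459cde6e25bcf5afff6bdf88d66c02ed_JaffaCakes118.exe"'),
    ProcEvent(620, 112,
              r"C:\Windows\SysWOW64\taskkill.exe",
              r"taskkill /f /im reseau.exe"),
    # Benign control, also constructed: an interactive console killing notepad
    # without /f and with no %TEMP% ancestor. Must not fire either rule.
    ProcEvent(700, 400, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe"'),
    ProcEvent(701, 700, r"C:\Windows\System32\taskkill.exe", r"taskkill /im notepad.exe"),
]

# A path under the per-user temp directory (the location this sample used).
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# "cmd /c <script.bat|.cmd>", script optionally quoted; group 2 is the script path.
BAT_RE = re.compile(r'/c\s+("?)(.+?\.(?:bat|cmd))\1', re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(ev: ProcEvent, by_pid: dict) -> list:
    """Walk the parent chain; stop on an unknown PID or a cycle (PID reuse)."""
    chain, seen = [], {ev.pid}
    cur = by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        chain.append(cur)
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)
    return chain


def detect(events) -> list:
    """Return (rule, pid, detail) tuples for the two behaviours in the report.

    batch_from_temp: cmd.exe /c running a .bat/.cmd located under %TEMP%.
    taskkill_from_temp_dropper: taskkill /f /im whose ancestry includes an
    image under %TEMP%. Requiring both /f and a Temp-resident ancestor is
    what separates this from an admin killing a hung process by hand."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        name = basename(ev.image)
        if name == "cmd.exe":
            m = BAT_RE.search(ev.cmdline)
            if m and TEMP_RE.search(m.group(2)):
                findings.append(("batch_from_temp", ev.pid, m.group(2)))
        elif name == "taskkill.exe":
            toks = ev.cmdline.split()
            lower = [t.lower() for t in toks]
            if "/f" in lower and "/im" in lower:
                i = lower.index("/im")
                target = toks[i + 1] if i + 1 < len(toks) else "?"
                if any(TEMP_RE.search(a.image) for a in ancestors(ev, by_pid)):
                    findings.append(("taskkill_from_temp_dropper", ev.pid, target))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid} -> {detail}")
```

Run against the constructed events, the two rules fire on PID 112 (the batch path) and PID 620 (target reseau.exe) and stay silent on the benign control. The ancestry walk is what carries the signal: taskkill and SeDebugPrivilege are routine on their own, so the rule keys on the Temp-resident parent rather than on the tool.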
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 476B
  MD5: 8673d3d51593a4995652e962a67d58a4
  SHA1: 697177b467677b549b8b1bb1578db8100e8e6c40
  SHA256: 7b89a4b26ae938579df6deb3ee647da318ebc9a22d1bcc80a8a01a6ccb9cced1
  SHA512: 5b551feb018181d506dde50ebc638ea569a6d4135ddfdbd133f173f7ca3e99126c5e84c7050ac99279e986a716c46f2ddbed4565dce6757a66b2cd4570d0e27a