Analysis
- max time kernel: 147s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 14/07/2024, 13:46
Static task: static1
Behavioral task: behavioral1
- Sample: 46143d2dcb939fe3cce62ea2c8401aec_JaffaCakes118.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 46143d2dcb939fe3cce62ea2c8401aec_JaffaCakes118.exe
- Resource: win10v2004-20240709-en
General
- Target: 46143d2dcb939fe3cce62ea2c8401aec_JaffaCakes118.exe
- Size: 120KB
- MD5: 46143d2dcb939fe3cce62ea2c8401aec
- SHA1: 6d9b033fc1571793a90f9e4d99305e3f137dd811
- SHA256: c920c5c4f7b71c16aacfddc895cae009a222520ffab21ee19017256d87e1a26d
- SHA512: 00e0bb6db40c5b7c111cfd3f3d3923213ccf9c76d00802f1b06aea35e4eee66a3ccdfdd264d110e25cad6636a40eb87866ffea0d4e869aec2cb34a13d312d560
- SSDEEP: 3072:hGN9qJK8zxBf/+L8Cabilf6N4wT6o8K8GthgB/w:W9ixBebaE65
Malware Config
Signatures
- Deletes itself (1 IoCs)
  - PID 2784: cmd.exe
- Executes dropped EXE (1 IoCs)
  - PID 1484: snss.exe
- Drops file in Windows directory (5 IoCs)
  - File opened for modification: C:\Windows\snss1.exe (process: 46143d2dcb939fe3cce62ea2c8401aec_JaffaCakes118.exe)
  - File created: C:\Windows\snss.lnk (process: 46143d2dcb939fe3cce62ea2c8401aec_JaffaCakes118.exe)
  - File opened for modification: C:\Windows\ff.bat (process: 46143d2dcb939fe3cce62ea2c8401aec_JaffaCakes118.exe)
  - File created: C:\Windows\snss.exe (process: cmd.exe)
  - File opened for modification: C:\Windows\snss.exe (process: cmd.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Kills process with taskkill (1 IoCs)
  - PID 2236: taskkill.exe
- Runs ping.exe (1 TTPs, 5 IoCs)
  - PIDs 2960, 2724, 2580, 2708, 2776: PING.EXE
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  - Token: SeDebugPrivilege, PID 2236, taskkill.exe
- Suspicious use of WriteProcessMemory (32 IoCs)
Processes
- PID 2312: C:\Users\Admin\AppData\Local\Temp\46143d2dcb939fe3cce62ea2c8401aec_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\46143d2dcb939fe3cce62ea2c8401aec_JaffaCakes118.exe"
  Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
  - PID 2784: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c C:\Windows\ff.bat
    Signatures: Deletes itself; Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - PID 2776: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
    - PID 2960: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
    - PID 2724: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
    - PID 2580: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
    - PID 2708: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
    - PID 2236: C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im snss.exe
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - PID 1484: C:\Windows\snss.exe
      Command line: "C:\Windows\snss.exe"
      Signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads