Analysis
- max time kernel: 122s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 14/07/2024, 18:19
Static task
- static1

Behavioral task
- behavioral1
  Sample: 46f8b0698e85357a979a2cf854d7dc16_JaffaCakes118.exe
  Resource: win7-20240708-en

Behavioral task
- behavioral2
  Sample: 46f8b0698e85357a979a2cf854d7dc16_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
- Target: 46f8b0698e85357a979a2cf854d7dc16_JaffaCakes118.exe
- Size: 35KB
- MD5: 46f8b0698e85357a979a2cf854d7dc16
- SHA1: 7565cb6ebc36a669bdd8937f2eeb67778a9180fe
- SHA256: 88f39cfd787dda1b94de96b48b9ceb921ebea0b0f69f97389a82a90585676ea1
- SHA512: a90aafdc1bceb297264671f5b4d11a07114f207cbcfd61cbeb43cdb62957b6696c35dfd0859efa88912ef89e17df5e1287ae6fdb5e9ae009987cc918b5babc62
- SSDEEP: 384:QyWMPvsytDWW80X+xT9o25TyrHLM7+qdDvFpwyVuP3x5Ylo/LsL7LkLbg:8HgDWt9TU8p9/wyV+3xelozA/o
Malware Config
Signatures
- Deletes itself (1 IoCs)
  pid   Process
  2568  cmd.exe
- Loads dropped DLL (4 IoCs)
  pid   Process
  3060  rundll32.exe
  3060  rundll32.exe
  3060  rundll32.exe
  3060  rundll32.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description      ioc                                                                                                                                                                                                              Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\swapdisk = "C:\\Windows\\system32\\rundll32.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\12014333.dll,Call"  46f8b0698e85357a979a2cf854d7dc16_JaffaCakes118.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (11 IoCs)
  description                      pid  Process                                             procid_target
  PID 900 wrote to memory of 3060  900  46f8b0698e85357a979a2cf854d7dc16_JaffaCakes118.exe  30
  PID 900 wrote to memory of 3060  900  46f8b0698e85357a979a2cf854d7dc16_JaffaCakes118.exe  30
  PID 900 wrote to memory of 3060  900  46f8b0698e85357a979a2cf854d7dc16_JaffaCakes118.exe  30
  PID 900 wrote to memory of 3060  900  46f8b0698e85357a979a2cf854d7dc16_JaffaCakes118.exe  30
  PID 900 wrote to memory of 3060  900  46f8b0698e85357a979a2cf854d7dc16_JaffaCakes118.exe  30
  PID 900 wrote to memory of 3060  900  46f8b0698e85357a979a2cf854d7dc16_JaffaCakes118.exe  30
  PID 900 wrote to memory of 3060  900  46f8b0698e85357a979a2cf854d7dc16_JaffaCakes118.exe  30
  PID 900 wrote to memory of 2568  900  46f8b0698e85357a979a2cf854d7dc16_JaffaCakes118.exe  31
  PID 900 wrote to memory of 2568  900  46f8b0698e85357a979a2cf854d7dc16_JaffaCakes118.exe  31
  PID 900 wrote to memory of 2568  900  46f8b0698e85357a979a2cf854d7dc16_JaffaCakes118.exe  31
  PID 900 wrote to memory of 2568  900  46f8b0698e85357a979a2cf854d7dc16_JaffaCakes118.exe  31
Processes
- C:\Users\Admin\AppData\Local\Temp\46f8b0698e85357a979a2cf854d7dc16_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\46f8b0698e85357a979a2cf854d7dc16_JaffaCakes118.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 900
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: "C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\12014333.dll,Call
    - Loads dropped DLL
    PID: 3060
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\d.bat" "
    - Deletes itself
    PID: 2568
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 210B
  MD5: 8c8de60b3256d675f36c9d9f1cc69ad6
  SHA1: 19b9a812f5f08b87d4d0198e043edc751062c705
  SHA256: ce53002a60ceaddad11cdae49973a876c04de3b53381375dfa9508ee0de81c3c
  SHA512: 33a214d47020bdb7a94a2f66f110ac418b1d17997e39e329c73b7a94de8eb34e7d7987bca32454d81e39ce5888c33e2fe193ba00abbd608b5582be7935c6dc46
- Filesize: 28KB
  MD5: 4e432912db8c425eee68e2a459b5a0a3
  SHA1: 749a25deb96febc23d906c9c26308d5f0520a4b6
  SHA256: 5d79e6b5f32d6bea323988c63ec4273207e92c845b745ddc4921626049fadf0d
  SHA512: ece43a4a1f47d0613f284fed3cb4d9f0600336fe2352942dff07042bce7da059db8f28240b8b034b94c4c417b11fceaf4530fa55800ebb20fe87ac95dbe7b6be