Analysis
  max time kernel:   120s
  max time network:  120s
  platform:          windows7_x64
  resource:          win7-20240704-en
  resource tags:     arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  submitted:         15/07/2024, 00:21
Static task
  static1

Behavioral task
  behavioral1
    Sample:   476c2693f84de69b7a08a855610802f5_JaffaCakes118.exe
    Resource: win7-20240704-en

Behavioral task
  behavioral2
    Sample:   476c2693f84de69b7a08a855610802f5_JaffaCakes118.exe
    Resource: win10v2004-20240709-en
General
  Target: 476c2693f84de69b7a08a855610802f5_JaffaCakes118.exe
  Size:   10KB
  MD5:    476c2693f84de69b7a08a855610802f5
  SHA1:   0388670a0f6a1b28c86014497cc19c2c3de3a699
  SHA256: 22ba9ffb3f7db616d6458c89011dc8dc20b6164597df1c48adab03125d1c00bc
  SHA512: 0bc6d5625a027a78b195a713aad7d7418d76d78273ca66cbfb4c3fcb27cf048effb6f641aea7c4c98640de97728d4ae0f276a5ac191c2c48a37b28f5db579dc6
  SSDEEP: 192:YdV5pxgnVPQoEYp+ajFwMhyHtNhBwttu5MW3jXAn:kV5pxZaZwMh+tXL5MuDi
Malware Config

Signatures
  Deletes itself (1 IoCs)
    pid   Process
    2460  cmd.exe

  Reads data files stored by FTP clients (2 TTPs)
    Tries to access configuration files associated with programs like FileZilla.

  Reads local data of messenger clients (2 TTPs)
    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

  Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).

  Delays execution with timeout.exe (1 IoCs)
    pid   Process
    2032  timeout.exe

  Suspicious use of WriteProcessMemory (8 IoCs)
    description                        pid   Process                                              procid_target
    PID 2224 wrote to memory of 2460   2224  476c2693f84de69b7a08a855610802f5_JaffaCakes118.exe   28
    PID 2224 wrote to memory of 2460   2224  476c2693f84de69b7a08a855610802f5_JaffaCakes118.exe   28
    PID 2224 wrote to memory of 2460   2224  476c2693f84de69b7a08a855610802f5_JaffaCakes118.exe   28
    PID 2224 wrote to memory of 2460   2224  476c2693f84de69b7a08a855610802f5_JaffaCakes118.exe   28
    PID 2460 wrote to memory of 2032   2460  cmd.exe                                              30
    PID 2460 wrote to memory of 2032   2460  cmd.exe                                              30
    PID 2460 wrote to memory of 2032   2460  cmd.exe                                              30
    PID 2460 wrote to memory of 2032   2460  cmd.exe                                              30
Processes
  C:\Users\Admin\AppData\Local\Temp\476c2693f84de69b7a08a855610802f5_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\476c2693f84de69b7a08a855610802f5_JaffaCakes118.exe"
    PID: 2224
    Signatures:
      - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c timeout 5 && del C:\Users\Admin\AppData\Local\Temp\476C26~1.EXE
      PID: 2460
      Signatures:
        - Deletes itself
        - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\timeout.exe
        Command line: timeout 5
        PID: 2032
        Signatures:
          - Delays execution with timeout.exe