Analysis
max time kernel: 143s
max time network: 139s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 15/07/2024, 03:04
Static task: static1
Behavioral task: behavioral1
  Sample: 47f13cf60a4f1d02784afc85702bedba_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 47f13cf60a4f1d02784afc85702bedba_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
Target: 47f13cf60a4f1d02784afc85702bedba_JaffaCakes118.exe
Size: 493KB
MD5: 47f13cf60a4f1d02784afc85702bedba
SHA1: 9a462b0f2e888645e4bde83391da0eb333db34e0
SHA256: a1eef8a5a7b1640d2f161a67563766b6dd899f1ada93426c1fc1e2e599323f18
SHA512: d26cccbc1fa16fb54b323f8e560f31cf707d1bc4104fa9f3485e2b854a5ced5d9045a706aef082f2ca2227960306940f4aaf623d628129e72f7c5cbf7d0cb914
SSDEEP: 6144:/sShZWyrW/gR4nsnDYdCzxyn1Nmrf2mzq46uyIuKmL03yNH6AYdzlRx1edQRX6YL:/anskwzYn1YTHpIzKmgih65udQhQ0kc
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
  pid   Process
  2252  10mtsbem.vsg.exe
  2772  winlog.exe

Loads dropped DLL (5 IoCs)
  pid   Process
  1296  47f13cf60a4f1d02784afc85702bedba_JaffaCakes118.exe
  1296  47f13cf60a4f1d02784afc85702bedba_JaffaCakes118.exe
  2252  10mtsbem.vsg.exe
  2252  10mtsbem.vsg.exe
  2252  10mtsbem.vsg.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                                                     Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlog.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\winlog.exe"  winlog.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of FindShellTrayWindow (1 IoC)
  pid   Process
  2380  DllHost.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description                       pid   Process                                              procid_target
  PID 1296 wrote to memory of 2252  1296  47f13cf60a4f1d02784afc85702bedba_JaffaCakes118.exe  30
  PID 1296 wrote to memory of 2252  1296  47f13cf60a4f1d02784afc85702bedba_JaffaCakes118.exe  30
  PID 1296 wrote to memory of 2252  1296  47f13cf60a4f1d02784afc85702bedba_JaffaCakes118.exe  30
  PID 1296 wrote to memory of 2252  1296  47f13cf60a4f1d02784afc85702bedba_JaffaCakes118.exe  30
  PID 2252 wrote to memory of 2772  2252  10mtsbem.vsg.exe                                     32
  PID 2252 wrote to memory of 2772  2252  10mtsbem.vsg.exe                                     32
  PID 2252 wrote to memory of 2772  2252  10mtsbem.vsg.exe                                     32
  PID 2252 wrote to memory of 2772  2252  10mtsbem.vsg.exe                                     32
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\47f13cf60a4f1d02784afc85702bedba_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\47f13cf60a4f1d02784afc85702bedba_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 1296

  Depth 2: C:\Users\Admin\AppData\Local\Temp\10mtsbem.vsg.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\10mtsbem.vsg.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 2252

    Depth 3: C:\Users\Admin\AppData\Roaming\Microsoft\winlog.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\winlog.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      PID: 2772

Depth 1: C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  - Suspicious use of FindShellTrayWindow
  PID: 2380
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 101KB
MD5: 3aa561474f8dd9c65b53366a1e81e6ab
SHA1: 513d3ecc100d4d898c1ef750bdcc7f0f096e0400
SHA256: 48d6d5ba46b6834947fd73a0f7df3ee984382102fb1eb7981a0f14fdffa51e8c
SHA512: 4f4092808625a0bddfd81ad0083a1b7dbc2848acfcba69905c79d56a7ede53db1dbcdec30d3c97b73a0aee784cbd946abefcab71e6b322416b07f4c7645ed0a3

Filesize: 141KB
MD5: a142e11261041cbb97bf9a6848423ee4
SHA1: f932c93eaeed6d104af232e99442ead254fa4352
SHA256: 54231a7fd587a624c08166605b733fed6e4d1a9861e599fba6619bb6583103b6
SHA512: 06ad01c2696aef16dcb7effd4df1bd72c7610845464ca7eec93f1b8de86a0a84d299d4fd0ff709142e98680770450d2b0f1e22c574a6014a608c1b5e4879e1df