Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
  max time kernel:  141s
  max time network: 134s
  platform:         windows7_x64
  resource:         win7-20240708-en
  resource tags:    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  submitted:        15/07/2024, 10:57
Static task
  static1
Behavioral task
  behavioral1
    Sample:   497bb91fff49dcd8d17165617b51e6db_JaffaCakes118.exe
    Resource: win7-20240708-en
Behavioral task
  behavioral2
    Sample:   497bb91fff49dcd8d17165617b51e6db_JaffaCakes118.exe
    Resource: win10v2004-20240709-en
General
  Target: 497bb91fff49dcd8d17165617b51e6db_JaffaCakes118.exe
  Size:   795KB
  MD5:    497bb91fff49dcd8d17165617b51e6db
  SHA1:   444235e181d457d5686c07ee6fbc24eaad760c1c
  SHA256: 7dde61f69415ffb78a11ac86760f99cd4e1ce840da4499885c000b75c6204f6a
  SHA512: 9bd07792d22385a87f483b1e103d40c084243327c09a6c1e9bca8a41b47c805ff71d551a220ebcc710560ecb107c3551c3d4dd80b5cd07f720fd718cdff0a6a9
  SSDEEP: 12288:sRn8S++U4u/n/80dW5A0zyo6JwQ5oAlK+GbRvZBIkSZQQ52LYRg08yPwrRkSIXd:w8MU4ufxdW5A2mJr/khRv7IkSV3YFW
Malware Config
Signatures
Deletes itself (1 IoCs)
  pid   Process
  2152  cmd.exe
Executes dropped EXE (1 IoCs)
  pid   Process
  2984  Windows XP.exe
Loads dropped DLL (1 IoCs)
  pid   Process
  2984  Windows XP.exe
Drops file in Program Files directory (3 IoCs)
  description                  ioc                                Process
  File created                 C:\PRogram Files\Windows XP.exe    497bb91fff49dcd8d17165617b51e6db_JaffaCakes118.exe
  File opened for modification C:\PRogram Files\Windows XP.exe    497bb91fff49dcd8d17165617b51e6db_JaffaCakes118.exe
  File created                 C:\PRogram Files\NDKHQI.DAT        497bb91fff49dcd8d17165617b51e6db_JaffaCakes118.exe
Drops file in Windows directory (1 IoCs)
  description   ioc                        Process
  File created  C:\Windows\61642520.BAT    497bb91fff49dcd8d17165617b51e6db_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description               pid   Process
  Token: SeDebugPrivilege   2228  497bb91fff49dcd8d17165617b51e6db_JaffaCakes118.exe
  Token: SeDebugPrivilege   2984  Windows XP.exe
Suspicious use of FindShellTrayWindow (1 IoCs)
  pid   Process
  2984  Windows XP.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  2984  Windows XP.exe
  2984  Windows XP.exe
Suspicious use of WriteProcessMemory (8 IoCs)
  description                       pid   Process                                              procid_target
  PID 2984 wrote to memory of 2004  2984  Windows XP.exe                                       31
  PID 2984 wrote to memory of 2004  2984  Windows XP.exe                                       31
  PID 2984 wrote to memory of 2004  2984  Windows XP.exe                                       31
  PID 2984 wrote to memory of 2004  2984  Windows XP.exe                                       31
  PID 2228 wrote to memory of 2152  2228  497bb91fff49dcd8d17165617b51e6db_JaffaCakes118.exe  32
  PID 2228 wrote to memory of 2152  2228  497bb91fff49dcd8d17165617b51e6db_JaffaCakes118.exe  32
  PID 2228 wrote to memory of 2152  2228  497bb91fff49dcd8d17165617b51e6db_JaffaCakes118.exe  32
  PID 2228 wrote to memory of 2152  2228  497bb91fff49dcd8d17165617b51e6db_JaffaCakes118.exe  32
Processes
- C:\Users\Admin\AppData\Local\Temp\497bb91fff49dcd8d17165617b51e6db_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\497bb91fff49dcd8d17165617b51e6db_JaffaCakes118.exe"
  PID: 2228
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c C:\Windows\61642520.BAT
    PID: 2152
    - Deletes itself
- C:\PRogram Files\Windows XP.exe
  Command line: "C:\PRogram Files\Windows XP.exe"
  PID: 2984
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
    PID: 2004
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 51KB
  MD5:    aefafdd5c9b62db20fd28e0f935263e8
  SHA1:   3df1cb906cc6180776143b3cc8dd77d2d6956d59
  SHA256: 9550cb7dcb5aae17c30239da490f44b782c0be45f626073a83cfafd45c9e8d3e
  SHA512: e3e953bcede18dbd183defe2e60c1ba654cec65eaa7a8d483f262b77d76cdbba1a13a9adfd8804f586ccf6ae69f3053f8963d9d4c1193df17a5209fa06c53d40
- Filesize: 795KB
  MD5:    497bb91fff49dcd8d17165617b51e6db
  SHA1:   444235e181d457d5686c07ee6fbc24eaad760c1c
  SHA256: 7dde61f69415ffb78a11ac86760f99cd4e1ce840da4499885c000b75c6204f6a
  SHA512: 9bd07792d22385a87f483b1e103d40c084243327c09a6c1e9bca8a41b47c805ff71d551a220ebcc710560ecb107c3551c3d4dd80b5cd07f720fd718cdff0a6a9
- Filesize: 218B
  MD5:    223c94493235a122fb3e49bee8bcae22
  SHA1:   dc37ebd45a0bb7437ade54e069ed1e0ff5e64186
  SHA256: aa907e53dc5191894b6b036e521eff2d65e29b79b007d90206fc34d3e993234a
  SHA512: f4e407e4604e4d543cc30ee12ee4a8354c32ea4fdc08901ac7f4285f2ac1747f2a41230716f8bbad5835f5dcb92c496ec2ec231bfb6de0c26298a07ef0163f66