Analysis
max time kernel: 16s
max time network: 17s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 15/07/2024, 10:21
Static task: static1
Behavioral task: behavioral1
  Sample: 495ed03e17c27fa4c20deb6bd435dc2c_JaffaCakes118.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 495ed03e17c27fa4c20deb6bd435dc2c_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
Target: 495ed03e17c27fa4c20deb6bd435dc2c_JaffaCakes118.exe
Size: 1.8MB
MD5: 495ed03e17c27fa4c20deb6bd435dc2c
SHA1: 4ff6f239ed7adf13368e0ba8df0d44230837085a
SHA256: 46234949af62291242805d2f33a6af522efce251cfc053465be677d29a2a19fd
SHA512: ccfc6a43c9a22f022ea95399cda607c26dccd4b5d031c18891a897fd94c502dd280c8083061a23a6474477a1085c995d8e6f978d25741016db5b06e39bd991cc
SSDEEP: 24576:f1kXXvxyJp759Potg4rfYF1NLpw5aopS/IVyCRE/a8Gg9bnRvOmpC9L58jXWeSvH:f1I56947yLGgZR7M2GeSuc78LA
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
  pid   Process
  2084  ffffff.Exe
  2800  suportfile.Exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   Process                                             procid_target
  PID 3060 wrote to memory of 2084   3060  495ed03e17c27fa4c20deb6bd435dc2c_JaffaCakes118.exe  30
  PID 3060 wrote to memory of 2084   3060  495ed03e17c27fa4c20deb6bd435dc2c_JaffaCakes118.exe  30
  PID 3060 wrote to memory of 2084   3060  495ed03e17c27fa4c20deb6bd435dc2c_JaffaCakes118.exe  30
  PID 3060 wrote to memory of 2800   3060  495ed03e17c27fa4c20deb6bd435dc2c_JaffaCakes118.exe  31
  PID 3060 wrote to memory of 2800   3060  495ed03e17c27fa4c20deb6bd435dc2c_JaffaCakes118.exe  31
  PID 3060 wrote to memory of 2800   3060  495ed03e17c27fa4c20deb6bd435dc2c_JaffaCakes118.exe  31
  PID 2800 wrote to memory of 2836   2800  suportfile.Exe                                      32
  PID 2800 wrote to memory of 2836   2800  suportfile.Exe                                      32
  PID 2800 wrote to memory of 2836   2800  suportfile.Exe                                      32
  PID 2084 wrote to memory of 2816   2084  ffffff.Exe                                          33
  PID 2084 wrote to memory of 2816   2084  ffffff.Exe                                          33
  PID 2084 wrote to memory of 2816   2084  ffffff.Exe                                          33
Processes
C:\Users\Admin\AppData\Local\Temp\495ed03e17c27fa4c20deb6bd435dc2c_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\495ed03e17c27fa4c20deb6bd435dc2c_JaffaCakes118.exe"
  - Suspicious use of WriteProcessMemory
  PID: 3060
  C:\Users\Admin\AppData\Local\Temp\ffffff.Exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ffffff.Exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 2084
    C:\Users\Admin\AppData\Local\Temp\ffffff.Exe
      Command line: C:\Users\Admin\AppData\Local\Temp\ffffff.Exe
      PID: 2816
  C:\Users\Admin\AppData\Local\Temp\suportfile.Exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\suportfile.Exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 2800
    C:\Users\Admin\AppData\Local\Temp\suportfile.Exe
      Command line: C:\Users\Admin\AppData\Local\Temp\suportfile.Exe
      PID: 2836
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 455KB
  MD5: bf3c1f671f121628fc964cabf472a19b
  SHA1: da4b2223eea9723cfe1b570eba33b650bc80d315
  SHA256: b37cf7ec35578d632d7b7d733469f05efc8522422323da059ddf2d3c75e8145e
  SHA512: cd16c6101deb99eac27ec78a2d350474029cd44fc5032704b1c71548a3104f48f840b75bf333ca4dc996872a5ded7e87ba031cc9838454459c755b37dabc5d13
Filesize: 455KB
  MD5: b0b3e82bf01f657a40d05de4951bb51f
  SHA1: b5dbb22a9bfc75cd3881a60d84f5d698fed01fcf
  SHA256: 127b73e86090068ecb213498da64f62860c13c8c28aefc5928778a88f1db0638
  SHA512: 9061f9f78250f076ccba54d9999165219709ab92d4e1c70ca302779f127fb7bebd3ff1c468c0f04be12092b84caf567f3eedf134bea24d9a7cd6596d2d1e3731