Analysis
max time kernel: 149s
max time network: 120s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 15/07/2024, 19:53
Static task: static1
Behavioral task: behavioral1
  Sample: 4b293b92490c6429bd6258c3958230c4_JaffaCakes118.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 4b293b92490c6429bd6258c3958230c4_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
Target: 4b293b92490c6429bd6258c3958230c4_JaffaCakes118.exe
Size: 281KB
MD5: 4b293b92490c6429bd6258c3958230c4
SHA1: 23017875e097a9ad047fedc26e300e0265845659
SHA256: 81443acb6f619d6e7d85c0ae4a7b41f35aad4a87c817c9bde397e329fa19d138
SHA512: 02b47c9f2711a87a5a96224464947659608c2fb47b557cd55a392fb0808df11cb2b0a2e4e015dc2d895ded21e68aa4fc163a69fcee88bd1c8d364a882fe89820
SSDEEP: 6144:Z1w39kuuhQ/4lj9nywgCUlR0QnL+DHzJusOBiFTdxyAK7KB:HwN+7ywhUlRJexOmJoAK+B
Malware Config
Signatures
Deletes itself (1 IoC)
  PID 2272 cmd.exe
Executes dropped EXE (1 IoC)
  PID 2440 jspauh.exe
Loads dropped DLL (4 IoCs)
  PID 2272 cmd.exe (2 entries), PID 2440 jspauh.exe (2 entries)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Kills process with taskkill (1 IoC)
  PID 2524 taskkill.exe
Runs ping.exe (1 TTP, 1 IoC)
  PID 3008 PING.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  All 64 entries: PID 2440 jspauh.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 2524 taskkill.exe
Suspicious use of FindShellTrayWindow (4 IoCs)
  PID 2440 jspauh.exe (4 entries)
Suspicious use of SendNotifyMessage (4 IoCs)
  PID 2440 jspauh.exe (4 entries)
Suspicious use of WriteProcessMemory (16 IoCs; each of the four events below is listed four times)
  PID 976 (4b293b92490c6429bd6258c3958230c4_JaffaCakes118.exe) wrote to memory of PID 2272, procid_target 29
  PID 2272 (cmd.exe) wrote to memory of PID 2524, procid_target 31
  PID 2272 (cmd.exe) wrote to memory of PID 3008, procid_target 33
  PID 2272 (cmd.exe) wrote to memory of PID 2440, procid_target 34
Processes
The tree below is the whole story of this run: the sample (PID 976) spawns a cmd.exe helper that kills the parent by PID, pauses with a loopback ping, deletes the original file from Temp and then starts the copy already written to AppData\Local as jspauh.exe -f. The image paths resolve under SysWOW64 although the command line names System32\cmd.exe, so the entire chain runs as 32-bit processes under WoW64 file-system redirection.

C:\Users\Admin\AppData\Local\Temp\4b293b92490c6429bd6258c3958230c4_JaffaCakes118.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4b293b92490c6429bd6258c3958230c4_JaffaCakes118.exe"
  PID: 976
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c taskkill /f /pid 976 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\4b293b92490c6429bd6258c3958230c4_JaffaCakes118.exe" & start C:\Users\Admin\AppData\Local\jspauh.exe -f
    PID: 2272
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\taskkill.exe (depth 3)
      Command line: taskkill /f /pid 976
      PID: 2524
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping -n 3 127.1
      PID: 3008
      - Runs ping.exe
    C:\Users\Admin\AppData\Local\jspauh.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\jspauh.exe -f
      PID: 2440
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
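A detection for the kill-delay-delete-relaunch chain carried in the cmd.exe command line above, written here as an added example; it is not code from tria.ge or from this report. It splits the `cmd.exe /c` chain on `&`, `&&` and `||`, then flags a child shell that kills its parent by PID, deletes the parent's image path and starts a different executable, recording the loopback ping as the timing hint. The process records are constructed from the tree above; the root's parent PID (0), the `build.exe` control chain and all function and type names are assumptions of the example.

```python
import re
import shlex
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record: pid, parent pid, image path, command line."""
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class Finding:
    pid: int
    ppid: int
    kills_parent: bool = False          # taskkill /pid <ppid>
    loopback_delay: bool = False        # ping against 127.x / localhost used as a sleep
    deletes_parent_image: bool = False  # del <parent image path>
    starts: Optional[str] = None        # executable launched by `start`

    @property
    def is_self_delete_relocate(self) -> bool:
        # The shape seen in this report: kill the parent, remove its file, run a copy elsewhere.
        return self.kills_parent and self.deletes_parent_image and self.starts is not None


LOOPBACK = {"127.0.0.1", "127.1", "localhost", "::1"}


def split_chain(cmdline: str) -> list[str]:
    """Return the commands chained after `cmd.exe /c`, split on &, && and ||."""
    m = re.search(r"\s/c\s+(.*)$", cmdline, flags=re.IGNORECASE | re.DOTALL)
    body = m.group(1) if m else cmdline
    return [s.strip() for s in re.split(r"\s*(?:&&|\|\||&)\s*", body) if s.strip()]


def tokens(segment: str) -> list[str]:
    # posix=False keeps the backslashes of Windows paths; strip the quotes ourselves.
    return [t.strip('"') for t in shlex.split(segment, posix=False)]


def analyse_cmd(ev: ProcEvent, parent: ProcEvent) -> Finding:
    f = Finding(pid=ev.pid, ppid=ev.ppid)
    for seg in split_chain(ev.cmdline):
        t = tokens(seg)
        if not t:
            continue
        verb = t[0].lower().removesuffix(".exe")
        low = [x.lower() for x in t]
        if verb == "taskkill" and "/pid" in low:
            i = low.index("/pid")
            if i + 1 < len(t) and t[i + 1] == str(parent.pid):
                f.kills_parent = True
        elif verb == "ping" and any(x in LOOPBACK for x in low[1:]):
            f.loopback_delay = True
        elif verb in ("del", "erase") and parent.image.lower() in low[1:]:
            f.deletes_parent_image = True
        elif verb == "start":
            # First non-switch argument. cmd treats a lone quoted token as the
            # window title; that corner is not modelled here.
            args = [x for x in t[1:] if not x.startswith("/")]
            if args:
                f.starts = args[0]
    return f


def detect_self_delete_relocate(events: list[ProcEvent]) -> list[Finding]:
    """Flag every cmd.exe child whose chain kills, deletes and replaces its parent."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        if not ev.image.lower().endswith("\\cmd.exe"):
            continue
        parent = by_pid.get(ev.ppid)
        if parent is None:
            continue
        f = analyse_cmd(ev, parent)
        if f.is_self_delete_relocate:
            findings.append(f)
    return findings


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\4b293b92490c6429bd6258c3958230c4_JaffaCakes118.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\jspauh.exe"

# Records constructed from the process tree in this report. The root's parent
# PID (0) and the build.exe control chain at the end are made up for the example.
SAMPLE_EVENTS = [
    ProcEvent(976, 0, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2272, 976, r"C:\Windows\SysWOW64\cmd.exe",
              rf'"C:\Windows\System32\cmd.exe" /c taskkill /f /pid 976 & ping -n 3 127.1 '
              rf'& del /f /q "{SAMPLE}" & start {DROPPED} -f'),
    ProcEvent(2524, 2272, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /f /pid 976"),
    ProcEvent(3008, 2272, r"C:\Windows\SysWOW64\PING.EXE", "ping -n 3 127.1"),
    ProcEvent(2440, 2272, DROPPED, rf"{DROPPED} -f"),
    ProcEvent(700, 0, r"C:\Tools\build.exe", r"C:\Tools\build.exe"),
    ProcEvent(3100, 700, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c ping -n 3 127.1 & del /q C:\Temp\build.log'),
]

if __name__ == "__main__":
    for f in detect_self_delete_relocate(SAMPLE_EVENTS):
        print(f"cmd.exe pid {f.pid} kills and deletes parent {f.ppid}, then starts {f.starts}")
```

The benign control chain (ping followed by deleting a log file) is not flagged because it neither targets its parent's PID nor its parent's image; keying the `del` and `taskkill` checks to the parent record, rather than to the bare verbs, is what keeps this rule from firing on ordinary cleanup scripts.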
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 281KB
MD5: 4b293b92490c6429bd6258c3958230c4
SHA1: 23017875e097a9ad047fedc26e300e0265845659
SHA256: 81443acb6f619d6e7d85c0ae4a7b41f35aad4a87c817c9bde397e329fa19d138
SHA512: 02b47c9f2711a87a5a96224464947659608c2fb47b557cd55a392fb0808df11cb2b0a2e4e015dc2d895ded21e68aa4fc163a69fcee88bd1c8d364a882fe89820