Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 19/07/2024, 05:56
Static task: static1
Behavioral task: behavioral1
Sample: 5ab98fa374fb3354a17b9f2ae40b2b32_JaffaCakes118.exe
Resource: win7-20240705-en
General
Target: 5ab98fa374fb3354a17b9f2ae40b2b32_JaffaCakes118.exe
Size: 359KB
MD5: 5ab98fa374fb3354a17b9f2ae40b2b32
SHA1: 64cf30c5ed3aee9b1d29e296988aa93d9f3bcf3a
SHA256: 1cf8af841511bc3a1210c9c02276627d87dd07d38bbb2baa44c20cf55c3a76f3
SHA512: c673116e62e79a128093f34dda0abb04e59a2bf2ac13e967cd1882551bf63f9e779a6f6e23933bed2d91440005bac3e7724eef31e722c6c243a43c821cfa0a52
SSDEEP: 6144:0BFybY/7YsXUmrXgEXrMzp14WaumddWFlhdYBb+vDDTH0DcPGCa3DLb8NHiB:0Cm/XXgsdumdIlnYqDDTUwPbWLb8NCB
Malware Config
Signatures

Deletes itself (1 IoCs)
    pid    Process
    2772   cmd.exe

Reads user/profile data of web browsers (2 TTPs)
    Infostealers often target stored browser data, which can include saved credentials etc.

Suspicious use of WriteProcessMemory (12 IoCs)
    description                          pid    Process                                              procid_target
    PID 2304 wrote to memory of 2772     2304   5ab98fa374fb3354a17b9f2ae40b2b32_JaffaCakes118.exe   31
    PID 2304 wrote to memory of 2772     2304   5ab98fa374fb3354a17b9f2ae40b2b32_JaffaCakes118.exe   31
    PID 2304 wrote to memory of 2772     2304   5ab98fa374fb3354a17b9f2ae40b2b32_JaffaCakes118.exe   31
    PID 2304 wrote to memory of 2772     2304   5ab98fa374fb3354a17b9f2ae40b2b32_JaffaCakes118.exe   31
    PID 2772 wrote to memory of 2764     2772   cmd.exe                                              33
    PID 2772 wrote to memory of 2764     2772   cmd.exe                                              33
    PID 2772 wrote to memory of 2764     2772   cmd.exe                                              33
    PID 2772 wrote to memory of 2764     2772   cmd.exe                                              33
    PID 2772 wrote to memory of 2720     2772   cmd.exe                                              34
    PID 2772 wrote to memory of 2720     2772   cmd.exe                                              34
    PID 2772 wrote to memory of 2720     2772   cmd.exe                                              34
    PID 2772 wrote to memory of 2720     2772   cmd.exe                                              34

Views/modifies file attributes (1 TTPs, 2 IoCs)
    pid    Process
    2764   attrib.exe
    2720   attrib.exe
Processes

C:\Users\Admin\AppData\Local\Temp\5ab98fa374fb3354a17b9f2ae40b2b32_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\5ab98fa374fb3354a17b9f2ae40b2b32_JaffaCakes118.exe"
    PID: 2304
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\MACROM~1\FLASHP~1\E9F2TM~1.BAT
        PID: 2772
        - Deletes itself
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\attrib.exe
            Command line: attrib -R -S -H "C:\Users\Admin\AppData\Local\Temp\5ab98fa374fb3354a17b9f2ae40b2b32_JaffaCakes118.exe"
            PID: 2764
            - Views/modifies file attributes

        C:\Windows\SysWOW64\attrib.exe
            Command line: attrib -R -S -H "C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\E9F2.tmp.bat"
            PID: 2720
            - Views/modifies file attributes
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 494B
MD5: c468f5fb0089c8e8926c940e73e3d7fd
SHA1: 5d92d48064156b713160d2dda84aea65c84f4965
SHA256: eef9555096048792c087e2062c345190e78340d86b5555c1110585039b30a9d9
SHA512: 509a63459c3a0472a1fd7c4f403acc8b86fe876561302a317443f64c85884767a089240e5d0f5d6f02e990f8a9e4b782b7d4a413022411ab8efb21fab3932a53