Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
19/07/2024, 20:59
Static task
static1
Behavioral task
behavioral1
Sample
5da51036fefdf4c7f7db390a094de4e6_JaffaCakes118.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
5da51036fefdf4c7f7db390a094de4e6_JaffaCakes118.exe
Resource
win10v2004-20240704-en
General
-
Target
5da51036fefdf4c7f7db390a094de4e6_JaffaCakes118.exe
-
Size
108KB
-
MD5
5da51036fefdf4c7f7db390a094de4e6
-
SHA1
02640523045d913daf711ee8431aaf0b4c5dbb74
-
SHA256
6b214ed5011ddf2c53821a9a3d11cfffabbb9c376952131a0dc4f73d463761d4
-
SHA512
c7967c23db2315c7797c11a20fbf87fe62f7401e372db1aade971e0d5b035eee819f613fe92c126b621386155584ace61a26c15e09008e6ea53bd97d75922e25
-
SSDEEP
768:y4I9Rgzqn4N8+p1KQqZ8hU07dFzMd24MUlX8HUaD4AMenvHRNjcZPAhT8Hl67bdS:yPRsFx4MBHgFAhQFCdaG40TYPmhbm
Malware Config
Signatures
-
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run 5da51036fefdf4c7f7db390a094de4e6_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Update Client = "C:\\Windows\\services.exe" 5da51036fefdf4c7f7db390a094de4e6_JaffaCakes118.exe Key deleted \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run 5da51036fefdf4c7f7db390a094de4e6_JaffaCakes118.exe -
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Q: 5da51036fefdf4c7f7db390a094de4e6_JaffaCakes118.exe File opened (read-only) \??\U: 5da51036fefdf4c7f7db390a094de4e6_JaffaCakes118.exe File opened (read-only) \??\H: 5da51036fefdf4c7f7db390a094de4e6_JaffaCakes118.exe File opened (read-only) \??\P: 5da51036fefdf4c7f7db390a094de4e6_JaffaCakes118.exe File opened (read-only) \??\L: 5da51036fefdf4c7f7db390a094de4e6_JaffaCakes118.exe File opened (read-only) \??\M: 5da51036fefdf4c7f7db390a094de4e6_JaffaCakes118.exe File opened (read-only) \??\O: 5da51036fefdf4c7f7db390a094de4e6_JaffaCakes118.exe File opened (read-only) \??\S: 5da51036fefdf4c7f7db390a094de4e6_JaffaCakes118.exe File opened (read-only) \??\T: 5da51036fefdf4c7f7db390a094de4e6_JaffaCakes118.exe File opened (read-only) \??\Z: 5da51036fefdf4c7f7db390a094de4e6_JaffaCakes118.exe File opened (read-only) \??\G: 5da51036fefdf4c7f7db390a094de4e6_JaffaCakes118.exe File opened (read-only) \??\I: 5da51036fefdf4c7f7db390a094de4e6_JaffaCakes118.exe File opened (read-only) \??\W: 5da51036fefdf4c7f7db390a094de4e6_JaffaCakes118.exe File opened (read-only) \??\X: 5da51036fefdf4c7f7db390a094de4e6_JaffaCakes118.exe File opened (read-only) \??\K: 5da51036fefdf4c7f7db390a094de4e6_JaffaCakes118.exe File opened (read-only) \??\R: 5da51036fefdf4c7f7db390a094de4e6_JaffaCakes118.exe File opened (read-only) \??\N: 5da51036fefdf4c7f7db390a094de4e6_JaffaCakes118.exe File opened (read-only) \??\V: 5da51036fefdf4c7f7db390a094de4e6_JaffaCakes118.exe File opened (read-only) \??\Y: 5da51036fefdf4c7f7db390a094de4e6_JaffaCakes118.exe File opened (read-only) \??\E: 5da51036fefdf4c7f7db390a094de4e6_JaffaCakes118.exe File opened (read-only) \??\J: 5da51036fefdf4c7f7db390a094de4e6_JaffaCakes118.exe -
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification F:\autorun.inf 5da51036fefdf4c7f7db390a094de4e6_JaffaCakes118.exe File created F:\autorun.inf 5da51036fefdf4c7f7db390a094de4e6_JaffaCakes118.exe File opened for modification C:\autorun.inf 5da51036fefdf4c7f7db390a094de4e6_JaffaCakes118.exe File created C:\autorun.inf 5da51036fefdf4c7f7db390a094de4e6_JaffaCakes118.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\services.exe 5da51036fefdf4c7f7db390a094de4e6_JaffaCakes118.exe File opened for modification C:\Windows\services.exe 5da51036fefdf4c7f7db390a094de4e6_JaffaCakes118.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1188 5da51036fefdf4c7f7db390a094de4e6_JaffaCakes118.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1188 5da51036fefdf4c7f7db390a094de4e6_JaffaCakes118.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\5da51036fefdf4c7f7db390a094de4e6_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\5da51036fefdf4c7f7db390a094de4e6_JaffaCakes118.exe"1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1188
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
108KB
MD55da51036fefdf4c7f7db390a094de4e6
SHA102640523045d913daf711ee8431aaf0b4c5dbb74
SHA2566b214ed5011ddf2c53821a9a3d11cfffabbb9c376952131a0dc4f73d463761d4
SHA512c7967c23db2315c7797c11a20fbf87fe62f7401e372db1aade971e0d5b035eee819f613fe92c126b621386155584ace61a26c15e09008e6ea53bd97d75922e25