Analysis
max time kernel: 149s
max time network: 151s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 20/07/2024, 10:25
Behavioral task: behavioral1
Sample: 601b85cd6d088bd86d9d21e8f54a2fed_JaffaCakes118.exe
Resource: win7-20240704-en

Behavioral task: behavioral2
Sample: 601b85cd6d088bd86d9d21e8f54a2fed_JaffaCakes118.exe
Resource: win10v2004-20240709-en
General
Target: 601b85cd6d088bd86d9d21e8f54a2fed_JaffaCakes118.exe
Size: 182KB
MD5: 601b85cd6d088bd86d9d21e8f54a2fed
SHA1: 8cb4059305ae688fdc02e296f445a02784e01108
SHA256: 1c666eccfe50dc191a32e5c77229fc791e89fa6e5d1ebf235a1c13d5a2225030
SHA512: 4e035b1227de2eef0b4f5f0ef6ff6c78964c6303c2fd5ad6e7b85b41bcf1b733aafe403bcea2466d46269946b4ec5365269b59a6615236915d056d834b994032
SSDEEP: 3072:aLbPRzNoP80lMaV5Q93DKAJjjH6bJjtpivAk12Ln/2IeWXE5MV6CWiqD89SfIIUy:+MP80lzLW3DJJP6bJjjoH1o/2lW020CS
Malware Config
Signatures

resource: behavioral1/files/0x0007000000018b3e-32.dat
yara_rule: aspack_v212_v242

Executes dropped EXE 1 IoCs
pid: 2688  Process: taskimg.exe

Loads dropped DLL 2 IoCs
pid: 2104  Process: cmd.exe
pid: 2104  Process: cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\taskmrg.exe = "C:\\Windows\\system32\\taskimg.exe"
Process: 601b85cd6d088bd86d9d21e8f54a2fed_JaffaCakes118.exe

Drops file in System32 directory 6 IoCs
description: File created                ioc: C:\Windows\SysWOW64\active_url.dll  Process: 601b85cd6d088bd86d9d21e8f54a2fed_JaffaCakes118.exe
description: File created                ioc: C:\Windows\SysWOW64\taskimg.exe     Process: 601b85cd6d088bd86d9d21e8f54a2fed_JaffaCakes118.exe
description: File opened for modification  ioc: C:\Windows\SysWOW64\taskimg.exe     Process: 601b85cd6d088bd86d9d21e8f54a2fed_JaffaCakes118.exe
description: File created                ioc: C:\Windows\SysWOW64\winsys.bat      Process: 601b85cd6d088bd86d9d21e8f54a2fed_JaffaCakes118.exe
description: File opened for modification  ioc: C:\Windows\SysWOW64\active_url.dll  Process: taskimg.exe
description: File created                ioc: C:\Windows\SysWOW64\active_url.dll  Process: taskimg.exe
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 601b85cd6d088bd86d9d21e8f54a2fed_JaffaCakes118.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1
c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 601b85cd6d088bd86d9d21e8f54a2fed_JaffaCakes118.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid: 2812  Process: PING.EXE

Suspicious use of WriteProcessMemory 12 IoCs
description: PID 2556 wrote to memory of 2104  pid: 2556  Process: 601b85cd6d088bd86d9d21e8f54a2fed_JaffaCakes118.exe  procid_target: 30
description: PID 2556 wrote to memory of 2104  pid: 2556  Process: 601b85cd6d088bd86d9d21e8f54a2fed_JaffaCakes118.exe  procid_target: 30
description: PID 2556 wrote to memory of 2104  pid: 2556  Process: 601b85cd6d088bd86d9d21e8f54a2fed_JaffaCakes118.exe  procid_target: 30
description: PID 2556 wrote to memory of 2104  pid: 2556  Process: 601b85cd6d088bd86d9d21e8f54a2fed_JaffaCakes118.exe  procid_target: 30
description: PID 2104 wrote to memory of 2812  pid: 2104  Process: cmd.exe  procid_target: 32
description: PID 2104 wrote to memory of 2812  pid: 2104  Process: cmd.exe  procid_target: 32
description: PID 2104 wrote to memory of 2812  pid: 2104  Process: cmd.exe  procid_target: 32
description: PID 2104 wrote to memory of 2812  pid: 2104  Process: cmd.exe  procid_target: 32
description: PID 2104 wrote to memory of 2688  pid: 2104  Process: cmd.exe  procid_target: 33
description: PID 2104 wrote to memory of 2688  pid: 2104  Process: cmd.exe  procid_target: 33
description: PID 2104 wrote to memory of 2688  pid: 2104  Process: cmd.exe  procid_target: 33
description: PID 2104 wrote to memory of 2688  pid: 2104  Process: cmd.exe  procid_target: 33
Processes

1. C:\Users\Admin\AppData\Local\Temp\601b85cd6d088bd86d9d21e8f54a2fed_JaffaCakes118.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\601b85cd6d088bd86d9d21e8f54a2fed_JaffaCakes118.exe"
   - Adds Run key to start application
   - Drops file in System32 directory
   - Modifies system certificate store
   - Suspicious use of WriteProcessMemory
   PID: 2556

   2. C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c C:\Windows\system32\winsys.bat
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID: 2104

      3. C:\Windows\SysWOW64\PING.EXE
         command line: ping localhost
         - Runs ping.exe
         PID: 2812

      3. C:\Windows\SysWOW64\taskimg.exe
         command line: C:\Windows\system32\taskimg.exe
         - Executes dropped EXE
         - Drops file in System32 directory
         PID: 2688
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 717B
MD5: 822467b728b7a66b081c91795373789a
SHA1: d8f2f02e1eef62485a9feffd59ce837511749865
SHA256: af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9
SHA512: bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Filesize: 503B
MD5: 2ed7ba52dde93dbc327035f6c6c7dbd3
SHA1: e6e98c6c74d0abfe96d630c52740e0817d335c47
SHA256: 9dab07e4e900aaa46e1ec20563a6a1bd44911e6e42a15db49295892c797fdf10
SHA512: d161ee2d4718665c36b3b299e089f21908fe6c7b14e87e5b49e139cb73a5c8fbbe294c24b731812f06fa78e641741b06e24e33be2edd0772ff4ecf9180582192

Filesize: 504B
MD5: e38d8b1a26aad6db08ae45fd0a90d10a
SHA1: e8e6684dc7d685cd34a40ca129eece51505a0cf6
SHA256: 1c1ec960d19541b732b6cc767b7f7cfe66163c83f5e2fc4652dc773b7192ad4a
SHA512: c0cede8e29d942236750b30b9c487566fa310c1dde82d7e5aac6144f82108048fa3991e2277eb4cd23af40cd09b3989ae849d13497971cd0089c6e5874380337

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize: 192B
MD5: cc656c5d3676eb16f17a07c138e5ddf5
SHA1: c5621f8466800ff969e1e1d62eb105f17b6e0fd8
SHA256: a3ee5706c483d516b84b13e90a767d172768d82670a58b0656d6c3951c44981f
SHA512: ce6090d7f41bf1929b572b839645b36a6256cf1de6df15d868438708036e39dff2bf092988c264086df03973d68c69e411af8d5eab67bf474e1b650a96acf1f9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A9311A43BB35D90CA31DB0B353DC2084
Filesize: 548B
MD5: c08fea725f64a3111a6a4e87b550824a
SHA1: 84cb3b559ca2b8fb3e52d3abe2f0e8883017a331
SHA256: 7156f951ce32dfa16ed5c4a6b6ec7f4749949faa2ecfa90ea6c70cd34a5979e3
SHA512: 117240ea4cd96dedae89426776458df21bc544f168e1b7c9a903729f3e547b0f465684fc9ada5ff15432b0480d1c30ccc2e8dc3b146d80e9dd229fcab4f98193

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B739B29E00001B3AAE62EC8865A3C7C2
Filesize: 550B
MD5: f6b87a978adb8a1eb126dfc004687f04
SHA1: 90d1e0b6672ba3dae67f99518ac7ea6f724ecffd
SHA256: 3f321229a4c8e166fca385a0036b6920cfaafc4716b2e559c0b53c833738215b
SHA512: fee3f87d0d5729550cef0356f397f055f316abd53cad76100c1808b655f583a7502592a56799a9a7d35f84bb18f6c333cad30c38a4e1b8827fe87c68a353d831

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NFAY0EOS\revisador[1].htm
Filesize: 322B
MD5: a62b0493438fd61d0cde8dffc3a8616e
SHA1: 07b00bdf8e858c6c3fc06554f6c5fd4955c5ab43
SHA256: 9820da6718489adaa1ab2ada6f043af32870a720f7589d6e44252d9a8001d7fc
SHA512: a10c56ed5ab7c372140fb52d245d034d772328dc6649ebe45e86a4cf7c887e39b5d2fc26455a080891d81769d444cf2348e621edc0a07b2cfb482e979d1cbf88

Filesize: 70KB
MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1: 1723be06719828dda65ad804298d0431f6aff976
SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Filesize: 34KB
MD5: bf23b8211a7154788bbafcd6bb19c027
SHA1: 61cfa125b60203502b95778e2459da3b771acfd2
SHA256: b55b066aa7acddfd4dc39411927ba020afb1e8abe7df56c4aa50d1c841c7cdcc
SHA512: cb41eeae5701c9f28270bb0f979c03619bd31c8a7cd90d985650008578ed50a3407cd9b54abfb419217e018b442d0102d035ade93e301f6d3fc6d48e6a0400c5

Filesize: 73B
MD5: cc498e91d17130bb2da47fa2c635f09e
SHA1: e01d7c7a67f50ebb7da552fc27a6555af253f61b
SHA256: 709b45ebdc8e80db1d3df44e0335004cc8f43be7482010ee0732ecf923ec172e
SHA512: 32cf292949760129a6767ddaeaac2b8595e682903883963c7a9e6da0b9269035f235164fb5cfc61a9e32b74a0beb57b0123ed350679923b4021b1838b8b414ce

Filesize: 182KB
MD5: 601b85cd6d088bd86d9d21e8f54a2fed
SHA1: 8cb4059305ae688fdc02e296f445a02784e01108
SHA256: 1c666eccfe50dc191a32e5c77229fc791e89fa6e5d1ebf235a1c13d5a2225030
SHA512: 4e035b1227de2eef0b4f5f0ef6ff6c78964c6303c2fd5ad6e7b85b41bcf1b733aafe403bcea2466d46269946b4ec5365269b59a6615236915d056d834b994032