Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
  max time kernel: 121s
  max time network: 123s
  platform: windows7_x64
  resource: win7-20240708-en
  resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  submitted: 22/07/2024, 13:41

Static task: static1
Behavioral task: behavioral1
  Sample: 6363ddf8a20345c0201868b209afbd63_JaffaCakes118.lnk
  Resource: win7-20240708-en
  4 signatures
  150 seconds
General
  Target: 6363ddf8a20345c0201868b209afbd63_JaffaCakes118.lnk
  Size: 685KB
  MD5: 6363ddf8a20345c0201868b209afbd63
  SHA1: 941727ee9620624f595175468c27f863e3c2bc4a
  SHA256: 3b7cd07e87902deae4b482e987dea9e25a93a55ec783884e8b466dc55c346bce
  SHA512: f885eb46111da748b28b6a78d8e59e8e4f614e66e2e051e7a04d2d857c41513fdf68db77e2ee5319195389d6bd17e08fe5a2b159312e6deff5d157edfe8b2fe4
  SSDEEP: 12288:TQiqkgLGVRivcLwOtIO1nyhuEBUdw3VTVhUn5n/oGugyJ3Yql:TdqLGnZn1NEBUdwa5ngfg4j
Malware Config
Signatures
  - Command and Scripting Interpreter: JavaScript (1 TTPs)
  - Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).
  - Suspicious use of WriteProcessMemory (12 IoCs)
    description                          pid   Process   procid_target
    PID 2972 wrote to memory of 2084     2972  cmd.exe   31
    PID 2972 wrote to memory of 2084     2972  cmd.exe   31
    PID 2972 wrote to memory of 2084     2972  cmd.exe   31
    PID 2084 wrote to memory of 2408     2084  cmd.exe   32
    PID 2084 wrote to memory of 2408     2084  cmd.exe   32
    PID 2084 wrote to memory of 2408     2084  cmd.exe   32
    PID 2084 wrote to memory of 2280     2084  cmd.exe   33
    PID 2084 wrote to memory of 2280     2084  cmd.exe   33
    PID 2084 wrote to memory of 2280     2084  cmd.exe   33
    PID 2084 wrote to memory of 2180     2084  cmd.exe   34
    PID 2084 wrote to memory of 2180     2084  cmd.exe   34
    PID 2084 wrote to memory of 2180     2084  cmd.exe   34
Processes
  C:\Windows\system32\cmd.exe (PID 2972)
    command line: cmd /c C:\Users\Admin\AppData\Local\Temp\6363ddf8a20345c0201868b209afbd63_JaffaCakes118.lnk
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\cmd.exe (PID 2084)
      command line: "C:\Windows\System32\cmd.exe" /c path=C:\Windows\system32&move "compliance-docpack.pdf.lnk " "C:\Users\Admin\AppData\Local\Temp\1.lnk"&type "C:\Users\Admin\AppData\Local\Temp\1.lnk"|find "END2">"C:\Users\Admin\AppData\Local\Temp\0.js"&wscript "C:\Users\Admin\AppData\Local\Temp\0.js"
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\cmd.exe (PID 2408)
        command line: C:\Windows\system32\cmd.exe /S /D /c" type "C:\Users\Admin\AppData\Local\Temp\1.lnk""
      C:\Windows\system32\find.exe (PID 2280)
        command line: find "END2"
      C:\Windows\system32\wscript.exe (PID 2180)
        command line: wscript "C:\Users\Admin\AppData\Local\Temp\0.js"