Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 140s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 22/07/2024, 17:06
Static task: static1
Behavioral task: behavioral1
- Sample: 64096186747c468b881e47631bac27d8_JaffaCakes118.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 64096186747c468b881e47631bac27d8_JaffaCakes118.exe
- Resource: win10v2004-20240709-en
General
- Target: 64096186747c468b881e47631bac27d8_JaffaCakes118.exe
- Size: 104KB
- MD5: 64096186747c468b881e47631bac27d8
- SHA1: 76f2b6692f3df55d9bc718b98420da165ec88b2d
- SHA256: c512f055fb57f01079d8aac0ef5e81d4a05e4b07f05cf6b7d6d7c3dc1b6fa6a1
- SHA512: d394b8880eb5b66d675b1ad2e1680c3bfdbe79b023df5123b5823a8d7dd1cb9303c5b46858adacb26b52af500819ede2b69f3bfe7c856b3e9787013356ac6ec8
- SSDEEP: 3072:SRPaDGQ38aV8f9rH1gmr7EtJqmieo6Sc4:QPwGQ3V6lb1jrkJqZbc4
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  pid | Process
  2972 | rb.exe
- Drops file in Windows directory (1 IoCs)
  description | ioc | Process
  File created | C:\Windows\rb.exe | 64096186747c468b881e47631bac27d8_JaffaCakes118.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoCs)
  pid | pid_target | Process | procid_target
  2332 | 2972 | WerFault.exe | 30
- Suspicious behavior: RenamesItself (1 IoCs)
  pid | Process
  1580 | 64096186747c468b881e47631bac27d8_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 1580 wrote to memory of 2972 | 1580 | 64096186747c468b881e47631bac27d8_JaffaCakes118.exe | 30
  PID 1580 wrote to memory of 2972 | 1580 | 64096186747c468b881e47631bac27d8_JaffaCakes118.exe | 30
  PID 1580 wrote to memory of 2972 | 1580 | 64096186747c468b881e47631bac27d8_JaffaCakes118.exe | 30
  PID 1580 wrote to memory of 2972 | 1580 | 64096186747c468b881e47631bac27d8_JaffaCakes118.exe | 30
  PID 2972 wrote to memory of 2332 | 2972 | rb.exe | 31
  PID 2972 wrote to memory of 2332 | 2972 | rb.exe | 31
  PID 2972 wrote to memory of 2332 | 2972 | rb.exe | 31
  PID 2972 wrote to memory of 2332 | 2972 | rb.exe | 31
Processes
- C:\Users\Admin\AppData\Local\Temp\64096186747c468b881e47631bac27d8_JaffaCakes118.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\64096186747c468b881e47631bac27d8_JaffaCakes118.exe"
  PID: 1580
  - Drops file in Windows directory
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  - C:\Windows\rb.exe (depth 2)
    Command line: "C:\Windows\rb.exe"
    PID: 2972
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe (depth 3)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 36
      PID: 2332
      - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 91KB
- MD5: 53c206ec8f1f3733f723fbcec939bff5
- SHA1: 08ab83463d09d8c13f8f0f6e9a468a1b9aa35a99
- SHA256: ea3f0a432fdcd686979692a1006d3848a987b32dc24938f79c02a2f7362cee72
- SHA512: 624d5728aa723215f1fda277871ed33c06a4047f9ef97deb45bef2c6e7d7c0c5811e71243771f0233a8e675d5026f27d3f0f14bb040588af2dc93a9bbc81d167