Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 117s
max time network: 119s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 23/07/2024, 02:02
Behavioral task: behavioral1
  Sample: 65b77dc9bcc299eb6c89b7a634c923d7_JaffaCakes118.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 65b77dc9bcc299eb6c89b7a634c923d7_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
Target: 65b77dc9bcc299eb6c89b7a634c923d7_JaffaCakes118.exe
Size: 409KB
MD5: 65b77dc9bcc299eb6c89b7a634c923d7
SHA1: 332deaaa6ffe33f5e7820a5d7ec9fd67e7b8395e
SHA256: 24fc182e430c1d3e140af10bce14ca417f912dc93de5f2d5aeaaa9708b6a2623
SHA512: aeb4579f9f96cb3d4ce257558dbdf500c4ef192347952fae35bbb0c1f4fce470e5a1271d88fbc447482a7ddbb8dab85f5cfef2c620ed96c3af5f44759aa170d5
SSDEEP: 12288:DA4goYcLbiCwhCXfVjIzU8F3Ug9DO7hzm9ubK3rrE4GWHG4:DAtcLECXpIz1F3Rk2304GW
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 2756, process Nxilua.exe
- yara_rule matches (rule: upx)
  behavioral1/memory/2556-0-0x0000000000400000-0x0000000000468000-memory.dmp (upx)
  behavioral1/files/0x0008000000016d6b-11.dat (upx)
  behavioral1/memory/2756-15-0x0000000000400000-0x0000000000468000-memory.dmp (upx)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\4RBPZMXX4S = "C:\\Windows\\Nxilua.exe", process Nxilua.exe
- Drops file in Windows directory (4 IoCs)
  File created: C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job, process 65b77dc9bcc299eb6c89b7a634c923d7_JaffaCakes118.exe
  File opened for modification: C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job, process 65b77dc9bcc299eb6c89b7a634c923d7_JaffaCakes118.exe
  File created: C:\Windows\Nxilua.exe, process 65b77dc9bcc299eb6c89b7a634c923d7_JaffaCakes118.exe
  File opened for modification: C:\Windows\Nxilua.exe, process 65b77dc9bcc299eb6c89b7a634c923d7_JaffaCakes118.exe
- Modifies Internet Explorer settings
  Key created: \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main, process Nxilua.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 2756, process Nxilua.exe (64 identical entries)
- Suspicious use of UnmapMainImage (2 IoCs)
  pid 2556, process 65b77dc9bcc299eb6c89b7a634c923d7_JaffaCakes118.exe
  pid 2756, process Nxilua.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 2556 wrote to memory of 2756, process 65b77dc9bcc299eb6c89b7a634c923d7_JaffaCakes118.exe, procid_target 30 (4 identical entries)
Processes
1. "C:\Users\Admin\AppData\Local\Temp\65b77dc9bcc299eb6c89b7a634c923d7_JaffaCakes118.exe" (PID: 2556)
   - Drops file in Windows directory
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Nxilua.exe (PID: 2756)
      - Executes dropped EXE
      - Adds Run key to start application
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 409KB
  MD5: 65b77dc9bcc299eb6c89b7a634c923d7
  SHA1: 332deaaa6ffe33f5e7820a5d7ec9fd67e7b8395e
  SHA256: 24fc182e430c1d3e140af10bce14ca417f912dc93de5f2d5aeaaa9708b6a2623
  SHA512: aeb4579f9f96cb3d4ce257558dbdf500c4ef192347952fae35bbb0c1f4fce470e5a1271d88fbc447482a7ddbb8dab85f5cfef2c620ed96c3af5f44759aa170d5
- Filesize: 372B
  MD5: e3c19bce7e850449bf670e5fe85e60dd
  SHA1: c8d78a0e7adb7b5e46db9f2d5912b7589e6e01d0
  SHA256: e5a6fd3e41c09e803a31658c116e5b4ccd8a35fa06d4c45325ecebf8e324464d
  SHA512: b6e1e9c7402560a8312a4278a6481b4cc3ad115276c1d1f740f904bd63e61dfea174bd8064e66fbb52eadaead8df8d1182bccf1737edd332c1e7b59ad8c11a14