Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 119s
max time network: 122s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 26/07/2024, 16:05
Static task: static1
Behavioral task: behavioral1
  Sample: 74c024955091e32b0010ec26aa99e8c1_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 74c024955091e32b0010ec26aa99e8c1_JaffaCakes118.exe
  Resource: win10v2004-20240704-en
General
Target: 74c024955091e32b0010ec26aa99e8c1_JaffaCakes118.exe
Size: 269KB
MD5: 74c024955091e32b0010ec26aa99e8c1
SHA1: f41200e2c925ae9db14116af91513f04beb8059a
SHA256: ecdb61cc66e07ccb661f6b8036f9d7094efae75eb6f107476821046dbb1e8d43
SHA512: 0e5d50ceb1533a5320052a5b3808e586f74214c96a0a73e0a453672744caa5a587218cd61ec2b3bd17ea4b3792a22fda5e00a684dc1f27819064188cc83f529f
SSDEEP: 6144:6IskMjgJENFzmFIhwmjxL1+vo5R30w0RqXsC8pKY2qsdX:6IsnnxCmPTpXTXszpKY2N9
Malware Config
Signatures
Deletes itself (1 IoCs)
  pid   Process
  2940  cmd.exe
Executes dropped EXE (1 IoCs)
  pid   Process
  2504  shark.exe
Drops file in System32 directory (5 IoCs)
  description                   ioc                               Process
  File opened for modification  C:\Windows\SysWOW64\shark.exe     74c024955091e32b0010ec26aa99e8c1_JaffaCakes118.exe
  File opened for modification  C:\Windows\SysWOW64\ieapfltr.dat  shark.exe
  File opened for modification  C:\Windows\SysWOW64\shark.exe     shark.exe
  File opened for modification  C:\Windows\SysWOW64\ieapfltr.dat  74c024955091e32b0010ec26aa99e8c1_JaffaCakes118.exe
  File created                  C:\Windows\SysWOW64\shark.exe     74c024955091e32b0010ec26aa99e8c1_JaffaCakes118.exe
Drops file in Windows directory (1 IoCs)
  description   ioc                      Process
  File created  C:\Windows\UNINSTAL.BAT  74c024955091e32b0010ec26aa99e8c1_JaffaCakes118.exe
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  74c024955091e32b0010ec26aa99e8c1_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  shark.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 2 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
  pid   Process
  1576  cmd.exe
  2268  cmd.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1580  74c024955091e32b0010ec26aa99e8c1_JaffaCakes118.exe
  Token: SeDebugPrivilege  2504  shark.exe
Suspicious use of WriteProcessMemory (15 IoCs)
  description                       pid   Process                                             procid_target
  PID 1580 wrote to memory of 1576  1580  74c024955091e32b0010ec26aa99e8c1_JaffaCakes118.exe  30  (4 identical entries)
  PID 2504 wrote to memory of 2268  2504  shark.exe                                           33  (4 identical entries)
  PID 1580 wrote to memory of 2940  1580  74c024955091e32b0010ec26aa99e8c1_JaffaCakes118.exe  36  (7 identical entries)
Processes
C:\Users\Admin\AppData\Local\Temp\74c024955091e32b0010ec26aa99e8c1_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\74c024955091e32b0010ec26aa99e8c1_JaffaCakes118.exe"
  PID: 1580
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c set date=%date% &&date 1987-1-1 &&ping 127.0.0.1&&ping 127.0.0.1&&ping 127.0.0.1&&ping 127.0.0.1&&date %date%
    PID: 1576
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
  Child: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c C:\Windows\UNINSTAL.BAT
    PID: 2940
    - Deletes itself
    - System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\shark.exe
  Command line: C:\Windows\SysWOW64\shark.exe
  PID: 2504
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c set date=%date% &&date 1987-1-1 &&ping 127.0.0.1&&ping 127.0.0.1&&ping 127.0.0.1&&ping 127.0.0.1&&date %date%
    PID: 2268
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 269KB
  MD5: 74c024955091e32b0010ec26aa99e8c1
  SHA1: f41200e2c925ae9db14116af91513f04beb8059a
  SHA256: ecdb61cc66e07ccb661f6b8036f9d7094efae75eb6f107476821046dbb1e8d43
  SHA512: 0e5d50ceb1533a5320052a5b3808e586f74214c96a0a73e0a453672744caa5a587218cd61ec2b3bd17ea4b3792a22fda5e00a684dc1f27819064188cc83f529f
Filesize: 214B
  MD5: ca5247dd049a20608f14395aad087a4e
  SHA1: 3b2acecdeeb9132b44a5afd720fc11580fa0fb0e
  SHA256: 189b685a7d6c2fa3f553641092543f5a43c047cf12489232b3a4f599ecc67187
  SHA512: 11f81f43f2bfb50e2c8579b750abd2a1a8e46db3f9a93c79aacdf724fa2c058bcbdf61039e67f41ffbcb6fccc1bfcfdffff89f3aa95ded6ab06d1a95518d697a