Analysis
- max time kernel: 120s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 10/08/2024, 06:53
Static task: static1

Behavioral task: behavioral1
- Sample: 852cb51b9aac23e13443dbc1e6c46a95_JaffaCakes118.exe
- Resource: win7-20240705-en

Behavioral task: behavioral2
- Sample: 852cb51b9aac23e13443dbc1e6c46a95_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: 852cb51b9aac23e13443dbc1e6c46a95_JaffaCakes118.exe
- Size: 68KB
- MD5: 852cb51b9aac23e13443dbc1e6c46a95
- SHA1: 22dc34cf90206f298caabe5d7433fcfc798d3466
- SHA256: 06c586ea2d0cd8fddc2e93b4e5c94b77bb4395bfcf1204e5665b359f2f0461bf
- SHA512: 2183674affee50fd5bd8a4198ad8fa5d50e8a06e555875169d3c91401462948e51134b601c3e7166bb2544e42498bbf6791c120dbd3c4daf514b6bfaf2a487db
- SSDEEP: 384:JiWO48f+Z8N8p/ij7m+1Is9giJABwbXbm0vy4mEVzRFHPU8ToPGoq//1:K4hZ1p/ija+1IGpFrSoy6JTc8Toed/t
Malware Config
Signatures
Deletes itself (1 IoCs)

pid | Process
2408 | cmd.exe

Indicator Removal: File Deletion (1 TTPs)
Adversaries may delete files left behind by the actions of their intrusion activity.

System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 852cb51b9aac23e13443dbc1e6c46a95_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe

Suspicious use of WriteProcessMemory (4 IoCs)

description | pid | Process | procid_target
PID 1660 wrote to memory of 2408 | 1660 | 852cb51b9aac23e13443dbc1e6c46a95_JaffaCakes118.exe | 30
PID 1660 wrote to memory of 2408 | 1660 | 852cb51b9aac23e13443dbc1e6c46a95_JaffaCakes118.exe | 30
PID 1660 wrote to memory of 2408 | 1660 | 852cb51b9aac23e13443dbc1e6c46a95_JaffaCakes118.exe | 30
PID 1660 wrote to memory of 2408 | 1660 | 852cb51b9aac23e13443dbc1e6c46a95_JaffaCakes118.exe | 30
Processes
C:\Users\Admin\AppData\Local\Temp\852cb51b9aac23e13443dbc1e6c46a95_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\852cb51b9aac23e13443dbc1e6c46a95_JaffaCakes118.exe"
PID: 1660
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c del "C:\Users\Admin\AppData\Local\Temp\852cb51b9aac23e13443dbc1e6c46a95_JaffaCakes118.exe"
    PID: 2408
    - Deletes itself
    - System Location Discovery: System Language Discovery