Analysis
- max time kernel: 141s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 10/08/2024, 18:39
Static task: static1
Behavioral task: behavioral1
- Sample: 87353e83707ae9961599a4472bb8bc73_JaffaCakes118.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: 87353e83707ae9961599a4472bb8bc73_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: 87353e83707ae9961599a4472bb8bc73_JaffaCakes118.exe
- Size: 857KB
- MD5: 87353e83707ae9961599a4472bb8bc73
- SHA1: 393fcd2a419d832021ce15ccf99466f57775b5cf
- SHA256: b156300fe7c35a282f8bffbd5acffc5f62d0ccd064e5a32cdcfd3f2f39a70497
- SHA512: 0c842c9a4e7f2504a0de213bb87d72a9a1a8b4cb9e4a9b15c0e4f41f898ba7aa10f8ee74849bc55de6089d598907f4bcdffd6a902729f2bde95b6ac028ff4dcd
- SSDEEP: 24576:uc//////FqsVqMyLrr4cWRSvEPaVspeYmVnwO:uc//////YrNrrOCEi+/0r
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid 2808  ·þÎñÆ÷״̬²éѯ.exe
  pid 2676  Ë«¿ª²¹¶¡.exe
- Loads dropped DLL (9 IoCs)
  pid 2640  cmd.exe
  pid 2672  cmd.exe
  pid 2640  cmd.exe
  pid 2672  cmd.exe
  pid 2808  ·þÎñÆ÷״̬²éѯ.exe
  pid 2560  WerFault.exe
  pid 2560  WerFault.exe
  pid 2808  ·þÎñÆ÷״̬²éѯ.exe
  pid 2560  WerFault.exe
- Program crash (1 IoCs)
  pid 2560  pid_target 2676  WerFault.exe
- System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by Ë«¿ª²¹¶¡.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by ·þÎñÆ÷״̬²éѯ.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by 87353e83707ae9961599a4472bb8bc73_JaffaCakes118.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by cmd.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by cmd.exe
- Modifies Internet Explorer settings
  Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main  by ·þÎñÆ÷״̬²éѯ.exe
- Suspicious use of SetWindowsHookEx (31 IoCs)
  pid 2808  ·þÎñÆ÷״̬²éѯ.exe  (31 identical entries)
- Suspicious use of WriteProcessMemory (20 IoCs)
  PID 3044 wrote to memory of 2640  (87353e83707ae9961599a4472bb8bc73_JaffaCakes118.exe, procid_target 30)  x4
  PID 3044 wrote to memory of 2672  (87353e83707ae9961599a4472bb8bc73_JaffaCakes118.exe, procid_target 31)  x4
  PID 2640 wrote to memory of 2808  (cmd.exe, procid_target 34)  x4
  PID 2672 wrote to memory of 2676  (cmd.exe, procid_target 35)  x4
  PID 2676 wrote to memory of 2560  (Ë«¿ª²¹¶¡.exe, procid_target 36)  x4
Processes
- C:\Users\Admin\AppData\Local\Temp\87353e83707ae9961599a4472bb8bc73_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\87353e83707ae9961599a4472bb8bc73_JaffaCakes118.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 3044
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\\·þÎñÆ÷״̬²éѯ.exe"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2640
    - C:\Users\Admin\AppData\Local\Temp\·þÎñÆ÷״̬²éѯ.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\\·þÎñÆ÷״̬²éѯ.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
      PID: 2808
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\\Ë«¿ª²¹¶¡.exe"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2672
    - C:\Users\Admin\AppData\Local\Temp\Ë«¿ª²¹¶¡.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\\Ë«¿ª²¹¶¡.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2676
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 36
        - Loads dropped DLL
        - Program crash
        PID: 2560
Network
MITRE ATT&CK Enterprise v15
Downloads