Analysis
max time kernel: 117s
max time network: 117s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 11/08/2024, 09:01
Static task: static1
Behavioral task: behavioral1
Sample: 89c4756067b1263cf50040d6915b5849_JaffaCakes118.exe
Resource: win7-20240704-en
Behavioral task: behavioral2
Sample: 89c4756067b1263cf50040d6915b5849_JaffaCakes118.exe
Resource: win10v2004-20240802-en
General
Target: 89c4756067b1263cf50040d6915b5849_JaffaCakes118.exe
Size: 52KB
MD5: 89c4756067b1263cf50040d6915b5849
SHA1: 7cf84e4326fca173255230f9c5eab881adfb60e7
SHA256: d5f527ca9d00dada8e63053ed993e7ae3090756ce1d8c376d9a3acfa9669fd8b
SHA512: 222bb8fe57966d71264ba75950dba7666e7ee9743663c996885d34d58c183839385137a9ce74f3510506b89dc95bdf62e2bb5fb1584c7601983d4328fccbb734
SSDEEP: 768:EwjiIEAnqUxckirMWQXDuT+pxvPDgAiXKZC2p2ng4nGwcsx:EiIUwrJQXcCvfA2p2nNWsx
Malware Config
Signatures
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 89c4756067b1263cf50040d6915b5849_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 2460 wrote to memory of 22224 | 2460 | 89c4756067b1263cf50040d6915b5849_JaffaCakes118.exe | 31
PID 2460 wrote to memory of 22224 | 2460 | 89c4756067b1263cf50040d6915b5849_JaffaCakes118.exe | 31
PID 2460 wrote to memory of 22224 | 2460 | 89c4756067b1263cf50040d6915b5849_JaffaCakes118.exe | 31
PID 2460 wrote to memory of 22224 | 2460 | 89c4756067b1263cf50040d6915b5849_JaffaCakes118.exe | 31
Processes
C:\Users\Admin\AppData\Local\Temp\89c4756067b1263cf50040d6915b5849_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\89c4756067b1263cf50040d6915b5849_JaffaCakes118.exe"
PID: 2460
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\89c4756067b1263cf50040d6915b5849_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\89c4756067b1263cf50040d6915b5849_JaffaCakes118.exe"
    PID: 22224