Analysis
- max time kernel: 120s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 11/08/2024, 12:39
Static task: static1
Behavioral task: behavioral1
- Sample: 8a64110eb7962a7020a3e626d9ad6d89_JaffaCakes118.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: 8a64110eb7962a7020a3e626d9ad6d89_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: 8a64110eb7962a7020a3e626d9ad6d89_JaffaCakes118.exe
- Size: 92KB
- MD5: 8a64110eb7962a7020a3e626d9ad6d89
- SHA1: e4edb8f5a987b11779eaba1d0a42fef331f3b6ba
- SHA256: 44029fa09c987870a2b4fc45048728f4c635876af2cd0e22157df0bcfc784441
- SHA512: 7bc9489ba339122fbce60fc7d24a9d4f9eb238f8906c54e3c1279cc2a36ddf2e4cad79c49998574eeea3f048f90ba89a09f177954aa336b32fb04c11ebcde34a
- SSDEEP: 1536:jM0gNI+RqihfQxtQg1nhFc9pJpk+tCwmg+Q6buWkJ2/tnJs1v8pEekNEkpYA00:jMbI+RFQxjJGJpTP65vFLGjNE5s
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid | Process
  2752 | BCSSync.exe
  2676 | BCSSync.exe
- Loads dropped DLL (3 IoCs)
  pid | Process
  2696 | 8a64110eb7962a7020a3e626d9ad6d89_JaffaCakes118.exe
  2696 | 8a64110eb7962a7020a3e626d9ad6d89_JaffaCakes118.exe
  2752 | BCSSync.exe
- Unexpected DNS network traffic destination (5 IoCs)
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  description | ioc
  Destination IP | 83.133.119.139
  Destination IP | 83.133.119.139
  Destination IP | 83.133.119.139
  Destination IP | 83.133.119.139
  Destination IP | 83.133.119.139
- Suspicious use of SetThreadContext (2 IoCs)
  description | pid | Process | procid_target
  PID 2668 set thread context of 2696 | 2668 | 8a64110eb7962a7020a3e626d9ad6d89_JaffaCakes118.exe | 30
  PID 2752 set thread context of 2676 | 2752 | BCSSync.exe | 32
- Drops file in Program Files directory (2 IoCs)
  description | ioc | Process
  File created | C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe | 8a64110eb7962a7020a3e626d9ad6d89_JaffaCakes118.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe | 8a64110eb7962a7020a3e626d9ad6d89_JaffaCakes118.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | BCSSync.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | BCSSync.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | BCSSync .exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8a64110eb7962a7020a3e626d9ad6d89_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8a64110eb7962a7020a3e626d9ad6d89_JaffaCakes118.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid | Process
  2696 | 8a64110eb7962a7020a3e626d9ad6d89_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (26 IoCs)
  description | pid | Process | procid_target
  PID 2668 wrote to memory of 2696 | 2668 | 8a64110eb7962a7020a3e626d9ad6d89_JaffaCakes118.exe | 30
  PID 2668 wrote to memory of 2696 | 2668 | 8a64110eb7962a7020a3e626d9ad6d89_JaffaCakes118.exe | 30
  PID 2668 wrote to memory of 2696 | 2668 | 8a64110eb7962a7020a3e626d9ad6d89_JaffaCakes118.exe | 30
  PID 2668 wrote to memory of 2696 | 2668 | 8a64110eb7962a7020a3e626d9ad6d89_JaffaCakes118.exe | 30
  PID 2668 wrote to memory of 2696 | 2668 | 8a64110eb7962a7020a3e626d9ad6d89_JaffaCakes118.exe | 30
  PID 2668 wrote to memory of 2696 | 2668 | 8a64110eb7962a7020a3e626d9ad6d89_JaffaCakes118.exe | 30
  PID 2668 wrote to memory of 2696 | 2668 | 8a64110eb7962a7020a3e626d9ad6d89_JaffaCakes118.exe | 30
  PID 2668 wrote to memory of 2696 | 2668 | 8a64110eb7962a7020a3e626d9ad6d89_JaffaCakes118.exe | 30
  PID 2668 wrote to memory of 2696 | 2668 | 8a64110eb7962a7020a3e626d9ad6d89_JaffaCakes118.exe | 30
  PID 2696 wrote to memory of 2752 | 2696 | 8a64110eb7962a7020a3e626d9ad6d89_JaffaCakes118.exe | 31
  PID 2696 wrote to memory of 2752 | 2696 | 8a64110eb7962a7020a3e626d9ad6d89_JaffaCakes118.exe | 31
  PID 2696 wrote to memory of 2752 | 2696 | 8a64110eb7962a7020a3e626d9ad6d89_JaffaCakes118.exe | 31
  PID 2696 wrote to memory of 2752 | 2696 | 8a64110eb7962a7020a3e626d9ad6d89_JaffaCakes118.exe | 31
  PID 2752 wrote to memory of 2676 | 2752 | BCSSync.exe | 32
  PID 2752 wrote to memory of 2676 | 2752 | BCSSync.exe | 32
  PID 2752 wrote to memory of 2676 | 2752 | BCSSync.exe | 32
  PID 2752 wrote to memory of 2676 | 2752 | BCSSync.exe | 32
  PID 2752 wrote to memory of 2676 | 2752 | BCSSync.exe | 32
  PID 2752 wrote to memory of 2676 | 2752 | BCSSync.exe | 32
  PID 2752 wrote to memory of 2676 | 2752 | BCSSync.exe | 32
  PID 2752 wrote to memory of 2676 | 2752 | BCSSync.exe | 32
  PID 2752 wrote to memory of 2676 | 2752 | BCSSync.exe | 32
  PID 2676 wrote to memory of 860 | 2676 | BCSSync.exe | 33
  PID 2676 wrote to memory of 860 | 2676 | BCSSync.exe | 33
  PID 2676 wrote to memory of 860 | 2676 | BCSSync.exe | 33
  PID 2676 wrote to memory of 860 | 2676 | BCSSync.exe | 33
Processes
- C:\Users\Admin\AppData\Local\Temp\8a64110eb7962a7020a3e626d9ad6d89_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8a64110eb7962a7020a3e626d9ad6d89_JaffaCakes118.exe"
  PID: 2668
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\8a64110eb7962a7020a3e626d9ad6d89_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\8a64110eb7962a7020a3e626d9ad6d89_JaffaCakes118.exe"
    PID: 2696
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
      Command line: "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\8a64110eb7962a7020a3e626d9ad6d89_JaffaCakes118.exe
      PID: 2752
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
        Command line: "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\8a64110eb7962a7020a3e626d9ad6d89_JaffaCakes118.exe
        PID: 2676
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe
          Command line: "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe" "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\8a64110eb7962a7020a3e626d9ad6d89_JaffaCakes118.exe
          PID: 860
          - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 92KB
- MD5: 92e6ef1adcceb7e82a399433dc0223de
- SHA1: 7fbf08e27d151001b5e24be4b2e12fd660a0bc1c
- SHA256: 2058bbb8f62447d5f42fd70613eb60d0647784a33495dff37ef94ba677147142
- SHA512: 965e0f15acfc1b46001bdf14165389891ff2add3f4f1f71a67ec0769746f36f0bc7faa5fef1b1d5af59add9853d164f22fdcebd3b203457c1eaa72c608e9952c