Analysis
max time kernel: 61s
max time network: 18s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 12/08/2024, 12:15
Behavioral task: behavioral1
Sample: 8eb57da4194cd7a0e76fdd5d951da8fa_JaffaCakes118.exe
Resource: win7-20240705-en
General
Target: 8eb57da4194cd7a0e76fdd5d951da8fa_JaffaCakes118.exe
Size: 197KB
MD5: 8eb57da4194cd7a0e76fdd5d951da8fa
SHA1: b872e0055e1193f48a48717784482bae6171c7b2
SHA256: 4c57481feb4b640b57864d74c24697b911565447bfe9f229585a5d17dea2769f
SHA512: dca04b87656899a35f68ab5a02ca4c8f3be459a0a7b8fa8fc948488989faeffd1faa0821ae5f9aa7d4a0b29721c07e53bb34bd9d919d06ee6ce57ade7286f76c
SSDEEP: 3072:OF2SRGOYiDEah5u2606Tqa4esT/TCJCKEOcP5/9iIttyB2BSz:OF22ojRnqa3DkvOIiwR0
Malware Config
Signatures
Executes dropped EXE (1 IoC)
pid | Process
812 | Ewuraa.exe

resource | yara_rule
behavioral1/memory/2504-0-0x0000000000400000-0x000000000046C000-memory.dmp | upx
behavioral1/files/0x0007000000018703-10.dat | upx
behavioral1/memory/812-13-0x0000000000400000-0x000000000046C000-memory.dmp | upx
Drops file in Windows directory (6 IoCs)
description | ioc | Process
File created | C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job | 8eb57da4194cd7a0e76fdd5d951da8fa_JaffaCakes118.exe
File opened for modification | C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job | 8eb57da4194cd7a0e76fdd5d951da8fa_JaffaCakes118.exe
File created | C:\Windows\Ewuraa.exe | 8eb57da4194cd7a0e76fdd5d951da8fa_JaffaCakes118.exe
File opened for modification | C:\Windows\Ewuraa.exe | 8eb57da4194cd7a0e76fdd5d951da8fa_JaffaCakes118.exe
File created | C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job | Ewuraa.exe
File opened for modification | C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job | Ewuraa.exe
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8eb57da4194cd7a0e76fdd5d951da8fa_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ewuraa.exe

Modifies Internet Explorer settings
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main | Ewuraa.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
812 | Ewuraa.exe (64 identical entries)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeRestorePrivilege | 2504 | 8eb57da4194cd7a0e76fdd5d951da8fa_JaffaCakes118.exe
Token: SeBackupPrivilege | 2504 | 8eb57da4194cd7a0e76fdd5d951da8fa_JaffaCakes118.exe

Suspicious use of UnmapMainImage (2 IoCs)
pid | Process
2504 | 8eb57da4194cd7a0e76fdd5d951da8fa_JaffaCakes118.exe
812 | Ewuraa.exe

Suspicious use of WriteProcessMemory (7 IoCs)
description | pid | Process | procid_target
PID 2504 wrote to memory of 812 | 2504 | 8eb57da4194cd7a0e76fdd5d951da8fa_JaffaCakes118.exe | 29 (7 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\8eb57da4194cd7a0e76fdd5d951da8fa_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\8eb57da4194cd7a0e76fdd5d951da8fa_JaffaCakes118.exe"
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory
   PID: 2504
   2. C:\Windows\Ewuraa.exe
      Command line: C:\Windows\Ewuraa.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of UnmapMainImage
      PID: 812
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 197KB
MD5: 8eb57da4194cd7a0e76fdd5d951da8fa
SHA1: b872e0055e1193f48a48717784482bae6171c7b2
SHA256: 4c57481feb4b640b57864d74c24697b911565447bfe9f229585a5d17dea2769f
SHA512: dca04b87656899a35f68ab5a02ca4c8f3be459a0a7b8fa8fc948488989faeffd1faa0821ae5f9aa7d4a0b29721c07e53bb34bd9d919d06ee6ce57ade7286f76c

Filesize: 372B
MD5: 775b060c32a145e3ef5fa9151526e8ab
SHA1: cf55062f5614efb7b1e819dd98e7d205fd3953fc
SHA256: de8028c09d74d671035f944b0f25bcb05e3c699f38b479386c76c6a9af43c7a6
SHA512: 5c5f9b8d9b21ca7f5843e679153cb04db39798de9fb162e8db91c9d535042621660779e1ffd99487a1bee501f4ee92db4cfb3ee0eb3b53f362041f8d09951980