Analysis
- max time kernel: 142s
- max time network: 143s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 13/08/2024, 15:11
Static task
- static1

Behavioral task behavioral1
- Sample: 939c8bddca8567f4fc692f9130959d6a_JaffaCakes118.exe
- Resource: win7-20240708-en

Behavioral task behavioral2
- Sample: 939c8bddca8567f4fc692f9130959d6a_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: 939c8bddca8567f4fc692f9130959d6a_JaffaCakes118.exe
- Size: 2.2MB
- MD5: 939c8bddca8567f4fc692f9130959d6a
- SHA1: a7d066d3470eae36f53b2f26179f975abb9ae3bf
- SHA256: 7d223b75aefe5826017d69f3b36f887a60dd8da3ea135a9eaea26d3c8394a220
- SHA512: ed89f524d4c6b784267d7aff343847b24c09493bcad5f5698636e901b34750bcfd2d7aafd4f613448af5d3eefca45ea8291c1cb23a9056f24cbd151f6dcb931c
- SSDEEP: 49152:Tr/sliWDbs/7SH3QHAuXLVoDW/+XwuMd7ROKw:Po3bgmi7VoDW4wuY7ROKw
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid | Process
  1676 | explorer.exe
  2412 | iexplore.exe

- Loads dropped DLL (4 IoCs)
  pid | Process
  1288 | 939c8bddca8567f4fc692f9130959d6a_JaffaCakes118.exe
  (all 4 IoCs are DLL loads by the same process, PID 1288)

- System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 939c8bddca8567f4fc692f9130959d6a_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | iexplore.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe

- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid | Process | events
  1288 | 939c8bddca8567f4fc692f9130959d6a_JaffaCakes118.exe | 2
  1676 | explorer.exe | 6
  2412 | iexplore.exe | 4

- Suspicious use of WriteProcessMemory (16 IoCs)
  description | pid | Process | procid_target | events
  PID 1288 wrote to memory of 1676 | 1288 | 939c8bddca8567f4fc692f9130959d6a_JaffaCakes118.exe | 30 | 4
  PID 1288 wrote to memory of 2412 | 1288 | 939c8bddca8567f4fc692f9130959d6a_JaffaCakes118.exe | 31 | 4
  PID 1676 wrote to memory of 2760 | 1676 | explorer.exe | 33 | 4
  PID 2412 wrote to memory of 2140 | 2412 | iexplore.exe | 35 | 4
Processes
- C:\Users\Admin\AppData\Local\Temp\939c8bddca8567f4fc692f9130959d6a_JaffaCakes118.exe (PID 1288, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\939c8bddca8567f4fc692f9130959d6a_JaffaCakes118.exe"
  Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\explorer.exe (PID 1676, depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\explorer.exe" --mn=0
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2760, depth 3)
      Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\32374.bat"
      Signatures: System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\iexplore.exe (PID 2412, depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\iexplore.exe" --mn=0 --ch=1
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2140, depth 3)
      Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\47.bat"
      Signatures: System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- File 1
  Filesize: 183B
  MD5: 4abcd0b1d1754d7124bf16ddbef6b4cf
  SHA1: 08af1c9487ae83a7bfce36c3aaf0ef45ed141930
  SHA256: 29910a0d39c072f9578e0ec955e14db121d6bb9fa01a831012651d570d371e30
  SHA512: 5c8f40319593e2659893a1cb10e47152b19a023b7a68734209192437e0bf4ab1c7797a4a275c9e62a532a265ac5c46dd355b19ecf8c08e3680e2d300ef1e7e32
- File 2
  Filesize: 180B
  MD5: 1d15122955ca815468693614ba6259ca
  SHA1: b01879214b0b8cd974ed23fa7944452b315372da
  SHA256: a3a5587211510b0e0599327391d48284e4acf605c6ab92fb8074eda82b1e3122
  SHA512: 18487de9a52ce10c8f95e91f00003b33572c07322f1b1e4fb33749a391e35edeb74dfe7c6602b50437c9fe7cd85b27d4af787eea111809402dacd4670b05ecc7
- File 3
  Filesize: 2.2MB
  MD5: 939c8bddca8567f4fc692f9130959d6a
  SHA1: a7d066d3470eae36f53b2f26179f975abb9ae3bf
  SHA256: 7d223b75aefe5826017d69f3b36f887a60dd8da3ea135a9eaea26d3c8394a220
  SHA512: ed89f524d4c6b784267d7aff343847b24c09493bcad5f5698636e901b34750bcfd2d7aafd4f613448af5d3eefca45ea8291c1cb23a9056f24cbd151f6dcb931c