Analysis
  max time kernel:  35s
  max time network: 18s
  platform:         windows7_x64
  resource:         win7-20240705-en
  resource tags:    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  submitted:        14/08/2024, 09:22
Static task: static1

Behavioral task: behavioral1
  Sample:   957e2bbc9f7ee3830a56672b11250ee9_JaffaCakes118.exe
  Resource: win7-20240705-en

Behavioral task: behavioral2
  Sample:   957e2bbc9f7ee3830a56672b11250ee9_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
  Target: 957e2bbc9f7ee3830a56672b11250ee9_JaffaCakes118.exe
  Size:   356KB
  MD5:    957e2bbc9f7ee3830a56672b11250ee9
  SHA1:   81ad26a50bb036c2d2f784a370b473da81410fd4
  SHA256: 59702f378c665fedd87d3d98d652e83ba72b8c028fe5aef44233d83e009b123d
  SHA512: f807f3a24b48c858d767ba05c5c1549a75475ff01589bc6bf7bf9b9da968fac020c7dd3ac475a7074732fc37c56e6ffc148eb168d9278d2b15ea71220a31d5f2
  SSDEEP: 6144:7vbx8Gv1pFM7UipZAViHo6YsU5Fi91EzGHsZUa:7Xv1Y7UUZAVj6JUbigGHct
Malware Config
Signatures
Deletes itself (1 IoC)
  pid   Process
  580   9it8pVghqTUntd.exe

Executes dropped EXE (2 IoCs)
  pid   Process
  2784  9it8pVghqTUntd.exe
  580   9it8pVghqTUntd.exe

Loads dropped DLL (5 IoCs)
  pid   Process
  380   957e2bbc9f7ee3830a56672b11250ee9_JaffaCakes118.exe
  380   957e2bbc9f7ee3830a56672b11250ee9_JaffaCakes118.exe
  380   957e2bbc9f7ee3830a56672b11250ee9_JaffaCakes118.exe
  2784  9it8pVghqTUntd.exe
  580   9it8pVghqTUntd.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                                                                      Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\ZFJDJU5GITpq = "C:\\ProgramData\\5KcZLVE45lRShKjQ\\9it8pVghqTUntd.exe"   957e2bbc9f7ee3830a56672b11250ee9_JaffaCakes118.exe

Suspicious use of SetThreadContext (3 IoCs)
  description                          pid   Process                                               procid_target
  PID 1984 set thread context of 380   1984  957e2bbc9f7ee3830a56672b11250ee9_JaffaCakes118.exe   30
  PID 2784 set thread context of 580   2784  9it8pVghqTUntd.exe                                   32
  PID 580 set thread context of 2932   580   9it8pVghqTUntd.exe                                   34
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                         Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  957e2bbc9f7ee3830a56672b11250ee9_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  957e2bbc9f7ee3830a56672b11250ee9_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  9it8pVghqTUntd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  9it8pVghqTUntd.exe
Suspicious use of WriteProcessMemory (29 IoCs)
  description                        pid   Process                                               procid_target
  PID 1984 wrote to memory of 380    1984  957e2bbc9f7ee3830a56672b11250ee9_JaffaCakes118.exe   30
  PID 1984 wrote to memory of 380    1984  957e2bbc9f7ee3830a56672b11250ee9_JaffaCakes118.exe   30
  PID 1984 wrote to memory of 380    1984  957e2bbc9f7ee3830a56672b11250ee9_JaffaCakes118.exe   30
  PID 1984 wrote to memory of 380    1984  957e2bbc9f7ee3830a56672b11250ee9_JaffaCakes118.exe   30
  PID 1984 wrote to memory of 380    1984  957e2bbc9f7ee3830a56672b11250ee9_JaffaCakes118.exe   30
  PID 1984 wrote to memory of 380    1984  957e2bbc9f7ee3830a56672b11250ee9_JaffaCakes118.exe   30
  PID 380 wrote to memory of 2784    380   957e2bbc9f7ee3830a56672b11250ee9_JaffaCakes118.exe   31
  PID 380 wrote to memory of 2784    380   957e2bbc9f7ee3830a56672b11250ee9_JaffaCakes118.exe   31
  PID 380 wrote to memory of 2784    380   957e2bbc9f7ee3830a56672b11250ee9_JaffaCakes118.exe   31
  PID 380 wrote to memory of 2784    380   957e2bbc9f7ee3830a56672b11250ee9_JaffaCakes118.exe   31
  PID 2784 wrote to memory of 580    2784  9it8pVghqTUntd.exe                                   32
  PID 2784 wrote to memory of 580    2784  9it8pVghqTUntd.exe                                   32
  PID 2784 wrote to memory of 580    2784  9it8pVghqTUntd.exe                                   32
  PID 2784 wrote to memory of 580    2784  9it8pVghqTUntd.exe                                   32
  PID 2784 wrote to memory of 580    2784  9it8pVghqTUntd.exe                                   32
  PID 2784 wrote to memory of 580    2784  9it8pVghqTUntd.exe                                   32
  PID 580 wrote to memory of 1872    580   9it8pVghqTUntd.exe                                   33
  PID 580 wrote to memory of 1872    580   9it8pVghqTUntd.exe                                   33
  PID 580 wrote to memory of 1872    580   9it8pVghqTUntd.exe                                   33
  PID 580 wrote to memory of 1872    580   9it8pVghqTUntd.exe                                   33
  PID 580 wrote to memory of 2932    580   9it8pVghqTUntd.exe                                   34
  PID 580 wrote to memory of 2932    580   9it8pVghqTUntd.exe                                   34
  PID 580 wrote to memory of 2932    580   9it8pVghqTUntd.exe                                   34
  PID 580 wrote to memory of 2932    580   9it8pVghqTUntd.exe                                   34
  PID 580 wrote to memory of 2932    580   9it8pVghqTUntd.exe                                   34
  PID 580 wrote to memory of 2932    580   9it8pVghqTUntd.exe                                   34
  PID 580 wrote to memory of 2932    580   9it8pVghqTUntd.exe                                   34
  PID 580 wrote to memory of 2932    580   9it8pVghqTUntd.exe                                   34
  PID 580 wrote to memory of 2932    580   9it8pVghqTUntd.exe                                   34
Processes (process tree; the number is the nesting depth)
1. C:\Users\Admin\AppData\Local\Temp\957e2bbc9f7ee3830a56672b11250ee9_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\957e2bbc9f7ee3830a56672b11250ee9_JaffaCakes118.exe"
   PID: 1984
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\957e2bbc9f7ee3830a56672b11250ee9_JaffaCakes118.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\957e2bbc9f7ee3830a56672b11250ee9_JaffaCakes118.exe"
      PID: 380
      - Loads dropped DLL
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\ProgramData\5KcZLVE45lRShKjQ\9it8pVghqTUntd.exe
         Command line: "C:\ProgramData\5KcZLVE45lRShKjQ\9it8pVghqTUntd.exe"
         PID: 2784
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of SetThreadContext
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4. C:\ProgramData\5KcZLVE45lRShKjQ\9it8pVghqTUntd.exe
            Command line: "C:\ProgramData\5KcZLVE45lRShKjQ\9it8pVghqTUntd.exe"
            PID: 580
            - Deletes itself
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            5. C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe
               Command line: "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe" /i:580
               PID: 1872
            5. C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe
               Command line: "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe" /i:580
               PID: 2932
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 356KB
  MD5:      5dd33a0a117cc0b406db0db1a96abc73
  SHA1:     838d76f7fd03f4d02f3fa7c2e5c3441aef4920a0
  SHA256:   6c7d4501ae0ff167792f0e70d9a69f41dff6a052754cacca82af8913927bfa14
  SHA512:   e56ab47619f2ceb51984899bc4a12884bcf39d93aa7898f7be6131994350af4d7b32d20310c2d97a9cc1eed3791fc037f328a040101adca81d0cea55731fef1a

File 2
  Filesize: 356KB
  MD5:      957e2bbc9f7ee3830a56672b11250ee9
  SHA1:     81ad26a50bb036c2d2f784a370b473da81410fd4
  SHA256:   59702f378c665fedd87d3d98d652e83ba72b8c028fe5aef44233d83e009b123d
  SHA512:   f807f3a24b48c858d767ba05c5c1549a75475ff01589bc6bf7bf9b9da968fac020c7dd3ac475a7074732fc37c56e6ffc148eb168d9278d2b15ea71220a31d5f2