Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 149s
max time network: 118s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 19/08/2024, 06:38
Behavioral task: behavioral1
Sample: a9f9a3ab3499b2203ca028caf91b4f4a_JaffaCakes118.exe
Resource: win7-20240708-en
General
Target: a9f9a3ab3499b2203ca028caf91b4f4a_JaffaCakes118.exe
Size: 29KB
MD5: a9f9a3ab3499b2203ca028caf91b4f4a
SHA1: aadfa40c05fd8f92621c24cfc40d49bd7a88bacb
SHA256: 1e9db2717a0ab6c7eda0289f7f35528453582bd56c030878af78db2d69982e1c
SHA512: 090cf51806219deab2ee768c0a88d0ef1cf48c9a474cefca6cfc8b10ab78e9f23c761658ecd5b871c691428fa86b4091ea94cd8bea839c539bc80ce2440bdcb2
SSDEEP: 384:WgXAuYWrdqWynuRAF58RmcbQOPktcyH6aGlPZtVfgE:rYWrdWnoAF589bQXtTGl9
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid | Process
  532 | qa7ho15js.exe
- Loads dropped DLL (2 IoCs)
  pid | Process
  2412 | a9f9a3ab3499b2203ca028caf91b4f4a_JaffaCakes118.exe
  2412 | a9f9a3ab3499b2203ca028caf91b4f4a_JaffaCakes118.exe
- YARA rule matches (upx)
  resource | yara_rule
  behavioral1/memory/2412-0-0x0000000000400000-0x0000000000425000-memory.dmp | upx
  behavioral1/files/0x000f000000012782-7.dat | upx
  behavioral1/memory/532-14-0x0000000000400000-0x0000000000425000-memory.dmp | upx
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\LvbdhfngnPQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qa7ho15js.exe" | qa7ho15js.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LvbdhfngnPQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qa7ho15js.exe" | qa7ho15js.exe
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a9f9a3ab3499b2203ca028caf91b4f4a_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qa7ho15js.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 2412 wrote to memory of 532 | 2412 | a9f9a3ab3499b2203ca028caf91b4f4a_JaffaCakes118.exe | 31
  PID 2412 wrote to memory of 532 | 2412 | a9f9a3ab3499b2203ca028caf91b4f4a_JaffaCakes118.exe | 31
  PID 2412 wrote to memory of 532 | 2412 | a9f9a3ab3499b2203ca028caf91b4f4a_JaffaCakes118.exe | 31
  PID 2412 wrote to memory of 532 | 2412 | a9f9a3ab3499b2203ca028caf91b4f4a_JaffaCakes118.exe | 31
Processes
1. C:\Users\Admin\AppData\Local\Temp\a9f9a3ab3499b2203ca028caf91b4f4a_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a9f9a3ab3499b2203ca028caf91b4f4a_JaffaCakes118.exe"
   PID: 2412
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\qa7ho15js.exe (child of PID 2412)
      Command line: C:\Users\Admin\AppData\Local\Temp\qa7ho15js.exe
      PID: 532
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 29KB
MD5: 360e20402a8c96de98fa6b0acac14ff2
SHA1: f676c322657486a6b63bc36a17826a9b944dfd6e
SHA256: 2e40842831bb87e364915d49c0be40b1caa2a1d240acbe9aaf8fbef9ee6c8562
SHA512: ebc5b8335fa6c93c15334b7e28ad7cb1d8296e0e0e1725ec857aa033192b2b81a649e2ed6d80bd20b3e81113ad1b1f3223b3ad2217c3fad5212dbcc0b01236f2