Analysis
  max time kernel:  121s
  max time network: 122s
  platform:         windows7_x64
  resource:         win7-20240705-en
  resource tags:    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  submitted:        20/08/2024, 01:37
Static task
  static1

Behavioral task
  behavioral1
    Sample:   ad6700c445a71ef5d49306020b68b4bd_JaffaCakes118.exe
    Resource: win7-20240705-en

Behavioral task
  behavioral2
    Sample:   ad6700c445a71ef5d49306020b68b4bd_JaffaCakes118.exe
    Resource: win10v2004-20240802-en
General
  Target: ad6700c445a71ef5d49306020b68b4bd_JaffaCakes118.exe
  Size:   659KB
  MD5:    ad6700c445a71ef5d49306020b68b4bd
  SHA1:   13c1d42fe08bb73c7dc9803f465948d795dec024
  SHA256: 504370bff5d32211958f4b1af65a7e50730fafdf22755a7a705f7835220557e6
  SHA512: a2fa42061200206d214640fbcfc4f2658cb09a8a35c8159db617629fd9cf2e0428b8bf8bbc3d13ae28d93d6d3d055a8632c8489907070813e44c5fd2816b3040
  SSDEEP: 12288:zmKx0QHdkSK8OzIM3LijOAu4Q097IAcP3L+mlRnIX3H3fTkv:zmnKkiiGjOA197IAcPLlRn6Hwv
Malware Config
Signatures
Uses the VBS compiler for execution (1 TTPs)

Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Set value (str)
    ioc:     \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\Firefox = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ad6700c445a71ef5d49306020b68b4bd_JaffaCakes118.exe"
    Process: ad6700c445a71ef5d49306020b68b4bd_JaffaCakes118.exe
  description: Set value (str)
    ioc:     \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCachead6700c445a71ef5d49306020b68b4bd_JaffaCakes118.exe"
    Process: ad6700c445a71ef5d49306020b68b4bd_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description                        pid   Process                                              procid_target
  PID 3064 wrote to memory of 2872   3064  ad6700c445a71ef5d49306020b68b4bd_JaffaCakes118.exe   30
  PID 3064 wrote to memory of 2872   3064  ad6700c445a71ef5d49306020b68b4bd_JaffaCakes118.exe   30
  PID 3064 wrote to memory of 2872   3064  ad6700c445a71ef5d49306020b68b4bd_JaffaCakes118.exe   30
  PID 3064 wrote to memory of 2872   3064  ad6700c445a71ef5d49306020b68b4bd_JaffaCakes118.exe   30
Processes
  C:\Users\Admin\AppData\Local\Temp\ad6700c445a71ef5d49306020b68b4bd_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ad6700c445a71ef5d49306020b68b4bd_JaffaCakes118.exe"
    PID: 3064
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      PID: 2872