Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 141s
max time network: 17s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 20/08/2024, 14:35
Behavioral task: behavioral1
Sample: af9b49382fd1ea3aa712c56aad185e93_JaffaCakes118.exe
Resource: win7-20240729-en
General
Target: af9b49382fd1ea3aa712c56aad185e93_JaffaCakes118.exe
Size: 500KB
MD5: af9b49382fd1ea3aa712c56aad185e93
SHA1: c3d600c76d232799d429b4626edc5f886f2bd2d3
SHA256: d8c412ae42dea69fdce6a80c697bc15b6c1e246565f4af1964e0f9e3a1004074
SHA512: 63d14399aa66cc53a308be9d244706c2df7aec09d1d5427981ddb8b078f48fea20d77b147c4862fb3c88b386cc93635abe3f807d0ec9f7d573288b3ff2a908e7
SSDEEP: 12288:wgYawyT9ee45i16+8GrkroHg3YS/XgMvizOvLdoTRY:rYN3e4g1v8tEHLS/XbiKLuV
Malware Config
Signatures
- Loads dropped DLL (1 IoC)
  pid 2144, process af9b49382fd1ea3aa712c56aad185e93_JaffaCakes118.exe
- Memory regions matching yara rule upx (resource / yara_rule)
  behavioral1/memory/2268-0-0x0000000000400000-0x000000000048C000-memory.dmp: upx
  behavioral1/memory/2268-8-0x0000000000400000-0x000000000048C000-memory.dmp: upx
  behavioral1/memory/2268-18-0x0000000001C90000-0x0000000001D1C000-memory.dmp: upx
- Suspicious use of SetThreadContext (1 IoC)
  description: PID 2268 set thread context of 2144; pid 2268, process af9b49382fd1ea3aa712c56aad185e93_JaffaCakes118.exe, procid_target 29
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; process: af9b49382fd1ea3aa712c56aad185e93_JaffaCakes118.exe
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; process: af9b49382fd1ea3aa712c56aad185e93_JaffaCakes118.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid 2144, process af9b49382fd1ea3aa712c56aad185e93_JaffaCakes118.exe
- Suspicious use of SendNotifyMessage (1 IoC)
  pid 2144, process af9b49382fd1ea3aa712c56aad185e93_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (6 IoCs, all identical)
  description: PID 2268 wrote to memory of 2144; pid 2268, process af9b49382fd1ea3aa712c56aad185e93_JaffaCakes118.exe, procid_target 29 (reported 6 times)
Processes
C:\Users\Admin\AppData\Local\Temp\af9b49382fd1ea3aa712c56aad185e93_JaffaCakes118.exe "C:\Users\Admin\AppData\Local\Temp\af9b49382fd1ea3aa712c56aad185e93_JaffaCakes118.exe" (PID 2268)
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\af9b49382fd1ea3aa712c56aad185e93_JaffaCakes118.exe "C:\Users\Admin\AppData\Local\Temp\af9b49382fd1ea3aa712c56aad185e93_JaffaCakes118.exe" (PID 2144, child of PID 2268)
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 84KB
MD5: 78bd7f85d17bf25377d895cda042e663
SHA1: 7a2997106287c763bc898e4fd7d516145dc2539b
SHA256: 1c888945ca459fd4d8c0ee2f8df2bfd9c4dadac72c3bcf3238d862e8f67acd25
SHA512: a06206356f7b378c1958d441944691ef4036c9a68963abb51b62e03c4582d8932051daf82468b29b31493b5479808351bf6286eb36cc4bf299ebabe6bcc67ea3