Analysis
- max time kernel: 142s
- max time network: 19s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 20/08/2024, 18:55
Static task: static1
Behavioral task: behavioral1
- Sample: b06eed81f84cb14877870a084249dd7c_JaffaCakes118.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: b06eed81f84cb14877870a084249dd7c_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: b06eed81f84cb14877870a084249dd7c_JaffaCakes118.exe
- Size: 348KB
- MD5: b06eed81f84cb14877870a084249dd7c
- SHA1: c1899cd96b5cb62a3245ffd8f1a7e2583af044c7
- SHA256: 4f5113291c089577e0e55ed1f5bccfc8844cb0d52e3193d8620ae0c6ceecbcbe
- SHA512: b0bdc4c35849b954073fc95f722d9f9fcdeda6064763c7946c5e15e9a318823303f9196767ff022d2a810125cf39fa28f2887fa8c3fd248b17e22bdcf2527de3
- SSDEEP: 6144:jlt0FBuElqMfzP+qVoEw8vApAWjg/qQYdpsh8I1lfJCpN53KhpKVH/5B2BLyOSMK:xKaExfr+qVrwYApTgXYw88fwupqfM+
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 2700, Process: cmd.exe
- Executes dropped EXE (1 IoC)
  pid 2212, Process: Svghost.exe
- Drops file in System32 directory (2 IoCs)
  File created: C:\Windows\SysWOW64\_Svghost.exe (Process: Svghost.exe)
  File opened for modification: C:\Windows\SysWOW64\_Svghost.exe (Process: Svghost.exe)
- Suspicious use of SetThreadContext (1 IoC)
  PID 2212 set thread context of 2736 (Process: Svghost.exe, procid_target: 30)
- Drops file in Windows directory (3 IoCs)
  File created: C:\Windows\Delet.bat (Process: b06eed81f84cb14877870a084249dd7c_JaffaCakes118.exe)
  File created: C:\Windows\Svghost.exe (Process: b06eed81f84cb14877870a084249dd7c_JaffaCakes118.exe)
  File opened for modification: C:\Windows\Svghost.exe (Process: b06eed81f84cb14877870a084249dd7c_JaffaCakes118.exe)
- Program crash (1 IoC)
  pid 2836, pid_target 2212, Process: WerFault.exe, procid_target: 29
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: b06eed81f84cb14877870a084249dd7c_JaffaCakes118.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: Svghost.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: cmd.exe)
- Suspicious use of WriteProcessMemory (18 IoCs)
  PID 2452 wrote to memory of 2212 (Process: b06eed81f84cb14877870a084249dd7c_JaffaCakes118.exe, procid_target: 29), logged 4 times
  PID 2212 wrote to memory of 2736 (Process: Svghost.exe, procid_target: 30), logged 6 times
  PID 2212 wrote to memory of 2836 (Process: Svghost.exe, procid_target: 31), logged 4 times
  PID 2452 wrote to memory of 2700 (Process: b06eed81f84cb14877870a084249dd7c_JaffaCakes118.exe, procid_target: 32), logged 4 times
Processes
- C:\Users\Admin\AppData\Local\Temp\b06eed81f84cb14877870a084249dd7c_JaffaCakes118.exe (PID 2452)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b06eed81f84cb14877870a084249dd7c_JaffaCakes118.exe"
  Signatures: Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Windows\Svghost.exe (PID 2212)
    Command line: C:\Windows\Svghost.exe
    Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\notepad.exe (PID 2736)
      Command line: "C:\Windows\system32\notepad.exe"
    - C:\Windows\SysWOW64\WerFault.exe (PID 2836)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 300
      Signatures: Program crash
  - C:\Windows\SysWOW64\cmd.exe (PID 2700)
    Command line: cmd /c C:\Windows\Delet.bat
    Signatures: Deletes itself; System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 212B
  MD5: 8c844080436bf4513b773e434d067278
  SHA1: 371fcefe7b168ae2666992276fa413b0d6068c0e
  SHA256: ea4df1a75c60896077884a21389a6757af9bcf963cf0ccfee6f68f513d348a8c
  SHA512: 22eb8009dc761a94d64a79bc43d9f675ab0c4d864884823bc51fb913ec1e2e33f708d6864556e272fb227065ab355f1e8d230969b3cd1723254bdd5575c664db
- Filesize: 348KB
  MD5: b06eed81f84cb14877870a084249dd7c
  SHA1: c1899cd96b5cb62a3245ffd8f1a7e2583af044c7
  SHA256: 4f5113291c089577e0e55ed1f5bccfc8844cb0d52e3193d8620ae0c6ceecbcbe
  SHA512: b0bdc4c35849b954073fc95f722d9f9fcdeda6064763c7946c5e15e9a318823303f9196767ff022d2a810125cf39fa28f2887fa8c3fd248b17e22bdcf2527de3