Analysis
- max time kernel: 120s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 21/08/2024, 06:06
Behavioral task: behavioral1
- Sample: b25bfb1a934a87e7a4c507a913309230_JaffaCakes118.exe
- Resource: win7-20240708-en
General
- Target: b25bfb1a934a87e7a4c507a913309230_JaffaCakes118.exe
- Size: 403KB
- MD5: b25bfb1a934a87e7a4c507a913309230
- SHA1: b69115304882c063973cc63dfd38d63291977df2
- SHA256: cf47ed4ad574d5795013ffd6192447854ce56e68fa12983a8f285e1656087892
- SHA512: 8cbe20eb559da5f174e8eb700a8e361fd94a42dee71b7f908f5b63a9d99a7e14a6b15e1a4d20da5709dc2d30de1071485b47392954a99e79fe62bd09a549a2d2
- SSDEEP: 6144:1Ey+E5CZfR0o+Ht1TvtOKlNHi1jbhlI6/PbkS3jlua5ZkfgUzLNK9PGRV:2DE5Cdyo+Ht1TvYKTHGn3vua7kfgPOn
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid | Process
  1240 | Orekoa.exe

- YARA rule matches (resource | yara_rule)
  behavioral1/memory/2972-0-0x0000000000400000-0x0000000000466000-memory.dmp | upx
  behavioral1/memory/2972-9-0x0000000002290000-0x00000000022F6000-memory.dmp | upx
  behavioral1/files/0x0007000000016d92-12.dat | upx

- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\4RBPZMXX4S = "C:\\Windows\\Orekoa.exe" | Orekoa.exe

- Drops file in Windows directory (4 IoCs)
  description | ioc | Process
  File created | C:\Windows\Orekoa.exe | b25bfb1a934a87e7a4c507a913309230_JaffaCakes118.exe
  File opened for modification | C:\Windows\Orekoa.exe | b25bfb1a934a87e7a4c507a913309230_JaffaCakes118.exe
  File created | C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job | b25bfb1a934a87e7a4c507a913309230_JaffaCakes118.exe
  File opened for modification | C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job | b25bfb1a934a87e7a4c507a913309230_JaffaCakes118.exe

- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Orekoa.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b25bfb1a934a87e7a4c507a913309230_JaffaCakes118.exe

- Modifies Internet Explorer settings
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main | Orekoa.exe
  Key created | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main | b25bfb1a934a87e7a4c507a913309230_JaffaCakes118.exe

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  1240 | Orekoa.exe (the same row is listed 64 times in the report)

- Suspicious use of UnmapMainImage (2 IoCs)
  pid | Process
  2972 | b25bfb1a934a87e7a4c507a913309230_JaffaCakes118.exe
  1240 | Orekoa.exe

- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 2972 wrote to memory of 1240 | 2972 | b25bfb1a934a87e7a4c507a913309230_JaffaCakes118.exe | 31
  PID 2972 wrote to memory of 1240 | 2972 | b25bfb1a934a87e7a4c507a913309230_JaffaCakes118.exe | 31
  PID 2972 wrote to memory of 1240 | 2972 | b25bfb1a934a87e7a4c507a913309230_JaffaCakes118.exe | 31
  PID 2972 wrote to memory of 1240 | 2972 | b25bfb1a934a87e7a4c507a913309230_JaffaCakes118.exe | 31
Processes
- C:\Users\Admin\AppData\Local\Temp\b25bfb1a934a87e7a4c507a913309230_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b25bfb1a934a87e7a4c507a913309230_JaffaCakes118.exe"
  PID: 2972
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory

  - C:\Windows\Orekoa.exe (child process of PID 2972)
    Command line: C:\Windows\Orekoa.exe
    PID: 1240
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 403KB
  MD5: b25bfb1a934a87e7a4c507a913309230
  SHA1: b69115304882c063973cc63dfd38d63291977df2
  SHA256: cf47ed4ad574d5795013ffd6192447854ce56e68fa12983a8f285e1656087892
  SHA512: 8cbe20eb559da5f174e8eb700a8e361fd94a42dee71b7f908f5b63a9d99a7e14a6b15e1a4d20da5709dc2d30de1071485b47392954a99e79fe62bd09a549a2d2

- Filesize: 372B
  MD5: 7303acdacc9764aa9f3eb2efaafa4241
  SHA1: 36b804de92b784e023d5e037c3ed33e92ab1ad97
  SHA256: 7f874abb573b43d13a45d26c2cd6d64c304173a79f9b22ab3decfb01b12879f3
  SHA512: b15534e89592fc4e75a3d4ec26545b7f7b7a2991b14e39d50049984b5ee9bdecf26d0228d2c4ae01d49439f0d83ce1364231b6a53c1bf50a2126b1f4c624d8b5