Analysis
- max time kernel: 141s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 22/08/2024, 00:44
Static task: static1
Behavioral task: behavioral1
- Sample: b5b1d763703c33438c101d5e1bf6d09c_JaffaCakes118.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: b5b1d763703c33438c101d5e1bf6d09c_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: b5b1d763703c33438c101d5e1bf6d09c_JaffaCakes118.exe
- Size: 1.6MB
- MD5: b5b1d763703c33438c101d5e1bf6d09c
- SHA1: 199e28b5e26a679abd193ffc215f9fbd5c8062aa
- SHA256: 0a4ff2e067fe1644dfca1f3542bc44c86e05c67ec454b7a4775a8a15afa8e367
- SHA512: 44a3290d6c935276da2c7285980a2027df76a7c9b78fe3afb049a6abdb39729f6bf259646698b46bf56485742fcbcbd0556b06c3085d092a272573282093c1ec
- SSDEEP: 24576:UjxJRkKup3nSivnVM2EgFurReZLX23nHxNawI7JRgRRczuf1van6gG/9Kwfmwk:0ivV5iWLXwnzEyqzkExw
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid / Process:
  2156 win32.exe
- Loads dropped DLL (6 IoCs)
  pid / Process:
  2076 b5b1d763703c33438c101d5e1bf6d09c_JaffaCakes118.exe (2 entries)
  3012 WerFault.exe (4 entries)
- Adds Run key to start application (2 TTPs, 1 IoC)
  description / ioc / Process:
  Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\runAPI46 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\runAPI93.exe\"" b5b1d763703c33438c101d5e1bf6d09c_JaffaCakes118.exe
- Suspicious use of SetThreadContext (1 IoC)
  description / pid / Process / procid_target:
  PID 2076 set thread context of 2156 (process 2076 b5b1d763703c33438c101d5e1bf6d09c_JaffaCakes118.exe, procid_target 30)
- Program crash (1 IoC)
  pid / pid_target / Process / procid_target:
  3012 2156 WerFault.exe 30
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process:
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language win32.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b5b1d763703c33438c101d5e1bf6d09c_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  description / pid / Process / procid_target:
  PID 2076 wrote to memory of 2156 (process 2076 b5b1d763703c33438c101d5e1bf6d09c_JaffaCakes118.exe, procid_target 30) (11 entries)
  PID 2156 wrote to memory of 3012 (process 2156 win32.exe, procid_target 31) (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\b5b1d763703c33438c101d5e1bf6d09c_JaffaCakes118.exe (PID 2076)
  command line: "C:\Users\Admin\AppData\Local\Temp\b5b1d763703c33438c101d5e1bf6d09c_JaffaCakes118.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\win32.exe (PID 2156, child of 2076)
    command line: C:\Users\Admin\AppData\Local\Temp\win32.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe (PID 3012, child of 2156)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 96
      - Loads dropped DLL
      - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 4KB
  MD5: 5e5ecae8b08152c885904cde71c50dad
  SHA1: 727f24d102ab29be690c783ddc149b3a39430fb6
  SHA256: b3550952a2474802ae5f2d2d7e75987ccd7ca23baa8ba015c3eaa6fd04b55541
  SHA512: dd6287a8471aa575abbcf46300ac64a170c0cb19052d779c7bc0899149c6114a4e42520756dae1598e18458d94522d6c7701a7bc3a37067ac2a1616dbbf8e5ea