Analysis
max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 22/08/2024, 15:32
Static task: static1
Behavioral task: behavioral1
  Sample: b82d1cff5aa85ebd804d927d80497198_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: b82d1cff5aa85ebd804d927d80497198_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: b82d1cff5aa85ebd804d927d80497198_JaffaCakes118.exe
Size: 383KB
MD5: b82d1cff5aa85ebd804d927d80497198
SHA1: fbedddc09a4289f7e71234a34994523d19dee6c5
SHA256: bf6701b1b532beb1c319bad6e58060546a0d3a5ec3e37e614d1044783337199c
SHA512: 44f757b8b352f39bcc1b72f324a15a0e823f1f6d77554a9060a05e3bdc8824452a1cc38e099fd2b73132bcd4264c04117be5f27ec85e271ad6ed69e1d788864a
SSDEEP: 6144:oo/MZP+H/3L56PEUzduvxw3gy8nQ7I2ToIk4ou1zCIufyRd1mJJ4HdRpyjsZ8Bz7:pE2HDGUvnu4You1nLRrY27pp
Malware Config
Signatures

Deletes itself (1 IoC)
  pid   Process
  2980  cmd.exe

Executes dropped EXE (1 IoC)
  pid   Process
  3040  ddgop.exe

Drops file in Windows directory (3 IoCs)
  description                   ioc                      Process
  File created                  C:\Windows\ddgop.exe     b82d1cff5aa85ebd804d927d80497198_JaffaCakes118.exe
  File opened for modification  C:\Windows\ddgop.exe     b82d1cff5aa85ebd804d927d80497198_JaffaCakes118.exe
  File created                  C:\Windows\wninstal.bat  b82d1cff5aa85ebd804d927d80497198_JaffaCakes118.exe

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ddgop.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  b82d1cff5aa85ebd804d927d80497198_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (11 IoCs)
  description                        pid   Process                                              procid_target
  PID 3040 wrote to memory of 2056   3040  ddgop.exe                                            32  (4 identical entries)
  PID 3032 wrote to memory of 2980   3032  b82d1cff5aa85ebd804d927d80497198_JaffaCakes118.exe  33  (7 identical entries)
Processes

C:\Users\Admin\AppData\Local\Temp\b82d1cff5aa85ebd804d927d80497198_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b82d1cff5aa85ebd804d927d80497198_JaffaCakes118.exe"
  PID: 3032
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  └─ C:\Windows\SysWOW64\cmd.exe
       Command line: cmd /c C:\Windows\wninstal.bat
       PID: 2980
       - Deletes itself
       - System Location Discovery: System Language Discovery

C:\Windows\ddgop.exe
  Command line: C:\Windows\ddgop.exe
  PID: 3040
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  └─ C:\Program Files\Internet Explorer\IEXPLORE.EXE
       Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
       PID: 2056
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 383KB
MD5: b82d1cff5aa85ebd804d927d80497198
SHA1: fbedddc09a4289f7e71234a34994523d19dee6c5
SHA256: bf6701b1b532beb1c319bad6e58060546a0d3a5ec3e37e614d1044783337199c
SHA512: 44f757b8b352f39bcc1b72f324a15a0e823f1f6d77554a9060a05e3bdc8824452a1cc38e099fd2b73132bcd4264c04117be5f27ec85e271ad6ed69e1d788864a

Filesize: 218B
MD5: 343b12223d2e03162a5334cce0a79d43
SHA1: f6c83adf3109dad858627b885b10bdea3822cdd1
SHA256: 02af40c65ae92b280154b63e719af157aa27e475ddac5d9c66e912c49d6ce39c
SHA512: ac47008f9caa4f1d0cda934c6a6014e5a0054d215d32107980e6b1d2d583d26ce6031a051b61e31959d90af0533036a98724016ed6b10a2e66bd921c39ce7be5