Analysis
- max time kernel: 148s
- max time network: 144s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 23/08/2024, 22:49
Static task: static1
Behavioral task: behavioral1
- Sample: bd79defe4e98b1daa53e815456b0fcfb_JaffaCakes118.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: bd79defe4e98b1daa53e815456b0fcfb_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: bd79defe4e98b1daa53e815456b0fcfb_JaffaCakes118.exe
- Size: 2.5MB
- MD5: bd79defe4e98b1daa53e815456b0fcfb
- SHA1: b90fc77d5d171181487f7ea8a0aa88d0a0702d92
- SHA256: ac8f52671bfb89fe4eaddeb7dffb471205d4dfc88ee3b64efb349027959382e7
- SHA512: 854161c715633ad6b37f2e20673dc8695fc671fba4348a62c11b38ecf5fe7207876ea1430fc6d9722fd6125321c8efd02b5ecd5d06d7da93a046f199bc955ab2
- SSDEEP: 1536:rWW9hZZ+PVGdm9Rb7HDlcDw/sH3lVQ3poAr/kNkFlZBFTcJa:rLpYN4m9LcDw+qqAr/kNAluJa
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid   Process
  2688  Explorer.exe
- Executes dropped EXE (2 IoCs)
  pid   Process
  2688  Explorer.exe
  2752  explorer.exe
- Loads dropped DLL (2 IoCs)
  pid   Process
  2372  bd79defe4e98b1daa53e815456b0fcfb_JaffaCakes118.exe
  2688  Explorer.exe
- Drops file in Program Files directory (5 IoCs)
  description                   ioc                                                  Process
  File opened for modification  C:\Program Files (x86)\Ekdndbtkyo\Path.rcd           bd79defe4e98b1daa53e815456b0fcfb_JaffaCakes118.exe
  File created                  C:\Program Files (x86)\Dtjqmk Doskkpav\Explorer.exe  bd79defe4e98b1daa53e815456b0fcfb_JaffaCakes118.exe
  File opened for modification  C:\Program Files (x86)\Dtjqmk Doskkpav\Explorer.exe  bd79defe4e98b1daa53e815456b0fcfb_JaffaCakes118.exe
  File opened for modification  C:\Program Files (x86)\Ekdndbtkyo\17696              Explorer.exe
  File opened for modification  C:\Program Files (x86)\Ekdndbtkyo\19251              Explorer.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  An attempt to gather information about the system language of a victim host in order to infer its geographical location.
  description  ioc                                                      Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  bd79defe4e98b1daa53e815456b0fcfb_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Explorer.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  explorer.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  2688  Explorer.exe  (all 64 entries are identical)
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                      pid   Process                                              procid_target
  PID 2372 wrote to memory of 2688  2372  bd79defe4e98b1daa53e815456b0fcfb_JaffaCakes118.exe  31
  PID 2372 wrote to memory of 2688  2372  bd79defe4e98b1daa53e815456b0fcfb_JaffaCakes118.exe  31
  PID 2372 wrote to memory of 2688  2372  bd79defe4e98b1daa53e815456b0fcfb_JaffaCakes118.exe  31
  PID 2372 wrote to memory of 2688  2372  bd79defe4e98b1daa53e815456b0fcfb_JaffaCakes118.exe  31
  PID 2688 wrote to memory of 2752  2688  Explorer.exe                                         32
  PID 2688 wrote to memory of 2752  2688  Explorer.exe                                         32
  PID 2688 wrote to memory of 2752  2688  Explorer.exe                                         32
  PID 2688 wrote to memory of 2752  2688  Explorer.exe                                         32
Processes
- C:\Users\Admin\AppData\Local\Temp\bd79defe4e98b1daa53e815456b0fcfb_JaffaCakes118.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\bd79defe4e98b1daa53e815456b0fcfb_JaffaCakes118.exe"
  PID: 2372
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Dtjqmk Doskkpav\Explorer.exe (level 2)
    Command line: .
    PID: 2688
    - Deletes itself
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Dtjqmk Doskkpav\explorer.exe (level 3)
      Command line: explorer.exe
      PID: 2752
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 10KB
  MD5: 69c97278ab9e590932fef729f038b151
  SHA1: 076048304500a16cc37dbd8e3d4c42fbc3364ba3
  SHA256: 89287807eae136d2f00851331e45598287993adfccff325e9251f7107fb93ac6
  SHA512: 8d822d479fa2dff6f77153f3d4ae0efd65e44c0ef768b074d49549e685adcae8ca75c58dab5d4b45558fa65f9a21cd302b73fba12cc7ee5c1db1f71a382c7906
- Filesize: 260B
  MD5: 1e2b8dbe12dd2ffa8619fe195a8fb629
  SHA1: ee44098ec9203129381876786355d6436b54a2d7
  SHA256: edd0202904aa592425636fe529a845edc43bdbc7e7e374952164a69d0416e3f6
  SHA512: ff7cb4b44941a993c1684448ff08c1bd118cbda09ce67cae9a5d4a1d92221a8382c56dba94f1070856242de33fb1edb531933c11ac7dbbe33e207d770c58107a
- Filesize: 6.3MB
  MD5: a7c5fa91e4da9e5acb99e99698426d63
  SHA1: 52ece00b96e727fa84771b2a25ee97a1f91f64e4
  SHA256: 523ae3f6a850d758f8c21f21bdab973663b9d496f43cd83565b5f5bc62c4fab0
  SHA512: e39ad9edfa00bc7fb8db681e8be78db4964f8ba908c8a64d22d1fa07fe2940414322f0afdc94343fce4c31ff8c264c7c25d24b8c282d31e4a2f15aa8d84f3ca3