Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 148s
- max time network: 16s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 23/08/2024, 23:31
Static task: static1
Behavioral task: behavioral1
- Sample: bd90527a6304966f207aef5eaae4afc4_JaffaCakes118.exe
- Resource: win7-20240729-en
Behavioral task: behavioral2
- Sample: bd90527a6304966f207aef5eaae4afc4_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: bd90527a6304966f207aef5eaae4afc4_JaffaCakes118.exe
- Size: 581KB
- MD5: bd90527a6304966f207aef5eaae4afc4
- SHA1: 0662230505770c9e0cfe3dbbb3503582c0406849
- SHA256: 0ac953d9759d3df8934cfd15e86faa4e224bd00597fd4a100240c48af2323ad0
- SHA512: 7ca5ba5daf16cba8fac5f709bce10e701dc1d1bcd7d2fb89eab751c5a3d7d3fad1849575ed2b62f60969919d9bbaea1aea856bcc6c9707a1ed6d4d440167b6af
- SSDEEP: 12288:dSgDXo7JnfII49PY26m5rfqJG2Sl1cY8uXDj/C+39b:dpDY7FI99PD66WE7OiDzB
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid   Process
  2516  msiexec16.exe
- Loads dropped DLL (6 IoCs)
  pid   Process
  3040  bd90527a6304966f207aef5eaae4afc4_JaffaCakes118.exe
  3040  bd90527a6304966f207aef5eaae4afc4_JaffaCakes118.exe
  2256  WerFault.exe
  2256  WerFault.exe
  2256  WerFault.exe
  2256  WerFault.exe
- Drops file in System32 directory (3 IoCs)
  description                   ioc                                    Process
  File created                  \??\c:\windows\SysWOW64\mpldfg.exe     bd90527a6304966f207aef5eaae4afc4_JaffaCakes118.exe
  File opened for modification  \??\c:\windows\SysWOW64\mpldfg.exe     bd90527a6304966f207aef5eaae4afc4_JaffaCakes118.exe
  File created                  \??\c:\windows\SysWOW64\msiexec16.exe  bd90527a6304966f207aef5eaae4afc4_JaffaCakes118.exe
- Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  2256  2516        WerFault.exe  29
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  bd90527a6304966f207aef5eaae4afc4_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  msiexec16.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   Process
  3040  bd90527a6304966f207aef5eaae4afc4_JaffaCakes118.exe
  3040  bd90527a6304966f207aef5eaae4afc4_JaffaCakes118.exe
  2516  msiexec16.exe
  2516  msiexec16.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  3040  bd90527a6304966f207aef5eaae4afc4_JaffaCakes118.exe
  Token: SeDebugPrivilege  3040  bd90527a6304966f207aef5eaae4afc4_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                       pid   Process                                             procid_target
  PID 3040 wrote to memory of 2516  3040  bd90527a6304966f207aef5eaae4afc4_JaffaCakes118.exe  29
  PID 3040 wrote to memory of 2516  3040  bd90527a6304966f207aef5eaae4afc4_JaffaCakes118.exe  29
  PID 3040 wrote to memory of 2516  3040  bd90527a6304966f207aef5eaae4afc4_JaffaCakes118.exe  29
  PID 3040 wrote to memory of 2516  3040  bd90527a6304966f207aef5eaae4afc4_JaffaCakes118.exe  29
  PID 2516 wrote to memory of 2256  2516  msiexec16.exe                                       30
  PID 2516 wrote to memory of 2256  2516  msiexec16.exe                                       30
  PID 2516 wrote to memory of 2256  2516  msiexec16.exe                                       30
  PID 2516 wrote to memory of 2256  2516  msiexec16.exe                                       30
Processes
- C:\Users\Admin\AppData\Local\Temp\bd90527a6304966f207aef5eaae4afc4_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bd90527a6304966f207aef5eaae4afc4_JaffaCakes118.exe"
  PID: 3040
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - \??\c:\windows\SysWOW64\msiexec16.exe
    Command line: "c:\windows\system32\msiexec16.exe"
    PID: 2516
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 92
      PID: 2256
      - Loads dropped DLL
      - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 581KB
  MD5: bd90527a6304966f207aef5eaae4afc4
  SHA1: 0662230505770c9e0cfe3dbbb3503582c0406849
  SHA256: 0ac953d9759d3df8934cfd15e86faa4e224bd00597fd4a100240c48af2323ad0
  SHA512: 7ca5ba5daf16cba8fac5f709bce10e701dc1d1bcd7d2fb89eab751c5a3d7d3fad1849575ed2b62f60969919d9bbaea1aea856bcc6c9707a1ed6d4d440167b6af