Analysis
- max time kernel: 147s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 23/08/2024, 02:13
Static task: static1

Behavioral task: behavioral1
- Sample: b9f73cd1ea5fd1d485c7e3a3d0873c08_JaffaCakes118.exe
- Resource: win7-20240708-en

Behavioral task: behavioral2
- Sample: b9f73cd1ea5fd1d485c7e3a3d0873c08_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: b9f73cd1ea5fd1d485c7e3a3d0873c08_JaffaCakes118.exe
- Size: 64KB
- MD5: b9f73cd1ea5fd1d485c7e3a3d0873c08
- SHA1: 83f67cd5bd33dadf12bb4dfc3c9afc21d925cc9a
- SHA256: c7c077976ad3339b98e9346c33232e64135b9a6a36c7f084c781977b8569bf49
- SHA512: bec6ed0b82b403148c8b11da476ea44a7594c8c31ea35a91e75b8d31f5333a49a60ccb4526d26fe3cadc85ec89e55e150ee92953a8f6da5f764f695b1ec5c1de
- SSDEEP: 1536:uzoTLHgIIvy4pXBCwl6K1YiC0OfBPy4BFNV4LM:XTLHVlQXBxhWly0F0LM
Malware Config
Signatures
- Executes dropped EXE (10 IoCs)

| pid | Process |
|---|---|
| 2320 | svcchosst.exe |
| 2892 | svcchosst.exe |
| 2764 | svcchosst.exe |
| 2608 | svcchosst.exe |
| 860 | svcchosst.exe |
| 1784 | svcchosst.exe |
| 1512 | svcchosst.exe |
| 2584 | svcchosst.exe |
| 1956 | svcchosst.exe |
| 948 | svcchosst.exe |
- Loads dropped DLL (20 IoCs)

| pid | Process |
|---|---|
| 2680 | b9f73cd1ea5fd1d485c7e3a3d0873c08_JaffaCakes118.exe |
| 2680 | b9f73cd1ea5fd1d485c7e3a3d0873c08_JaffaCakes118.exe |
| 2320 | svcchosst.exe |
| 2320 | svcchosst.exe |
| 2892 | svcchosst.exe |
| 2892 | svcchosst.exe |
| 2764 | svcchosst.exe |
| 2764 | svcchosst.exe |
| 2608 | svcchosst.exe |
| 2608 | svcchosst.exe |
| 860 | svcchosst.exe |
| 860 | svcchosst.exe |
| 1784 | svcchosst.exe |
| 1784 | svcchosst.exe |
| 1512 | svcchosst.exe |
| 1512 | svcchosst.exe |
| 2584 | svcchosst.exe |
| 2584 | svcchosst.exe |
| 1956 | svcchosst.exe |
| 1956 | svcchosst.exe |
- Drops file in System32 directory (22 IoCs)

| description | ioc | Process |
|---|---|---|
| File created | C:\Windows\SysWOW64\svcchosst.exe | svcchosst.exe |
| File created | C:\Windows\SysWOW64\svcchosst.exe | svcchosst.exe |
| File opened for modification | C:\Windows\SysWOW64\svcchosst.exe | svcchosst.exe |
| File created | C:\Windows\SysWOW64\svcchosst.exe | svcchosst.exe |
| File opened for modification | C:\Windows\SysWOW64\svcchosst.exe | svcchosst.exe |
| File opened for modification | C:\Windows\SysWOW64\svcchosst.exe | svcchosst.exe |
| File created | C:\Windows\SysWOW64\svcchosst.exe | svcchosst.exe |
| File opened for modification | C:\Windows\SysWOW64\svcchosst.exe | svcchosst.exe |
| File created | C:\Windows\SysWOW64\svcchosst.exe | svcchosst.exe |
| File opened for modification | C:\Windows\SysWOW64\svcchosst.exe | svcchosst.exe |
| File created | C:\Windows\SysWOW64\svcchosst.exe | svcchosst.exe |
| File opened for modification | C:\Windows\SysWOW64\svcchosst.exe | svcchosst.exe |
| File opened for modification | C:\Windows\SysWOW64\svcchosst.exe | svcchosst.exe |
| File opened for modification | C:\Windows\SysWOW64\svcchosst.exe | svcchosst.exe |
| File opened for modification | C:\Windows\SysWOW64\svcchosst.exe | svcchosst.exe |
| File created | C:\Windows\SysWOW64\svcchosst.exe | b9f73cd1ea5fd1d485c7e3a3d0873c08_JaffaCakes118.exe |
| File opened for modification | C:\Windows\SysWOW64\svcchosst.exe | b9f73cd1ea5fd1d485c7e3a3d0873c08_JaffaCakes118.exe |
| File created | C:\Windows\SysWOW64\svcchosst.exe | svcchosst.exe |
| File created | C:\Windows\SysWOW64\svcchosst.exe | svcchosst.exe |
| File created | C:\Windows\SysWOW64\svcchosst.exe | svcchosst.exe |
| File opened for modification | C:\Windows\SysWOW64\svcchosst.exe | svcchosst.exe |
| File created | C:\Windows\SysWOW64\svcchosst.exe | svcchosst.exe |
- System Location Discovery: System Language Discovery (1 TTP, 11 IoCs)

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svcchosst.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svcchosst.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svcchosst.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svcchosst.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svcchosst.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svcchosst.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svcchosst.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svcchosst.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svcchosst.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b9f73cd1ea5fd1d485c7e3a3d0873c08_JaffaCakes118.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svcchosst.exe |
- Suspicious use of WriteProcessMemory (40 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 2680 wrote to memory of 2320 | 2680 | b9f73cd1ea5fd1d485c7e3a3d0873c08_JaffaCakes118.exe | 30 |
| PID 2680 wrote to memory of 2320 | 2680 | b9f73cd1ea5fd1d485c7e3a3d0873c08_JaffaCakes118.exe | 30 |
| PID 2680 wrote to memory of 2320 | 2680 | b9f73cd1ea5fd1d485c7e3a3d0873c08_JaffaCakes118.exe | 30 |
| PID 2680 wrote to memory of 2320 | 2680 | b9f73cd1ea5fd1d485c7e3a3d0873c08_JaffaCakes118.exe | 30 |
| PID 2320 wrote to memory of 2892 | 2320 | svcchosst.exe | 32 |
| PID 2320 wrote to memory of 2892 | 2320 | svcchosst.exe | 32 |
| PID 2320 wrote to memory of 2892 | 2320 | svcchosst.exe | 32 |
| PID 2320 wrote to memory of 2892 | 2320 | svcchosst.exe | 32 |
| PID 2892 wrote to memory of 2764 | 2892 | svcchosst.exe | 33 |
| PID 2892 wrote to memory of 2764 | 2892 | svcchosst.exe | 33 |
| PID 2892 wrote to memory of 2764 | 2892 | svcchosst.exe | 33 |
| PID 2892 wrote to memory of 2764 | 2892 | svcchosst.exe | 33 |
| PID 2764 wrote to memory of 2608 | 2764 | svcchosst.exe | 34 |
| PID 2764 wrote to memory of 2608 | 2764 | svcchosst.exe | 34 |
| PID 2764 wrote to memory of 2608 | 2764 | svcchosst.exe | 34 |
| PID 2764 wrote to memory of 2608 | 2764 | svcchosst.exe | 34 |
| PID 2608 wrote to memory of 860 | 2608 | svcchosst.exe | 35 |
| PID 2608 wrote to memory of 860 | 2608 | svcchosst.exe | 35 |
| PID 2608 wrote to memory of 860 | 2608 | svcchosst.exe | 35 |
| PID 2608 wrote to memory of 860 | 2608 | svcchosst.exe | 35 |
| PID 860 wrote to memory of 1784 | 860 | svcchosst.exe | 36 |
| PID 860 wrote to memory of 1784 | 860 | svcchosst.exe | 36 |
| PID 860 wrote to memory of 1784 | 860 | svcchosst.exe | 36 |
| PID 860 wrote to memory of 1784 | 860 | svcchosst.exe | 36 |
| PID 1784 wrote to memory of 1512 | 1784 | svcchosst.exe | 37 |
| PID 1784 wrote to memory of 1512 | 1784 | svcchosst.exe | 37 |
| PID 1784 wrote to memory of 1512 | 1784 | svcchosst.exe | 37 |
| PID 1784 wrote to memory of 1512 | 1784 | svcchosst.exe | 37 |
| PID 1512 wrote to memory of 2584 | 1512 | svcchosst.exe | 38 |
| PID 1512 wrote to memory of 2584 | 1512 | svcchosst.exe | 38 |
| PID 1512 wrote to memory of 2584 | 1512 | svcchosst.exe | 38 |
| PID 1512 wrote to memory of 2584 | 1512 | svcchosst.exe | 38 |
| PID 2584 wrote to memory of 1956 | 2584 | svcchosst.exe | 39 |
| PID 2584 wrote to memory of 1956 | 2584 | svcchosst.exe | 39 |
| PID 2584 wrote to memory of 1956 | 2584 | svcchosst.exe | 39 |
| PID 2584 wrote to memory of 1956 | 2584 | svcchosst.exe | 39 |
| PID 1956 wrote to memory of 948 | 1956 | svcchosst.exe | 40 |
| PID 1956 wrote to memory of 948 | 1956 | svcchosst.exe | 40 |
| PID 1956 wrote to memory of 948 | 1956 | svcchosst.exe | 40 |
| PID 1956 wrote to memory of 948 | 1956 | svcchosst.exe | 40 |
Processes
- C:\Users\Admin\AppData\Local\Temp\b9f73cd1ea5fd1d485c7e3a3d0873c08_JaffaCakes118.exe (tree depth 1, PID 2680)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b9f73cd1ea5fd1d485c7e3a3d0873c08_JaffaCakes118.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\svcchosst.exe (tree depth 2, PID 2320)
  Command line: C:\Windows\system32\svcchosst.exe 504 "C:\Users\Admin\AppData\Local\Temp\b9f73cd1ea5fd1d485c7e3a3d0873c08_JaffaCakes118.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\svcchosst.exe (tree depth 3, PID 2892)
  Command line: C:\Windows\system32\svcchosst.exe 516 "C:\Windows\SysWOW64\svcchosst.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\svcchosst.exe (tree depth 4, PID 2764)
  Command line: C:\Windows\system32\svcchosst.exe 508 "C:\Windows\SysWOW64\svcchosst.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\svcchosst.exe (tree depth 5, PID 2608)
  Command line: C:\Windows\system32\svcchosst.exe 512 "C:\Windows\SysWOW64\svcchosst.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\svcchosst.exe (tree depth 6, PID 860)
  Command line: C:\Windows\system32\svcchosst.exe 520 "C:\Windows\SysWOW64\svcchosst.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\svcchosst.exe (tree depth 7, PID 1784)
  Command line: C:\Windows\system32\svcchosst.exe 524 "C:\Windows\SysWOW64\svcchosst.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\svcchosst.exe (tree depth 8, PID 1512)
  Command line: C:\Windows\system32\svcchosst.exe 528 "C:\Windows\SysWOW64\svcchosst.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\svcchosst.exe (tree depth 9, PID 2584)
  Command line: C:\Windows\system32\svcchosst.exe 532 "C:\Windows\SysWOW64\svcchosst.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\svcchosst.exe (tree depth 10, PID 1956)
  Command line: C:\Windows\system32\svcchosst.exe 544 "C:\Windows\SysWOW64\svcchosst.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\svcchosst.exe (tree depth 11, PID 948)
  Command line: C:\Windows\system32\svcchosst.exe 536 "C:\Windows\SysWOW64\svcchosst.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 64KB
- MD5: b9f73cd1ea5fd1d485c7e3a3d0873c08
- SHA1: 83f67cd5bd33dadf12bb4dfc3c9afc21d925cc9a
- SHA256: c7c077976ad3339b98e9346c33232e64135b9a6a36c7f084c781977b8569bf49
- SHA512: bec6ed0b82b403148c8b11da476ea44a7594c8c31ea35a91e75b8d31f5333a49a60ccb4526d26fe3cadc85ec89e55e150ee92953a8f6da5f764f695b1ec5c1de