Analysis
max time kernel: 121s
max time network: 123s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 23/08/2024, 16:46
Static task: static1
Behavioral task: behavioral1
  Sample: bc889dcdb34831817a9c3a6a23953da6_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: bc889dcdb34831817a9c3a6a23953da6_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: bc889dcdb34831817a9c3a6a23953da6_JaffaCakes118.exe
Size: 86KB
MD5: bc889dcdb34831817a9c3a6a23953da6
SHA1: 2c2fe6ef9440698d4172078a63514a2fcef01f99
SHA256: d6cded65eb7a451c6431e37f84dd154b22e22c51cbb2961680536b8e50f2d1af
SHA512: 2d410c31210d53a736295cf836aee4b9caa133ad55e03fc144c4b75894c8e1ec89943cdc3d50e7fc10618f98811491154766099e87eb4ffa0bb8daa6234f4f00
SSDEEP: 1536:j5GJEhlcbW5sk19lfLvbeIbXWm+nwN6JOs5ga3R6mQD0tbS7rsgAQG917oOthTdA:tGu99lfzqIbXWm+w0Jn5J3RSwgkP7w
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
pid    Process
2904   6.exe
18516  6.exe

Loads dropped DLL (3 IoCs)
pid    Process
1960   bc889dcdb34831817a9c3a6a23953da6_JaffaCakes118.exe
1960   bc889dcdb34831817a9c3a6a23953da6_JaffaCakes118.exe
2904   6.exe

Adds Run key to start application (2 TTPs, 1 IoC)
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
Process: bc889dcdb34831817a9c3a6a23953da6_JaffaCakes118.exe

Suspicious use of SetThreadContext (1 IoC)
description                           pid   Process  procid_target
PID 2904 set thread context of 18516  2904  6.exe    31

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  bc889dcdb34831817a9c3a6a23953da6_JaffaCakes118.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  6.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  6.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description                        pid   Process                                             procid_target
PID 1960 wrote to memory of 2904   1960  bc889dcdb34831817a9c3a6a23953da6_JaffaCakes118.exe  30
PID 1960 wrote to memory of 2904   1960  bc889dcdb34831817a9c3a6a23953da6_JaffaCakes118.exe  30
PID 1960 wrote to memory of 2904   1960  bc889dcdb34831817a9c3a6a23953da6_JaffaCakes118.exe  30
PID 1960 wrote to memory of 2904   1960  bc889dcdb34831817a9c3a6a23953da6_JaffaCakes118.exe  30
PID 2904 wrote to memory of 18516  2904  6.exe                                               31
PID 2904 wrote to memory of 18516  2904  6.exe                                               31
PID 2904 wrote to memory of 18516  2904  6.exe                                               31
PID 2904 wrote to memory of 18516  2904  6.exe                                               31
PID 2904 wrote to memory of 18516  2904  6.exe                                               31
PID 2904 wrote to memory of 18516  2904  6.exe                                               31
PID 2904 wrote to memory of 18516  2904  6.exe                                               31
PID 2904 wrote to memory of 18516  2904  6.exe                                               31
Processes

1. C:\Users\Admin\AppData\Local\Temp\bc889dcdb34831817a9c3a6a23953da6_JaffaCakes118.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\bc889dcdb34831817a9c3a6a23953da6_JaffaCakes118.exe"
   PID: 1960
   - Loads dropped DLL
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6.exe
      PID: 2904
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6.exe
         command line: "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6.exe"
         PID: 18516
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
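Two points in the signature tables and process tree above are worth separating when triaging this report. First, the RunOnce value (wextract_cleanup0 pointing rundll32 at advpack.dll,DelNodeRunDLL32 on the IXP000.TMP folder) is the cleanup entry that the Windows wextract/IExpress self-extractor writes so the extraction folder is deleted at next logon; together with the IXP000.TMP drop path it indicates the parent is a self-extracting package, and the "Adds Run key" hit is housekeeping rather than persistence. Second, the four WriteProcessMemory calls from PID 1960 into 2904 are what any parent does when creating a child, whereas PID 2904 spawning a second copy of 6.exe (18516), writing into it eight times and then calling SetThreadContext on it is the self-injection (hollowing-style) pattern that actually matters. The script below is an added example, not code from tria.ge or from the sample; it parses the report's own rows (copied in as constructed input) and applies both distinctions. Function and constant names are this example's own.

```python
"""Added triage helpers for the tria.ge signature rows above (not part of the
report): flag the same-image write + SetThreadContext pattern and recognise the
stock wextract cleanup RunOnce value."""
import re
from collections import defaultdict

# PID -> image name, taken from the report's Processes section.
IMAGE_BY_PID = {
    1960: "bc889dcdb34831817a9c3a6a23953da6_JaffaCakes118.exe",
    2904: "6.exe",
    18516: "6.exe",
}

# Rows copied from the WriteProcessMemory and SetThreadContext signature
# tables (constructed input: one row per line, duplicates kept as in the report).
REPORT_EVENTS = "\n".join(
    ["PID 1960 wrote to memory of 2904 1960 "
     "bc889dcdb34831817a9c3a6a23953da6_JaffaCakes118.exe 30"] * 4
    + ["PID 2904 wrote to memory of 18516 2904 6.exe 31"] * 8
    + ["PID 2904 set thread context of 18516 2904 6.exe 31"]
)

# Row shape: "PID <actor> <action> <target> <actor> <image> <procid_target>".
ROW_RE = re.compile(
    r"^PID (?P<actor>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<target>\d+) (?P=actor) (?P<image>\S+) (?P<target_idx>\d+)$"
)


def parse_events(text):
    """Turn the report rows into dicts: actor PID, action, target PID, image."""
    events = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m is None:
            raise ValueError(f"unrecognised row: {line!r}")
        action = "WriteProcessMemory" if m["action"].startswith("wrote") else "SetThreadContext"
        events.append({"actor": int(m["actor"]), "action": action,
                       "target": int(m["target"]), "image": m["image"]})
    return events


def hollowing_candidates(events, image_by_pid):
    """Return (actor, target, image, write_count) for every actor/target pair
    where the actor both wrote into the target and set a thread context in it,
    and both run the same image. Writes without SetThreadContext (a parent
    setting up the child it just created) are not reported."""
    writes = defaultdict(int)
    context_set = set()
    for ev in events:
        key = (ev["actor"], ev["target"])
        if ev["action"] == "WriteProcessMemory":
            writes[key] += 1
        else:
            context_set.add(key)
    found = []
    for (actor, target), count in sorted(writes.items()):
        same_image = image_by_pid.get(actor) == image_by_pid.get(target)
        if (actor, target) in context_set and same_image:
            found.append((actor, target, image_by_pid[actor], count))
    return found


# The RunOnce value from the "Adds Run key" signature, with the report's
# escaping removed.
RUNONCE_VALUE = (
    r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 '
    r'"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"'
)

# wextract writes exactly this shape: advpack DelNodeRunDLL32 on an IXPnnn.TMP folder.
WEXTRACT_CLEANUP_RE = re.compile(
    r'^rundll32\.exe [A-Za-z]:\\Windows\\system32\\advpack\.dll,DelNodeRunDLL32 '
    r'"[^"]*\\IXP\d{3}\.TMP\\"$',
    re.IGNORECASE,
)


def is_wextract_cleanup(value):
    """True when a RunOnce value is the wextract self-extractor cleanup: it runs
    once at next logon to delete the IXPnnn.TMP extraction folder. Anything
    else under Run/RunOnce is a real persistence candidate."""
    return WEXTRACT_CLEANUP_RE.match(value) is not None


if __name__ == "__main__":
    events = parse_events(REPORT_EVENTS)
    for actor, target, image, n in hollowing_candidates(events, IMAGE_BY_PID):
        print(f"self-injection candidate: {image} {actor} -> {target} "
              f"({n} writes + SetThreadContext)")
    print("RunOnce is wextract cleanup:", is_wextract_cleanup(RUNONCE_VALUE))
```

Run against the rows above it reports a single candidate, 6.exe 2904 -> 18516 with eight writes, and classifies the RunOnce value as the self-extractor cleanup; the 1960 -> 2904 writes are not flagged because no SetThreadContext accompanies them. The same-image check is deliberate: cross-image injection (for example into a system binary) is a different signature and would need its own rule.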
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 42KB
MD5: f2fcf86fa157406e5db4d7ecb29b442e
SHA1: d6567f140c99280f2a0abfad2625bac4b0f0fc84
SHA256: 2012e72b321d8b272617226ad5c9e5e2e20af8412e38d4cd51b67f68c591858a
SHA512: 58f54bb1bcbb289cc1961bd33774f017b52145640e489ee47bdda9a41c202e4f8252bbee28a16d0f99c92a18c97ad2631cc6bf045fbb512ac4e193f4006a3a56