Analysis
- max time kernel: 117s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 24/08/2024, 22:58
Static task: static1
Behavioral task: behavioral1
- Sample: bf99bd02663cf41ebca939228361a510_JaffaCakes118.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: bf99bd02663cf41ebca939228361a510_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: bf99bd02663cf41ebca939228361a510_JaffaCakes118.exe
- Size: 9KB
- MD5: bf99bd02663cf41ebca939228361a510
- SHA1: decd84f279d896ecb077ed364192c369d1fa70a5
- SHA256: 8d02a8dc22fb90f5ae20f9b2147ca14b5f06a5c6ee80a458c5ca066c7087712d
- SHA512: b8d39137aba1aeb24fc971f2cb21b072ebad38a02fb1dffc6d7709bb21c69d9cf7a7d692af65cb5a8082b93f929abeb075147c4e11fe0bf129355f69411a0e97
- SSDEEP: 192:sjfO4JtTSaX7T/bOvP2hOXEqMcmCoxN2OyzvoXcnUL5ad:sjxJ11nbKPzycmCoYToXcnUl0
Malware Config
Signatures
- Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\midimapjr = "{4F4F0064-71E0-4f0d-0012-708476C7815F}" (process: bf99bd02663cf41ebca939228361a510_JaffaCakes118.exe)
- Deletes itself (1 IoC)
  PID 2316, process: cmd.exe
- Loads dropped DLL (1 IoC)
  PID 2272, process: bf99bd02663cf41ebca939228361a510_JaffaCakes118.exe
- Drops file in System32 directory (3 IoCs)
  File opened for modification: C:\Windows\SysWOW64\midimapjr.tmp (process: bf99bd02663cf41ebca939228361a510_JaffaCakes118.exe)
  File opened for modification: C:\Windows\SysWOW64\midimapjr.dat (process: bf99bd02663cf41ebca939228361a510_JaffaCakes118.exe)
  File created: C:\Windows\SysWOW64\midimapjr.tmp (process: bf99bd02663cf41ebca939228361a510_JaffaCakes118.exe)
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: bf99bd02663cf41ebca939228361a510_JaffaCakes118.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cmd.exe)
- Modifies registry class (4 IoCs)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F4F0064-71E0-4f0d-0012-708476C7815F}\InProcServer32\ = "C:\\Windows\\SysWow64\\midimapjr.dll" (process: bf99bd02663cf41ebca939228361a510_JaffaCakes118.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F4F0064-71E0-4f0d-0012-708476C7815F}\InProcServer32\ThreadingModel = "Apartment" (process: bf99bd02663cf41ebca939228361a510_JaffaCakes118.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F4F0064-71E0-4f0d-0012-708476C7815F} (process: bf99bd02663cf41ebca939228361a510_JaffaCakes118.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F4F0064-71E0-4f0d-0012-708476C7815F}\InProcServer32 (process: bf99bd02663cf41ebca939228361a510_JaffaCakes118.exe)
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 2272, process: bf99bd02663cf41ebca939228361a510_JaffaCakes118.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 2272, process: bf99bd02663cf41ebca939228361a510_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 2272 wrote to memory of 2316 (process: bf99bd02663cf41ebca939228361a510_JaffaCakes118.exe, procid_target 31); the same event is recorded four times
Processes
1. C:\Users\Admin\AppData\Local\Temp\bf99bd02663cf41ebca939228361a510_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\bf99bd02663cf41ebca939228361a510_JaffaCakes118.exe"
   PID: 2272
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Loads dropped DLL
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\cmd.exe (child of process 1)
   Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\D182.tmp.bat
   PID: 2316
   - Deletes itself
   - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- File 1
  Filesize: 207B
  MD5: 283b7c9132034dbd8a668c231092e34f
  SHA1: 9c8250c422e1c9b14d6e9282d3efd60070f59642
  SHA256: c2fe98aa287ac29483d2c26a100f14885125ec08458ae1a80d1035e0ba1721e1
  SHA512: 90ddeb34976023fe5f653df6d72c10368819736fefc2f755db0882913fe1493791aae91ac7b612517aea969293eab9f8ff1f4b8bda9db5188bcac6d90b19cc53
- File 2
  Filesize: 1.0MB
  MD5: 672dfa6ddf88b45ce86233ff01d5bd7d
  SHA1: 4911d14955df8b1f9a27038522c73d3c802324ea
  SHA256: 0621a750bb1d157a3cc5a64c37503466624369080121268168531b7a3655dd2f
  SHA512: d19a448cde8ac6e426b0a9cc1712c30da1d21f28f6bb13078ed8812c93ebb446c1978c81073eac2d768c72de218f834f08ff9007b63eed2125f67bc2fdc4a8f0