Analysis
max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 24/08/2024, 08:39
Static task: static1
Behavioral task: behavioral1
  Sample: be3d0f7adf5087be97f3d1bc7e6f8354_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: be3d0f7adf5087be97f3d1bc7e6f8354_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: be3d0f7adf5087be97f3d1bc7e6f8354_JaffaCakes118.exe
Size: 4KB
MD5: be3d0f7adf5087be97f3d1bc7e6f8354
SHA1: 95be89e38bb8f2a116e3e65f91722d544b284bc3
SHA256: 397542e21e11a1520823603525e7fb90cf2f0bcae852f4918426171ca51e8ecc
SHA512: fd100983ce2a55a5b10685c900ba087e61c8cb9a2325f592f0d605a09d081f878bc0334b8de34ca25d2aa5d40b589964f3be070ae31c8dc280007f2d3f0d19e3
SSDEEP: 96:1eSxHcQ/cGt/ilQasMPqxyEHWtQTW8Y1QGrXHzxBHj:1eAcu3t/ilFsMcCQTzYeGr3lBHj
Malware Config
Signatures

Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Run Manager - Critical = "C:\\Windows\\syss32.exe" | be3d0f7adf5087be97f3d1bc7e6f8354_JaffaCakes118.exe

Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\syss32.exe | be3d0f7adf5087be97f3d1bc7e6f8354_JaffaCakes118.exe
File opened for modification | C:\Windows\syss32.exe | be3d0f7adf5087be97f3d1bc7e6f8354_JaffaCakes118.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | be3d0f7adf5087be97f3d1bc7e6f8354_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe

Runs net.exe

Suspicious use of WriteProcessMemory (20 IoCs)
description | pid | Process | procid_target
PID 2468 wrote to memory of 3044 | 2468 | be3d0f7adf5087be97f3d1bc7e6f8354_JaffaCakes118.exe | 31
PID 2468 wrote to memory of 3044 | 2468 | be3d0f7adf5087be97f3d1bc7e6f8354_JaffaCakes118.exe | 31
PID 2468 wrote to memory of 3044 | 2468 | be3d0f7adf5087be97f3d1bc7e6f8354_JaffaCakes118.exe | 31
PID 2468 wrote to memory of 3044 | 2468 | be3d0f7adf5087be97f3d1bc7e6f8354_JaffaCakes118.exe | 31
PID 3044 wrote to memory of 2120 | 3044 | cmd.exe | 33
PID 3044 wrote to memory of 2120 | 3044 | cmd.exe | 33
PID 3044 wrote to memory of 2120 | 3044 | cmd.exe | 33
PID 3044 wrote to memory of 2120 | 3044 | cmd.exe | 33
PID 2120 wrote to memory of 3056 | 2120 | net.exe | 34
PID 2120 wrote to memory of 3056 | 2120 | net.exe | 34
PID 2120 wrote to memory of 3056 | 2120 | net.exe | 34
PID 2120 wrote to memory of 3056 | 2120 | net.exe | 34
PID 3044 wrote to memory of 3036 | 3044 | cmd.exe | 35
PID 3044 wrote to memory of 3036 | 3044 | cmd.exe | 35
PID 3044 wrote to memory of 3036 | 3044 | cmd.exe | 35
PID 3044 wrote to memory of 3036 | 3044 | cmd.exe | 35
PID 3036 wrote to memory of 2656 | 3036 | net.exe | 36
PID 3036 wrote to memory of 2656 | 3036 | net.exe | 36
PID 3036 wrote to memory of 2656 | 3036 | net.exe | 36
PID 3036 wrote to memory of 2656 | 3036 | net.exe | 36
Processes
C:\Users\Admin\AppData\Local\Temp\be3d0f7adf5087be97f3d1bc7e6f8354_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\be3d0f7adf5087be97f3d1bc7e6f8354_JaffaCakes118.exe"
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2468
  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\a.bat" "
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 3044
    C:\Windows\SysWOW64\net.exe
      Command line: net stop "Security Center"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2120
      C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop "Security Center"
        - System Location Discovery: System Language Discovery
        PID: 3056
    C:\Windows\SysWOW64\net.exe
      Command line: net stop SharedAccess
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 3036
      C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop SharedAccess
        - System Location Discovery: System Language Discovery
        PID: 2656
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 85B
MD5: 54c5a3f8e67b4add94564995efafc47c
SHA1: 62a1a7fce465a87422822082e4e4d931edbf29e3
SHA256: ad84bd1bd5b9768f6c42e3850b51107caa92cdaf4bbc73faaca782557df99518
SHA512: 8997f99b07766d8a79b72100119310dcc0d3fee0b2fe96d6eebc4ddd1c6daf25281e1db51628a19e51d95cff858b4573720b959505213887dae8a3ccc12873c8