Analysis
max time kernel: 140s
max time network: 122s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64 arch:x86 image:win7-20240705-en locale:en-us os:windows7-x64 system
submitted: 25/08/2024, 10:33
Static task: static1
Behavioral task: behavioral1
  Sample: c08c4e432b1e91dd7d2eabd375d52249_JaffaCakes118.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: c08c4e432b1e91dd7d2eabd375d52249_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: c08c4e432b1e91dd7d2eabd375d52249_JaffaCakes118.exe
Size: 5.4MB
MD5: c08c4e432b1e91dd7d2eabd375d52249
SHA1: 8b3590da0ec16f4c21de4e36c847ade1aa9461f3
SHA256: 1969f0a523637fbeba837e4c831172815325f7eb1b7998b4bc20a63ce625166d
SHA512: b3eab01de414ce3e522f4bc255cf7b29aa1a992353fbae97c331419c4968d0b1fe414d9b4fecf482d91c687cdcb99ad63bb086b0770f3b5e69aedbc82e638da9
SSDEEP: 24576:LXkpCNzgduJNQmn2ugeZAQbFT4B96NlpRruKc4wqXjFM5Uc1p8k2:LXJqcQRUAQkmuzjTI
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
  pid 2508  netview.exe
  pid 2936  360Safe.exe
Loads dropped DLL (4 IoCs)
  pid 3056  c08c4e432b1e91dd7d2eabd375d52249_JaffaCakes118.exe
  pid 2508  netview.exe (3 events)
yara_rule: upx (7 resources)
  behavioral1/files/0x0008000000016ed2-7.dat
  behavioral1/memory/2508-9-0x0000000010000000-0x000000001000A000-memory.dmp
  behavioral1/files/0x0009000000012281-16.dat
  behavioral1/memory/2508-15-0x0000000003310000-0x000000000346F000-memory.dmp
  behavioral1/memory/2936-17-0x0000000000400000-0x000000000055E400-memory.dmp
  behavioral1/memory/2508-14-0x0000000010000000-0x000000001000A000-memory.dmp
  behavioral1/memory/2936-20-0x0000000000400000-0x000000000055E400-memory.dmp
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShellRun = "C:\\Users\\Admin\\Documents\\netview.exe"  (process: netview.exe)
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: c08c4e432b1e91dd7d2eabd375d52249_JaffaCakes118.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: netview.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: 360Safe.exe)
Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid 2508  netview.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege  pid 2508  netview.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 3056  c08c4e432b1e91dd7d2eabd375d52249_JaffaCakes118.exe (2 events)
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 3056 (c08c4e432b1e91dd7d2eabd375d52249_JaffaCakes118.exe) wrote to memory of PID 2508 (netview.exe), procid_target 31, 4 events
  PID 2508 (netview.exe) wrote to memory of PID 2936 (360Safe.exe), procid_target 32, 4 events
Processes
1. C:\Users\Admin\AppData\Local\Temp\c08c4e432b1e91dd7d2eabd375d52249_JaffaCakes118.exe  (PID 3056)
   command line: "C:\Users\Admin\AppData\Local\Temp\c08c4e432b1e91dd7d2eabd375d52249_JaffaCakes118.exe"
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
  2. C:\Users\Admin\Documents\netview.exe  (PID 2508, child of 3056)
     command line: C:\Users\Admin\Documents\\netview.exe
     - Executes dropped EXE
     - Loads dropped DLL
     - Adds Run key to start application
     - System Location Discovery: System Language Discovery
     - Suspicious behavior: EnumeratesProcesses
     - Suspicious use of AdjustPrivilegeToken
     - Suspicious use of WriteProcessMemory
    3. C:\Users\Admin\Documents\360Safe.exe  (PID 2936, child of 2508)
       command line: C:\Users\Admin\Documents\360Safe.exe
       - Executes dropped EXE
       - System Location Discovery: System Language Discovery
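The signatures and process tree above give a compact set of host indicators: a parent in %TEMP% writing into and spawning netview.exe from the user's Documents folder, netview.exe in turn spawning 360Safe.exe, a Run\ShellRun value pointing at the Documents copy, and the SHA256 values of the sample and the three downloadable files. The following script is an added example (not part of the Triage report or its tooling) that turns those indicators into detection logic and runs it over constructed Sysmon-style JSON events (EventID 1 ProcessCreate, EventID 13 RegistryEvent value set). The events are made up for the example; the report does not say which of the three downloadable hashes belongs to which dropped file, so the constructed ProcessCreate event simply reuses one of them to exercise the hash rule, and the parent/child heuristic is this example's own generalisation of the observed chain rather than something the report asserts.

```python
"""Hunt for the indicators in the Triage report above over Sysmon-style JSON events.

Added example: the rules and the sample telemetry are constructed here; the hashes,
paths and registry value come from the report, the Sysmon field names (Image,
ParentImage, Hashes, TargetObject, Details) are the real Sysmon ones.
"""
import json
import re
from typing import List, Optional, Tuple

# Indicators lifted from the report.
SAMPLE_SHA256 = "1969f0a523637fbeba837e4c831172815325f7eb1b7998b4bc20a63ce625166d"
DROPPED_SHA256 = {
    "c9f9483bc864e318767c932393dd7bc42c342d3c76694bd0424f6ff7f0e2904f",
    "302f6a2917be8582898b8644e86315cb8e97211b846e589bfa00f3ac11e182dc",
    "1a13f9ce9ed3717fef71392ecc5e4f1de9100985f77dea247548651e543f236e",
}
DROPPED_NAMES = {"netview.exe", "360safe.exe"}

# Persistence observed: HKCU\...\Run\ShellRun -> an EXE under the user's Documents folder.
RUN_SHELLRUN_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ShellRun$", re.IGNORECASE)
DOCUMENTS_EXE_RE = re.compile(
    r"^[A-Z]:\\Users\\[^\\]+\\Documents\\[^\\]+\.exe$", re.IGNORECASE)
TEMP_EXE_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.IGNORECASE)


def sha256_from_hashes_field(hashes: str) -> Optional[str]:
    """Extract the SHA256 from a Sysmon 'Hashes' field such as 'SHA256=...,MD5=...'."""
    for part in hashes.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def check_event(ev: dict) -> List[str]:
    """Return the names of every rule the event trips (empty list when clean)."""
    hits = []
    eid = ev.get("EventID")
    if eid == 1:  # Sysmon ProcessCreate
        image = ev.get("Image", "")
        name = image.rsplit("\\", 1)[-1].lower()
        digest = sha256_from_hashes_field(ev.get("Hashes", ""))
        if digest == SAMPLE_SHA256 or digest in DROPPED_SHA256:
            hits.append("known_hash")
        if name in DROPPED_NAMES and DOCUMENTS_EXE_RE.match(image):
            hits.append("dropped_name_in_documents")
        # Heuristic generalised from the observed chain: %TEMP% parent spawning a Documents child.
        if TEMP_EXE_RE.search(ev.get("ParentImage", "")) and DOCUMENTS_EXE_RE.match(image):
            hits.append("temp_parent_spawns_documents_child")
    elif eid == 13:  # Sysmon RegistryEvent (value set)
        details = ev.get("Details", "").strip('"')
        if RUN_SHELLRUN_RE.search(ev.get("TargetObject", "")) and DOCUMENTS_EXE_RE.match(details):
            hits.append("run_key_shellrun_documents")
    return hits


def hunt(lines) -> List[Tuple[str, List[str]]]:
    """Run check_event over JSON lines; return (image or registry path, hits) per matching event."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        hits = check_event(ev)
        if hits:
            findings.append((ev.get("Image") or ev.get("TargetObject"), hits))
    return findings


# Constructed telemetry (not from the report): two malicious events and one benign one.
SAMPLE_EVENTS = [
    json.dumps({"EventID": 1,
                "Image": r"C:\Users\Admin\Documents\netview.exe",
                "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\c08c4e432b1e91dd7d2eabd375d52249_JaffaCakes118.exe",
                "Hashes": "SHA256=c9f9483bc864e318767c932393dd7bc42c342d3c76694bd0424f6ff7f0e2904f"}),
    json.dumps({"EventID": 13,
                "TargetObject": r"HKU\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShellRun",
                "Details": r"C:\Users\Admin\Documents\netview.exe"}),
    json.dumps({"EventID": 1,
                "Image": r"C:\Windows\System32\notepad.exe",
                "ParentImage": r"C:\Windows\explorer.exe",
                "Hashes": "SHA256=" + "0" * 64}),
]

if __name__ == "__main__":
    for target, hits in hunt(SAMPLE_EVENTS):
        print(f"{target}: {', '.join(hits)}")
```

The hash rule is the brittle one: a repacked build changes every digest in the report, while the path, value name and parent/child shape survive. Run the path and registry rules as the primary detections and treat hash matches as confirmation.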
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 5.3MB
MD5: 4d02e7c44a780042444eb61e2b4ebd17
SHA1: 3bcdac35f082f1f37a78db85a73c4b51fc7ae450
SHA256: c9f9483bc864e318767c932393dd7bc42c342d3c76694bd0424f6ff7f0e2904f
SHA512: 0a0bec282654d30a5742d60f2de823a1109163cb90ba8c9cf36b7c60bfdea6a0a6d4668372ed7e7e07d8731ae10c32c20d53dc3a81c8101b7a300cdcf9d51dd3

Filesize: 4.8MB
MD5: e3ce6845d6b42f44e0e0d11853deb67e
SHA1: 7d500b8086ba6acef116d079be28c7dc41551628
SHA256: 302f6a2917be8582898b8644e86315cb8e97211b846e589bfa00f3ac11e182dc
SHA512: 86cb01c74181f3a37d9231031dda7ed0a7701b43a11e0e107b7aecafe2e1fee26655de089af9b8b554ff82a812063cc94ebd32acb3b1a1fa894c2041d01e0369

Filesize: 361KB
MD5: acf082455a5294a6138f7ed97fdddcc9
SHA1: 5a8af8350238af48f54a868d9d397b902218c982
SHA256: 1a13f9ce9ed3717fef71392ecc5e4f1de9100985f77dea247548651e543f236e
SHA512: 0059ba46eb11981a5cda5b71cfdf7d6bc3e22df1d0aba8d32bc11c118c61302fe3951df6ec700d353a507202b013da368eb88abdf066b2bd39f2be6af98d4106