Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 25/08/2024, 18:04
Static task: static1

Behavioral task: behavioral1
- Sample: c1473cc42376ef4f3416688bb7b53874_JaffaCakes118.exe
- Resource: win7-20240708-en

Behavioral task: behavioral2
- Sample: c1473cc42376ef4f3416688bb7b53874_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: c1473cc42376ef4f3416688bb7b53874_JaffaCakes118.exe
- Size: 126KB
- MD5: c1473cc42376ef4f3416688bb7b53874
- SHA1: d669a9555f576011a15068f61bf884810c572de9
- SHA256: cca90e1ff60bebc6f99d2d3aaa8f29851a6f0180a384f3423f260e0201f4c626
- SHA512: 5cf3b7968369d4999020ce1d7e8e0d2a77d187438e971383f74f9cb29ef319a0ccaf41d1459e3e65de94bc5667d099d859e68c9d6a54c5eac2ac060f291025f0
- SSDEEP: 3072:WMgV7+zo+r0UeGTUnvSD+DGF9O2Zu34/IU82J+bxFM4:rh4UeGTSvAs20ejBJ2jM4
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid  | Process
  2480 | princ.exe
  2952 | princ.exe

- Adds Run key to start application (2 TTPs, 2 IoCs)
  description     | ioc                                                                                                                  | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Security Monitor Process = "princ.exe"         | princ.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\Microsoft Security Monitor Process = "princ.exe" | princ.exe

- Suspicious use of SetThreadContext (2 IoCs)
  description                         | pid  | Process                                          | procid_target
  PID 2504 set thread context of 2104 | 2504 | c1473cc42376ef4f3416688bb7b53874_JaffaCakes118.exe | 30
  PID 2480 set thread context of 2952 | 2480 | princ.exe                                        | 32

- Drops file in Windows directory (2 IoCs)
  description                   | ioc                  | Process
  File created                  | C:\Windows\princ.exe | c1473cc42376ef4f3416688bb7b53874_JaffaCakes118.exe
  File opened for modification  | C:\Windows\princ.exe | c1473cc42376ef4f3416688bb7b53874_JaffaCakes118.exe
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc                                                        | Process
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c1473cc42376ef4f3416688bb7b53874_JaffaCakes118.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c1473cc42376ef4f3416688bb7b53874_JaffaCakes118.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | princ.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | princ.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  description                        | pid  | Process                                          | procid_target
  PID 2504 wrote to memory of 2104   | 2504 | c1473cc42376ef4f3416688bb7b53874_JaffaCakes118.exe | 30
  PID 2504 wrote to memory of 2104   | 2504 | c1473cc42376ef4f3416688bb7b53874_JaffaCakes118.exe | 30
  PID 2504 wrote to memory of 2104   | 2504 | c1473cc42376ef4f3416688bb7b53874_JaffaCakes118.exe | 30
  PID 2504 wrote to memory of 2104   | 2504 | c1473cc42376ef4f3416688bb7b53874_JaffaCakes118.exe | 30
  PID 2504 wrote to memory of 2104   | 2504 | c1473cc42376ef4f3416688bb7b53874_JaffaCakes118.exe | 30
  PID 2504 wrote to memory of 2104   | 2504 | c1473cc42376ef4f3416688bb7b53874_JaffaCakes118.exe | 30
  PID 2104 wrote to memory of 2480   | 2104 | c1473cc42376ef4f3416688bb7b53874_JaffaCakes118.exe | 31
  PID 2104 wrote to memory of 2480   | 2104 | c1473cc42376ef4f3416688bb7b53874_JaffaCakes118.exe | 31
  PID 2104 wrote to memory of 2480   | 2104 | c1473cc42376ef4f3416688bb7b53874_JaffaCakes118.exe | 31
  PID 2104 wrote to memory of 2480   | 2104 | c1473cc42376ef4f3416688bb7b53874_JaffaCakes118.exe | 31
  PID 2480 wrote to memory of 2952   | 2480 | princ.exe                                        | 32
  PID 2480 wrote to memory of 2952   | 2480 | princ.exe                                        | 32
  PID 2480 wrote to memory of 2952   | 2480 | princ.exe                                        | 32
  PID 2480 wrote to memory of 2952   | 2480 | princ.exe                                        | 32
  PID 2480 wrote to memory of 2952   | 2480 | princ.exe                                        | 32
  PID 2480 wrote to memory of 2952   | 2480 | princ.exe                                        | 32
Processes
- C:\Users\Admin\AppData\Local\Temp\c1473cc42376ef4f3416688bb7b53874_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c1473cc42376ef4f3416688bb7b53874_JaffaCakes118.exe"
  PID: 2504
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\c1473cc42376ef4f3416688bb7b53874_JaffaCakes118.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\c1473cc42376ef4f3416688bb7b53874_JaffaCakes118.exe
    PID: 2104
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    - C:\Windows\princ.exe
      Command line: C:\Windows\princ.exe 464 "C:\Users\Admin\AppData\Local\Temp\c1473cc42376ef4f3416688bb7b53874_JaffaCakes118.exe"
      PID: 2480
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      - C:\Windows\princ.exe
        Command line: C:\Windows\princ.exe
        PID: 2952
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 126KB
  MD5: c1473cc42376ef4f3416688bb7b53874
  SHA1: d669a9555f576011a15068f61bf884810c572de9
  SHA256: cca90e1ff60bebc6f99d2d3aaa8f29851a6f0180a384f3423f260e0201f4c626
  SHA512: 5cf3b7968369d4999020ce1d7e8e0d2a77d187438e971383f74f9cb29ef319a0ccaf41d1459e3e65de94bc5667d099d859e68c9d6a54c5eac2ac060f291025f0