Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 118s
max time network: 120s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 26/08/2024, 07:47
Static task: static1
Behavioral task: behavioral1
  Sample: c290972218030f7f540eba7bd91cdbb9_JaffaCakes118.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: c290972218030f7f540eba7bd91cdbb9_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: c290972218030f7f540eba7bd91cdbb9_JaffaCakes118.exe
Size: 4.0MB
MD5: c290972218030f7f540eba7bd91cdbb9
SHA1: ae8337650eeeee02350533d65d2e145045f15193
SHA256: 156cb3c66fe19179f109c0e43ce0c69f046e85d5bb01b13ce9800598591b1edf
SHA512: 5e9cf0373fce8ebd3df52c0647291155b064a4376dffc07bdc9e57f888f4c5b6474e654cf954d57cfa14b96df468330ef1ea397ac2a8b7583068222b58a8b060
SSDEEP: 98304:kkj5M5oYaD5xIpG/+w/dFzljFAreh5LcQAVXvNNrozeEOvyq:k++5oKpG/jdNljC2LQXlNthqq
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid 1976  Actualizar.exe
Loads dropped DLL (5 IoCs)
  pid 1488  c290972218030f7f540eba7bd91cdbb9_JaffaCakes118.exe  (5 identical rows, one per DLL load)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  c290972218030f7f540eba7bd91cdbb9_JaffaCakes118.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Actualizar.exe
Suspicious use of SetWindowsHookEx (1 IoC)
  pid 1976  Actualizar.exe
Suspicious use of WriteProcessMemory (7 IoCs)
  description: PID 1488 wrote to memory of 1976  pid: 1488  Process: c290972218030f7f540eba7bd91cdbb9_JaffaCakes118.exe  procid_target: 31  (7 identical rows)
Processes
C:\Users\Admin\AppData\Local\Temp\c290972218030f7f540eba7bd91cdbb9_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\c290972218030f7f540eba7bd91cdbb9_JaffaCakes118.exe"
  PID: 1488
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  └ C:\Users\Admin\AppData\Local\Temp\RarSFX0\Actualizar.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Actualizar.exe"
      PID: 1976 (child of PID 1488)
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
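The process tree and signatures above describe a common chain: a self-extracting archive (the RarSFX0 directory under %TEMP% is where WinRAR SFX stubs unpack) drops Actualizar.exe, runs it, and both processes read HKLM\SYSTEM\ControlSet001\Control\NLS\Language (ATT&CK T1614.001). The following is an added detection example, not Triage's own code or anything shipped with the sample: it runs the two checks over constructed process-create and registry-open events modelled on this report. The pids, image paths and registry key are taken from the report; the parent pid 1000, the benign notepad.exe control rows and the event field names are assumptions.

```python
"""Flag the 'SFX stub in %TEMP% drops an EXE into RarSFX<n>\\ and runs it' chain and
the follow-on NLS\\Language registry read, over constructed sandbox-style events."""
import re
from typing import Dict, List, Set, Tuple

# WinRAR self-extractors unpack into %TEMP%\RarSFX<n>\ before launching the payload.
SFX_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\RarSFX\d+\\", re.IGNORECASE)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# HKLM\SYSTEM\ControlSet001\Control\NLS\Language: read to infer the victim's locale.
NLS_LANGUAGE_RE = re.compile(r"\\Control\\NLS\\Language$", re.IGNORECASE)

Event = Dict[str, object]

# Constructed events modelled on the report (pids, paths and key are the report's;
# the parent pid 1000 and the benign notepad.exe rows are assumptions).
EVENTS: List[Event] = [
    {"type": "process_create", "pid": 1488, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\c290972218030f7f540eba7bd91cdbb9_JaffaCakes118.exe"},
    {"type": "process_create", "pid": 1976, "ppid": 1488,
     "image": r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Actualizar.exe"},
    {"type": "registry_open", "pid": 1488,
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
    {"type": "registry_open", "pid": 1976,
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
    # Benign control: a System32 binary reading the same key must not be reported.
    {"type": "process_create", "pid": 2200, "ppid": 800,
     "image": r"C:\Windows\System32\notepad.exe"},
    {"type": "registry_open", "pid": 2200,
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
]


def is_sfx_temp_path(path: str) -> bool:
    """True if the image lives in a RarSFX scratch directory under %TEMP%."""
    return SFX_TEMP_RE.search(path) is not None


def find_sfx_drop_and_execute(events: List[Event]) -> List[Tuple[int, int, str]]:
    """Return (parent_pid, child_pid, child_image) for each process started from a
    RarSFX directory by a parent that itself runs out of %TEMP% (the SFX stub)."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    chains: List[Tuple[int, int, str]] = []
    for e in events:
        if e["type"] != "process_create" or not is_sfx_temp_path(str(e["image"])):
            continue
        parent = procs.get(e["ppid"])
        if parent is not None and TEMP_RE.search(str(parent["image"])):
            chains.append((int(parent["pid"]), int(e["pid"]), str(e["image"])))
    return chains


def find_language_discovery(events: List[Event], suspect_pids: Set[int]) -> List[int]:
    """Pids from suspect_pids that opened the NLS\\Language key (T1614.001)."""
    return sorted({int(e["pid"]) for e in events
                   if e["type"] == "registry_open"
                   and e["pid"] in suspect_pids
                   and NLS_LANGUAGE_RE.search(str(e["key"]))})


def triage(events: List[Event]) -> Dict[str, object]:
    """Combine both checks: the language read is only reported for processes that are
    part of an SFX drop-and-execute chain, which keeps ordinary locale lookups quiet."""
    chains = find_sfx_drop_and_execute(events)
    suspects = {pid for parent, child, _ in chains for pid in (parent, child)}
    return {
        "sfx_chains": chains,
        "language_discovery_pids": find_language_discovery(events, suspects),
    }


if __name__ == "__main__":
    for key, value in triage(EVENTS).items():
        print(f"{key}: {value}")
```

Reading NLS\Language on its own is noisy (many legitimate binaries do it), so the example only raises it for processes already tied to the RarSFX chain; to run it over real telemetry, map Sysmon event 1 (process create) and event 12/13 (registry) fields onto the same dict keys.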
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 644KB
MD5: cdc260f652805885f102aadead923a67
SHA1: b80f6f7558f38e99f019451b8e8fe524d7978181
SHA256: 79bf74a2292c056ac40e8d842a6f120567d0b9d9ca093eb96653f2f13c764e56
SHA512: 5eff89e17d761a8555bd4bd69d6f834bbcb27be130278e6ebd60065e23cd629e960214268b683cfa58dba5276ba83541f3f410dc738d96d053cb828894e55141