Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 140s
max time network: 119s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 28/08/2024, 23:17
Static task: static1
Behavioral task: behavioral1
  Sample: c7d3fae26ae7c53f78f285b1b2695e60_JaffaCakes118.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: c7d3fae26ae7c53f78f285b1b2695e60_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: c7d3fae26ae7c53f78f285b1b2695e60_JaffaCakes118.exe
Size: 7.5MB
MD5: c7d3fae26ae7c53f78f285b1b2695e60
SHA1: a25a044cfe217629690f39d192a97fec94ae347a
SHA256: c359491dff64ae8fa7a05345834b1f168021de68c7ab582066281f37424fda63
SHA512: 80ff7ee43da2d9809ca34916039283cc4cca711c646f26ba5ef3b263b18b2d6e25df2148a254c4580277936e3cb86db6b874878edf1cb5b72c5b97867028ca85
SSDEEP: 768:LyNovA586VA/H/pAcbVugAFBbadjHO+yav9Hps61Ja:L7t5ZbVug2Fada+y0BpbDa
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  pid   Process
  2660  ICWCONN1.EXE

Loads dropped DLL (5 IoCs)
  pid   Process
  2976  c7d3fae26ae7c53f78f285b1b2695e60_JaffaCakes118.exe
  2976  c7d3fae26ae7c53f78f285b1b2695e60_JaffaCakes118.exe
  2764  WerFault.exe
  2764  WerFault.exe
  2764  WerFault.exe

Drops file in Program Files directory (2 IoCs)
  description                   ioc                                            Process
  File created                  C:\PROGRAM FILES\ONLINE SERVICES\ICWCONN1.EXE  c7d3fae26ae7c53f78f285b1b2695e60_JaffaCakes118.exe
  File opened for modification  C:\PROGRAM FILES\ONLINE SERVICES\ICWCONN1.EXE  c7d3fae26ae7c53f78f285b1b2695e60_JaffaCakes118.exe

Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  2764  2660        WerFault.exe  30

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  c7d3fae26ae7c53f78f285b1b2695e60_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ICWCONN1.EXE

Suspicious use of WriteProcessMemory (8 IoCs)
  description                       pid   Process                                             procid_target
  PID 2976 wrote to memory of 2660  2976  c7d3fae26ae7c53f78f285b1b2695e60_JaffaCakes118.exe  30
  PID 2976 wrote to memory of 2660  2976  c7d3fae26ae7c53f78f285b1b2695e60_JaffaCakes118.exe  30
  PID 2976 wrote to memory of 2660  2976  c7d3fae26ae7c53f78f285b1b2695e60_JaffaCakes118.exe  30
  PID 2976 wrote to memory of 2660  2976  c7d3fae26ae7c53f78f285b1b2695e60_JaffaCakes118.exe  30
  PID 2660 wrote to memory of 2764  2660  ICWCONN1.EXE                                        31
  PID 2660 wrote to memory of 2764  2660  ICWCONN1.EXE                                        31
  PID 2660 wrote to memory of 2764  2660  ICWCONN1.EXE                                        31
  PID 2660 wrote to memory of 2764  2660  ICWCONN1.EXE                                        31
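The two signature tables above (the NLS\Language registry reads and the WriteProcessMemory rows) are the raw material an analyst turns into a process tree and a list of which processes performed System Language Discovery. The script below is an added example by the editor, not Triage's code or part of the report: it parses rows in the same shape as the tables, de-duplicates the repeated write events, rebuilds the parent/child relationship, and maps the LANGID string that Windows stores under NLS\Language (values such as "0409") to a locale tag. The sample rows are constructed from the report's values; the LANGID table is a small subset of Microsoft's standard language identifiers.

```python
"""Turn flattened sandbox IoC rows into a process tree and
System Language Discovery findings (added example, not Triage code)."""
import re
from collections import defaultdict

# Constructed rows in the shape of the report's WriteProcessMemory table:
# "<description> <pid> <Process> <procid_target>", one event per line.
# The report repeats each event several times; the parser de-duplicates.
WRITE_ROWS = """\
PID 2976 wrote to memory of 2660 2976 c7d3fae26ae7c53f78f285b1b2695e60_JaffaCakes118.exe 30
PID 2976 wrote to memory of 2660 2976 c7d3fae26ae7c53f78f285b1b2695e60_JaffaCakes118.exe 30
PID 2660 wrote to memory of 2764 2660 ICWCONN1.EXE 31
PID 2660 wrote to memory of 2764 2660 ICWCONN1.EXE 31
"""

# Constructed rows in the shape of the registry IoC table:
# "Key opened <key path> <Process>". The third row is an unrelated key.
REG_ROWS = r"""Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c7d3fae26ae7c53f78f285b1b2695e60_JaffaCakes118.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ICWCONN1.EXE
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ICWCONN1.EXE
"""

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)")
REG_RE = re.compile(r"Key opened (\S+) (\S+)")
# Case-insensitive suffix of the key the signature fires on.
NLS_LANGUAGE_SUFFIX = r"\control\nls\language"

# Subset of the standard Windows LANGID table (hex string -> locale tag).
LANGID_TO_LOCALE = {
    "0409": "en-US", "0407": "de-DE", "0411": "ja-JP",
    "0419": "ru-RU", "0422": "uk-UA", "0804": "zh-CN",
}


def parse_write_events(text):
    """Return unique (parent_pid, child_pid, parent_image, child_procid) tuples, in order."""
    events = []
    for line in text.splitlines():
        m = WRITE_RE.match(line.strip())
        if not m:
            continue
        rec = (int(m.group(1)), int(m.group(2)), m.group(3), int(m.group(4)))
        if rec not in events:
            events.append(rec)
    return events


def build_process_tree(events):
    """Map each parent pid to the list of child pids it wrote into."""
    children = defaultdict(list)
    for parent, child, _image, _procid in events:
        if child not in children[parent]:
            children[parent].append(child)
    return dict(children)


def root_pids(events):
    """Pids that write to others but are never written into (tree roots)."""
    parents = {e[0] for e in events}
    children = {e[1] for e in events}
    return sorted(parents - children)


def nls_language_readers(text):
    """Processes that opened the NLS\\Language key, i.e. performed System Language Discovery."""
    readers = []
    for line in text.splitlines():
        m = REG_RE.match(line.strip())
        if m and m.group(1).lower().endswith(NLS_LANGUAGE_SUFFIX):
            if m.group(2) not in readers:
                readers.append(m.group(2))
    return readers


def locale_for_langid(langid):
    """Map the REG_SZ LANGID stored under NLS\\Language (e.g. '0409') to a locale tag."""
    return LANGID_TO_LOCALE.get(langid.strip().upper().zfill(4), "unknown")


if __name__ == "__main__":
    ev = parse_write_events(WRITE_ROWS)
    print("roots:", root_pids(ev))
    print("tree:", build_process_tree(ev))
    print("NLS\\Language readers:", nls_language_readers(REG_ROWS))
    print("0419 ->", locale_for_langid("0419"))
```

On the report's data this yields a single root (2976, the submitted sample) spawning 2660 (the dropped ICWCONN1.EXE), which in turn spawns 2764 (WerFault.exe, consistent with the Program crash row where WerFault's pid_target is 2660). Both the sample and the dropped executable appear as NLS\Language readers, which is what the two IoCs in the System Language Discovery table record.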
Processes
1. C:\Users\Admin\AppData\Local\Temp\c7d3fae26ae7c53f78f285b1b2695e60_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c7d3fae26ae7c53f78f285b1b2695e60_JaffaCakes118.exe"
   PID: 2976
   Signatures: Loads dropped DLL; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
   2. C:\PROGRAM FILES\ONLINE SERVICES\ICWCONN1.EXE
      Command line: "C:\PROGRAM FILES\ONLINE SERVICES\ICWCONN1.EXE" C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\C7D3FAE26AE7C53F78F285B1B2695E60_JAFFACAKES118.EXE
      PID: 2660
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 144
         PID: 2764
         Signatures: Loads dropped DLL; Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 16.9MB
MD5: 7caf9511f9cd524189698daa253bf861
SHA1: 53979c165a379aba2448df58b4d1830ed592b4f5
SHA256: 86c5459cddcd0ef9318c408af9c81bef3a4995c993a48618dfddc1e208b63fed
SHA512: a1c7437b6fa53046c293770b133e6e1e7d48b125cd33012ea2970cf740a8649194fe96bb83a74b9664c292d207f0b8a04769491d830d521d91e4c632af140f17