Analysis
- max time kernel: 120s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 29/08/2024, 00:24
Static task: static1
Behavioral task: behavioral1
- Sample: c7eaa037368662cd6a645a6e0c0f7fec_JaffaCakes118.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: c7eaa037368662cd6a645a6e0c0f7fec_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: c7eaa037368662cd6a645a6e0c0f7fec_JaffaCakes118.exe
- Size: 872KB
- MD5: c7eaa037368662cd6a645a6e0c0f7fec
- SHA1: 3b47345ec9806a48786a9d8771b4b0a1a597107b
- SHA256: 300193a94005925547c3d7b0b4e0460db6ec119082e2d4fc05558894f4ec837d
- SHA512: a434bdebb4b7b50170e906c547bb887a112b4794ed5e686445d3ef9e3e326a67109b3ea062ac38340082113b2914b7e4c20dee93bda026fec51625f52dd1fc36
- SSDEEP: 24576:u8ETUGNW7WJmt6VuHUD2nIVijiFM/k/6l+xs1URuNQ5CLuByHehATUrohab6RK9H:cTUGNW7WJmt6VuHUD2nIVijiFM/k/6le
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 2328, process Ins4EDB.tmpinstall.exe
- Loads dropped DLL (4 IoCs)
  pid 2676, process c7eaa037368662cd6a645a6e0c0f7fec_JaffaCakes118.exe (4 identical entries)
- Use of msiexec (install) with remote resource (1 IoC)
  pid 1768, process MSIEXEC.EXE
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process c7eaa037368662cd6a645a6e0c0f7fec_JaffaCakes118.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process Ins4EDB.tmpinstall.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process MSIEXEC.EXE
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeShutdownPrivilege, pid 1768, process MSIEXEC.EXE
  Token: SeIncreaseQuotaPrivilege, pid 1768, process MSIEXEC.EXE
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid 1768, process MSIEXEC.EXE (2 identical entries)
- Suspicious use of WriteProcessMemory (14 IoCs)
  PID 2676 (c7eaa037368662cd6a645a6e0c0f7fec_JaffaCakes118.exe) wrote to memory of PID 2328, procid_target 29 (7 identical entries)
  PID 2328 (Ins4EDB.tmpinstall.exe) wrote to memory of PID 1768, procid_target 30 (7 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\c7eaa037368662cd6a645a6e0c0f7fec_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c7eaa037368662cd6a645a6e0c0f7fec_JaffaCakes118.exe"
   PID: 2676
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\Ins4EDB.tmpinstall.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Ins4EDB.tmpinstall.exe"
      PID: 2328
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\MSIEXEC.EXE
         Command line: MSIEXEC.EXE /i "http://dlf.pafke.eu/client/pkgs/springbok2/Springbok Casino20191018030325.msi" DDC_DID=3372131 DDC_RTGURL=http://www.cdnfile.eu/dl/TrackSetup/TrackSetup.aspx?DID=3372131%26CASINONAME=springbok2 DDC_UPDATESTATUSURL=http://190.4.88.169:8080/springbok/Lobby.WebServices/Installer.asmx DDC_SIGNUPURL=http://190.4.88.169:8080/springbok/Lobby.WebSite/SignUpUnsecure.aspx CUSTOMNAME02=referrer CUSTOMVALUE02=Direct%20Traffic SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="Ins4EDB.tmpinstall.exe"
         PID: 1768
         - Use of msiexec (install) with remote resource
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15
Downloads