Analysis
- max time kernel: 14s
- max time network: 19s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 29/08/2024, 05:21
Static task: static1
Behavioral task: behavioral1
  Sample: c848d232b608b58efebcf58d043e747b_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: c848d232b608b58efebcf58d043e747b_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
- Target: c848d232b608b58efebcf58d043e747b_JaffaCakes118.exe
- Size: 24KB
- MD5: c848d232b608b58efebcf58d043e747b
- SHA1: 26e36b4ff354eaac8b2f52aaf9521fb85bfd36b9
- SHA256: 862b0eb5a300bbbafb177d3ec6290420652ce40e436d69eace1fdb24d3eee8c9
- SHA512: 4b709c05a03236b584e342754517dddd9a00134d2dbcd94ba1d95a81dc3be3cf9ae68b3a724110b9da0d696363bfae39e531a240fb5ab5826b712e62d4ae04f4
- SSDEEP: 384:E3eVES+/xwGkRKJ031lM61qmTTMVF9/q530:bGS+ZfbJ0FO8qYoAk
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Start GeekBuddy = "C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\spoolsv.exe"
  Process: c848d232b608b58efebcf58d043e747b_JaffaCakes118.exe
- Enumerates processes with tasklist (1 TTP, 1 IoC)
  pid 2220, Process: tasklist.exe
- Drops file in Program Files directory (1 IoC)
  description: File created
  ioc: C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033\spoolsv.exe
  Process: c848d232b608b58efebcf58d043e747b_JaffaCakes118.exe
- System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Processes (one IoC each): tasklist.exe, net.exe, net1.exe, NETSTAT.EXE, c848d232b608b58efebcf58d043e747b_JaffaCakes118.exe, cmd.exe, cmd.exe, ipconfig.exe
- Gathers network information (2 TTPs, 2 IoCs)
  Uses commandline utility to view network configuration.
  pid 2556, Process: ipconfig.exe
  pid 2880, Process: NETSTAT.EXE
- Runs net.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description: Token: SeDebugPrivilege, pid 2220, Process: tasklist.exe
  description: Token: SeDebugPrivilege, pid 2880, Process: NETSTAT.EXE
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 1052, Process: c848d232b608b58efebcf58d043e747b_JaffaCakes118.exe (2 entries)
- Suspicious use of WriteProcessMemory (28 IoCs; the report lists each of the 7 distinct entries 4 times)
  PID 1052 (c848d232b608b58efebcf58d043e747b_JaffaCakes118.exe) wrote to memory of 2968, procid_target 29 (x4)
  PID 2968 (cmd.exe) wrote to memory of 2196, procid_target 31 (x4)
  PID 2968 (cmd.exe) wrote to memory of 2556, procid_target 32 (x4)
  PID 2968 (cmd.exe) wrote to memory of 2220, procid_target 33 (x4)
  PID 2968 (cmd.exe) wrote to memory of 2780, procid_target 35 (x4)
  PID 2780 (net.exe) wrote to memory of 2860, procid_target 36 (x4)
  PID 2968 (cmd.exe) wrote to memory of 2880, procid_target 37 (x4)
Processes
- C:\Users\Admin\AppData\Local\Temp\c848d232b608b58efebcf58d043e747b_JaffaCakes118.exe (PID 1052)
  command line: "C:\Users\Admin\AppData\Local\Temp\c848d232b608b58efebcf58d043e747b_JaffaCakes118.exe"
  signatures: Adds Run key to start application; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2968)
    command line: cmd /c ver >c:\windows\temp\flash.log & cmd /c set >>c:\windows\temp\flash.log & ipconfig /all >>c:\windows\temp\flash.log & tasklist >>c:\windows\temp\flash.log & net start>>c:\windows\temp\flash.log & netstat -an >>c:\windows\temp\flash.log
    signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2196)
      command line: cmd /c set
      signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\ipconfig.exe (PID 2556)
      command line: ipconfig /all
      signatures: System Location Discovery: System Language Discovery; Gathers network information
    - C:\Windows\SysWOW64\tasklist.exe (PID 2220)
      command line: tasklist
      signatures: Enumerates processes with tasklist; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\net.exe (PID 2780)
      command line: net start
      signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe (PID 2860)
        command line: C:\Windows\system32\net1 start
        signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\NETSTAT.EXE (PID 2880)
      command line: netstat -an
      signatures: System Location Discovery: System Language Discovery; Gathers network information; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 8KB
  MD5: 0fe9d1c3e0b6df3905577fbbc968e74e
  SHA1: f851af7c3ae4bdb36597f7b0c5d80732baf9e97d
  SHA256: 414e61e015c687bd2bea2aa71be573f624a1768693328e3703f03fd8f3867d57
  SHA512: d4a57330c6e5bfdf5ebe044f44d04c3da2f225d50eb2146cdf1fd142fb70335f06cad5bdcdf39ba783a635ca82f2366cc3ccff094d4221c07309c7adf0927963