Analysis
max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 30/08/2024, 22:59
Static task: static1
Behavioral task: behavioral1
  Sample: cbd453d3cca0a21f19e5d2f1b2f2cdd5_JaffaCakes118.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: cbd453d3cca0a21f19e5d2f1b2f2cdd5_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
The signatures and process tree below come from the windows7_x64 run (behavioral1, win7-20240705-en).
General
Target: cbd453d3cca0a21f19e5d2f1b2f2cdd5_JaffaCakes118.exe
Size: 556KB
MD5: cbd453d3cca0a21f19e5d2f1b2f2cdd5
SHA1: b5b2d7139500f1a45c9e85e7a278d59ab0e6dac4
SHA256: 0bec16111e2199d4f62882cd59c2e3868b5c7539e64f5f3fb16dde94e2b4292e
SHA512: 7ede9637c2fdb3640bdd2fb7bc81e7ba96b85dd6154ba68e4ff45469d9597bcca9ff76765ef16f28782d5ee50168a9323082a3d05b5fcb1ece4fe21e4f0eb66e
SSDEEP: 6144:D3zSXlx+8X8zqLoDpNAZF6HdygYEuH0u4N51cz/XtD/yld9K753:jWXTZsuMDpKT68gYEuUp50try1K7F
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  pid   Process
  2772  Remc.exe

Loads dropped DLL (2 IoCs)
  pid   Process
  2400  cmd.exe
  2400  cmd.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Both the original sample and the dropped copy set the same HKCU Run value (value name erwfguyhjnxcj, data = the path of the dropped executable):
  Process: cbd453d3cca0a21f19e5d2f1b2f2cdd5_JaffaCakes118.exe
    Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\erwfguyhjnxcj = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remc\\Remc.exe\""
  Process: Remc.exe
    Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\erwfguyhjnxcj = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remc\\Remc.exe\""

Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process   procid_target
  PID 2772 set thread context of 2636  2772  Remc.exe  34

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cbd453d3cca0a21f19e5d2f1b2f2cdd5_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Remc.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
  pid   Process
  1992  cbd453d3cca0a21f19e5d2f1b2f2cdd5_JaffaCakes118.exe
  2772  Remc.exe
  2772  Remc.exe

Suspicious use of UnmapMainImage (2 IoCs)
  pid   Process
  1992  cbd453d3cca0a21f19e5d2f1b2f2cdd5_JaffaCakes118.exe
  2772  Remc.exe

Suspicious use of WriteProcessMemory (23 IoCs)
  The report lists one row per call; identical rows are collapsed here with their count.
  description                       pid   Process                                              procid_target  rows
  PID 1992 wrote to memory of 1756  1992  cbd453d3cca0a21f19e5d2f1b2f2cdd5_JaffaCakes118.exe   30             4
  PID 1756 wrote to memory of 2400  1756  WScript.exe                                          31             4
  PID 2400 wrote to memory of 2772  2400  cmd.exe                                              33             4
  PID 2772 wrote to memory of 2636  2772  Remc.exe                                             34             11
  The three plain parent-to-child spawns (sample -> WScript.exe -> cmd.exe -> Remc.exe) each produce four rows, so a parent writing into its new child is not a signal on its own. The 11 writes from Remc.exe into svchost.exe, combined with the SetThreadContext row above from the same PID pair, are the process-hollowing indicator.
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\cbd453d3cca0a21f19e5d2f1b2f2cdd5_JaffaCakes118.exe (PID 1992)
  Command line: "C:\Users\Admin\AppData\Local\Temp\cbd453d3cca0a21f19e5d2f1b2f2cdd5_JaffaCakes118.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\SysWOW64\WScript.exe (PID 1756)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SysWOW64\cmd.exe (PID 2400)
      Command line: "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remc\Remc.exe"
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      Level 4: C:\Users\Admin\AppData\Roaming\Remc\Remc.exe (PID 2772)
        Command line: C:\Users\Admin\AppData\Roaming\Remc\Remc.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of UnmapMainImage
        - Suspicious use of WriteProcessMemory

        Level 5: C:\Windows\SysWOW64\svchost.exe (PID 2636)
          Command line: C:\Windows\SysWOW64\svchost.exe
          No signatures of its own; it is the target of the SetThreadContext and WriteProcessMemory rows from PID 2772.

Note: the command lines name C:\Windows\System32\ while the executed images resolve to C:\Windows\SysWOW64\. That is WoW64 file-system redirection for a 32-bit process chain (the whole chain runs under SysWOW64). A svchost.exe whose parent is an executable in AppData\Roaming rather than services.exe is itself worth alerting on, independent of the injection signatures.
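To turn the signature rows and process tree above into something a detection engineer can test, here is an added Python example (not part of the tria.ge report) that takes the report's own WriteProcessMemory, SetThreadContext and Run-key rows as constructed input, rebuilds the write chain, and applies two rules: process hollowing (a writer under the user profile that both writes into and resets the thread context of a Windows system binary) and Run-key persistence pointing into the user profile. The PID-to-image map is copied from the process tree; the unescaping of the Run value (backslash-escaped backslashes and quotes) is an assumption about how tria.ge renders string values, and the path heuristics are the example's own, not the sandbox's.

```python
import re
from typing import Dict, Iterable, List, Set, Tuple

# Constructed input: rows copied from the report's signature tables above
# (sandbox PIDs, not live telemetry). One event per line.
WRITE_LINES = """
PID 1992 wrote to memory of 1756 1992 cbd453d3cca0a21f19e5d2f1b2f2cdd5_JaffaCakes118.exe 30
PID 1756 wrote to memory of 2400 1756 WScript.exe 31
PID 2400 wrote to memory of 2772 2400 cmd.exe 33
PID 2772 wrote to memory of 2636 2772 Remc.exe 34
""".strip().splitlines()

CONTEXT_LINES = ["PID 2772 set thread context of 2636 2772 Remc.exe 34"]

# The Run-key row as tria.ge renders it: the value string is quoted and its
# backslashes and inner quotes are escaped (assumption about the rendering).
RUN_KEY_LINES = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\Run\erwfguyhjnxcj = '
    r'"\"C:\\Users\\Admin\\AppData\\Roaming\\Remc\\Remc.exe\"" Remc.exe',
]

# Image path per PID, taken from the report's process tree.
IMAGES: Dict[int, str] = {
    1992: r"C:\Users\Admin\AppData\Local\Temp\cbd453d3cca0a21f19e5d2f1b2f2cdd5_JaffaCakes118.exe",
    1756: r"C:\Windows\SysWOW64\WScript.exe",
    2400: r"C:\Windows\SysWOW64\cmd.exe",
    2772: r"C:\Users\Admin\AppData\Roaming\Remc\Remc.exe",
    2636: r"C:\Windows\SysWOW64\svchost.exe",
}

WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)\b")
CONTEXT_RE = re.compile(r"^PID (\d+) set thread context of (\d+)\b")
RUN_RE = re.compile(r'^Set value \(str\) (\\REGISTRY\\\S*\\CurrentVersion\\Run\\(\S+)) = "(.*)" \S+$')


def parse_pairs(lines: Iterable[str], pattern: "re.Pattern[str]") -> Set[Tuple[int, int]]:
    """Return the set of (source_pid, target_pid) edges found in the rows."""
    pairs: Set[Tuple[int, int]] = set()
    for line in lines:
        m = pattern.match(line)
        if m:
            pairs.add((int(m.group(1)), int(m.group(2))))
    return pairs


def under_user_profile(path: str) -> bool:
    """True for anything below the Users directory (AppData, Temp, Desktop ...)."""
    return path.lower().startswith("c:\\users\\")


def is_system_binary(path: str) -> bool:
    """True for images in System32 or its 32-bit twin SysWOW64."""
    p = path.lower()
    return p.startswith("c:\\windows\\system32\\") or p.startswith("c:\\windows\\syswow64\\")


def find_hollowing(write_lines, context_lines, images) -> List[Tuple[int, int]]:
    """Every parent writes into its freshly created child, so WriteProcessMemory
    alone is noise. Flag only pairs where the writer also replaced the target's
    thread context, lives under the user profile, and the target is a Windows binary."""
    writes = parse_pairs(write_lines, WRITE_RE)
    contexts = parse_pairs(context_lines, CONTEXT_RE)
    hits = []
    for src, dst in sorted(writes & contexts):
        if under_user_profile(images.get(src, "")) and is_system_binary(images.get(dst, "")):
            hits.append((src, dst))
    return hits


def find_user_profile_run_values(run_lines) -> List[Tuple[str, str]]:
    """Unescape the sandbox rendering of the Run value and flag entries whose
    target executable sits under the user profile (AppData/Roaming here)."""
    hits = []
    for line in run_lines:
        m = RUN_RE.match(line)
        if not m:
            continue
        name, raw = m.group(2), m.group(3)
        value = raw.replace('\\"', '"').replace("\\\\", "\\").strip('"')
        if under_user_profile(value):
            hits.append((name, value))
    return hits


def write_chain(write_lines, images, root: int) -> List[str]:
    """Follow writer->target edges from root. In this report every such edge is
    also a parent->child edge, so this recovers the process tree as basenames."""
    children: Dict[int, List[int]] = {}
    for src, dst in parse_pairs(write_lines, WRITE_RE):
        children.setdefault(src, []).append(dst)
    chain, seen, pid = [], set(), root
    while pid in images and pid not in seen:  # seen guards against cycles
        seen.add(pid)
        chain.append(images[pid].rsplit("\\", 1)[-1])
        nxt = children.get(pid)
        if not nxt:
            break
        pid = min(nxt)  # this trace is linear; take the first child otherwise
    return chain


if __name__ == "__main__":
    print(" -> ".join(write_chain(WRITE_LINES, IMAGES, 1992)))
    for src, dst in find_hollowing(WRITE_LINES, CONTEXT_LINES, IMAGES):
        print(f"hollowing: {src} ({IMAGES[src]}) -> {dst} ({IMAGES[dst]})")
    for name, value in find_user_profile_run_values(RUN_KEY_LINES):
        print(f"persistence: Run\\{name} = {value}")
```

Run as-is it reports the chain sample -> WScript.exe -> cmd.exe -> Remc.exe -> svchost.exe, one hollowing pair (2772 -> 2636) and one persistence entry (erwfguyhjnxcj). The 1992 -> 1756 write is deliberately not flagged: the sample wrote into WScript.exe exactly as any parent does at process creation, and there is no SetThreadContext row for that pair. On a live host the equivalent telemetry is a process-access event from an AppData executable to a newly created, suspended system binary, plus a svchost.exe whose parent is not services.exe.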
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 410B
MD5: 837b54af2c8d285fb69d719cc9061206
SHA1: b31b75216a46b744eb0d89dd9885431a8ecde820
SHA256: 353bf067c7071e2b6904205a0f6755433a8711a4b2a9b48ac32ff538463f0e46
SHA512: 6cc4e846538cf16de26004343a157a565fe9730ad5c253e3fb6c64098405849e732bd2216fbdecd52cc3cbcb84e24e4dca23b5fd4f68bcdc0e73d485479e2311

Filesize: 79B
MD5: a427676487385e01f1efd56248f90193
SHA1: fd523df33f9e29e1d7fd58ee29b4e88498f2107e
SHA256: 0bb1f75a2d6ce9c9933ce552eeb28fa2d7902e42ab0f8a7fff7ed507daade805
SHA512: 4c8275e604cf78d90f4065203e3abf823b7773d291eb5a9b10417ba9a9e4b7e55e6c5b03199eb51958565afcafe067a489bc71f8623d818da7c15ecabdfa351f

Filesize: 556KB (hashes match the submitted sample)
MD5: cbd453d3cca0a21f19e5d2f1b2f2cdd5
SHA1: b5b2d7139500f1a45c9e85e7a278d59ab0e6dac4
SHA256: 0bec16111e2199d4f62882cd59c2e3868b5c7539e64f5f3fb16dde94e2b4292e
SHA512: 7ede9637c2fdb3640bdd2fb7bc81e7ba96b85dd6154ba68e4ff45469d9597bcca9ff76765ef16f28782d5ee50168a9323082a3d05b5fcb1ece4fe21e4f0eb66e