Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 149s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 07/09/2024, 04:19
Static task: static1
Behavioral task: behavioral1
- Sample: d10f3e52e0170d2ba634bdcfa9ecb43e_JaffaCakes118.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: d10f3e52e0170d2ba634bdcfa9ecb43e_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
The signatures and process tree below are from the Windows 7 x64 run (behavioral1, resource win7-20240903-en).
General
- Target: d10f3e52e0170d2ba634bdcfa9ecb43e_JaffaCakes118.exe
- Size: 1.1MB
- MD5: d10f3e52e0170d2ba634bdcfa9ecb43e
- SHA1: 41f0d67afed5c0838ef0adb047c34875ec80c5b0
- SHA256: 6f2642da0cee6e4ed6866607761f92effdcf21171a0540abbe519732eaffdcf7
- SHA512: bcd18abc261ea0382656610ba42085bf184c5faf8772cf7bee9b279185eec9bb1a0a52509ff0c1cd3b9279a1cdca329dba41649d9d262f032f1ec14132731228
- SSDEEP: 24576:6ArW/8hh0FQAq7c8nA7YMv3+DpBNPRI9ovlG4XozaEhptdPYfCG6bYVxXNVD8pVv:6e0mfW3YNPRRlG4saIprQNy
Malware Config
Signatures
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.lnk
  Process: d10f3e52e0170d2ba634bdcfa9ecb43e_JaffaCakes118.exe
  A shortcut in the per-user Startup folder runs at every logon of that user, independently of the Run key below; cleanup has to remove both.
- Loads dropped DLL (2 IoCs)
  PID 2384 d10f3e52e0170d2ba634bdcfa9ecb43e_JaffaCakes118.exe (2 DLL loads)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\360safo = "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  Process: d10f3e52e0170d2ba634bdcfa9ecb43e_JaffaCakes118.exe
  The Wow6432Node path is registry redirection, not a choice made by the sample: the binary is 32-bit (resource tags list arch:x86) and ran on Windows 7 x64, so its write to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lands under Wow6432Node. On a 32-bit host the same value appears under the native key, so a hunt must check both. The value name resembles the Qihoo 360 Safe product, and svchcst.exe resembles svchost.exe, whose legitimate copy lives in System32, never in a Roaming profile.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather the system language of the victim in order to infer the geographic location of the host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by WScript.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by d10f3e52e0170d2ba634bdcfa9ecb43e_JaffaCakes118.exe
  This key is read during ordinary locale initialisation by many runtimes (WScript.exe included), so on its own it is weak evidence of geofencing.
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  PID 2384 d10f3e52e0170d2ba634bdcfa9ecb43e_JaffaCakes118.exe (8 events)
- Suspicious behavior: RenamesItself (1 IoC)
  PID 2384 d10f3e52e0170d2ba634bdcfa9ecb43e_JaffaCakes118.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 2384 d10f3e52e0170d2ba634bdcfa9ecb43e_JaffaCakes118.exe (2 events)
  The report does not record the hook type; SetWindowsHookEx is the API behind WH_KEYBOARD_LL keyloggers but is also called by ordinary GUI frameworks.
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 2384 d10f3e52e0170d2ba634bdcfa9ecb43e_JaffaCakes118.exe wrote to memory of PID 2528 (WScript.exe, target procid 30), 4 events
  All four writes target the child the sample had just spawned. CreateProcess itself writes the new process's parameters into the child, so a handful of writes into a freshly created child is the normal footprint of process creation; this signature alone does not establish code injection into WScript.exe.
Processes
1. C:\Users\Admin\AppData\Local\Temp\d10f3e52e0170d2ba634bdcfa9ecb43e_JaffaCakes118.exe (PID 2384)
   Command line: "C:\Users\Admin\AppData\Local\Temp\d10f3e52e0170d2ba634bdcfa9ecb43e_JaffaCakes118.exe"
   - Drops startup file
   - Loads dropped DLL
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: RenamesItself
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WScript.exe (PID 2528), spawned by PID 2384
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      - System Location Discovery: System Language Discovery
      The command line names System32 but the image that actually ran is SysWOW64\WScript.exe: file system redirection maps a 32-bit parent's System32 path to SysWOW64, so the script host is 32-bit as well. The content of VBS3.vbs is not captured in this report; collect it from the Roaming\Microsoft folder together with svchcst.exe when triaging a live host.
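A host triage check for the persistence artifacts this report names, written here as an added example and not part of the tria.ge report or of the sample. It looks for the 360safo Run value under the Wow6432Node key the report shows, the native HKLM key a 32-bit host would use, and HKCU; looks for svchcst.exe, VBS3.vbs and win.lnk under the current user's Roaming profile (the sandbox user was Admin, so the assumption is that the sample drops into whichever user ran it, resolved via $env:APPDATA); resolves the LNK target; and compares SHA-256 of anything found against the sample and dropped-file hashes on this page. It targets Windows PowerShell 2.0 (the Windows 7 default) and therefore avoids Get-FileHash and Get-CimInstance. The value name, file names and paths are assumed to be reused unchanged on a real victim.

```powershell
# Added triage script; not part of the tria.ge report. Checks the local host for the
# persistence artifacts the report names. Assumptions (labelled): the sample writes
# into the infected user's own profile (sandbox user "Admin", here $env:APPDATA), and
# the value name 360safo and the file names are reused unchanged on a real victim.
# Written for Windows PowerShell 2.0+ (Windows 7 default), so no Get-FileHash.

function Get-Sha256Hex {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { $bytes = $sha.ComputeHash($stream) } finally { $stream.Close() }
    return ([System.BitConverter]::ToString($bytes) -replace '-', '').ToLowerInvariant()
}

$findings = @()

# 1. Run keys. The report shows Wow6432Node because a 32-bit sample ran on x64; on a
#    32-bit host the same write lands in the native key. HKCU is included because a
#    run without admin rights cannot write HKLM at all.
$runKeys = @(
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props -and $props.PSObject.Properties['360safo']) {
        $findings += New-Object PSObject -Property @{
            Type = 'RunKey'; Where = "$key\360safo"; Detail = $props.'360safo'
        }
    }
}

# 2. Dropped files named in the report, relative to the current user's Roaming profile.
$ms = Join-Path $env:APPDATA 'Microsoft'
$candidates = @(
    (Join-Path $ms 'svchcst.exe'),                                  # Run value target
    (Join-Path $ms 'VBS3.vbs'),                                     # run via WScript.exe
    (Join-Path $ms 'Windows\Start Menu\Programs\Startup\win.lnk')   # per-user Startup folder
)
# SHA-256 of the sample and of the three dropped files the report hashed (names not recorded).
$knownHashes = @(
    '6f2642da0cee6e4ed6866607761f92effdcf21171a0540abbe519732eaffdcf7',
    'f92f08df2b65e2f5b5db141c99b098c8b077c0c853a1fd51bfcc6d40dc68ad77',
    '2e34b83975addac887b96e6d69132002c88aaf23d8fd869c058cebfffd02acbb',
    '82096109d62fecec5704f82029d704f5b870f88201d21e4ca12c5622a26657d9'
)
foreach ($path in $candidates) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $hash = Get-Sha256Hex -Path $path
    $detail = "sha256=$hash matches_report=$($knownHashes -contains $hash)"
    if ($path -like '*.lnk') {
        # Resolve the shortcut so the output shows what the Startup entry actually launches.
        $lnk = (New-Object -ComObject WScript.Shell).CreateShortcut($path)
        $detail += " target=$($lnk.TargetPath) args=$($lnk.Arguments)"
    }
    $findings += New-Object PSObject -Property @{ Type = 'File'; Where = $path; Detail = $detail }
}

# 3. Live processes: the Run value launches svchcst.exe, and the sandbox saw WScript.exe
#    running VBS3.vbs; match on image name and command line via WMI (available on PS 2.0).
$wql = "Name = 'svchcst.exe' OR (Name = 'wscript.exe' AND CommandLine LIKE '%VBS3.vbs%')"
foreach ($p in @(Get-WmiObject -Class Win32_Process -Filter $wql -ErrorAction SilentlyContinue)) {
    if ($p) {
        $findings += New-Object PSObject -Property @{
            Type = 'Process'; Where = "PID $($p.ProcessId) $($p.ExecutablePath)"; Detail = $p.CommandLine
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'None of the artifacts from this report were found on this host.'
} else {
    $findings | Select-Object Type, Where, Detail | Format-Table -AutoSize -Wrap
}
```

The script only reads; it does not delete the Run value, the LNK or the files, because the dropped files should be collected and hashed before removal. A hash that does not match the list is still a finding: the report's RenamesItself signature means svchcst.exe may be a modified copy of the sample rather than a byte-identical one.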
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 92B
  MD5: 2004bcee923b0e0222f4cab87c2c2a3d
  SHA1: 0a3c122b7cfe403403d913ecc1b328480b1bfc2a
  SHA256: f92f08df2b65e2f5b5db141c99b098c8b077c0c853a1fd51bfcc6d40dc68ad77
  SHA512: cae47a4dfdb942622ebca65d57e9d80c29cb299aa8c217983e34a51655c2e96ed26c7fa2fad978b6279ed4d3c8c0571e417c60152bf66a116f67d0fe38d6a445
- Filesize: 735B
  MD5: dfc39720c6d2282ad814c004b4cdcb85
  SHA1: d81c560d04a36de63fa6d566ddfe9a042d08a797
  SHA256: 2e34b83975addac887b96e6d69132002c88aaf23d8fd869c058cebfffd02acbb
  SHA512: e7219908afe15e1f5edabdc2a0f0439c986fe48e887f139634f61ceedf09eac1202ec1225e06c2d485e8cc31930358a8c71b907c5b3aba6ec4ec9290e610948a
- Filesize: 1.1MB
  MD5: 0cbcb57abcb13d1874843f47f1360aba
  SHA1: 2bac6b51837b2cce8220e4fa4aff0f09f3815bf2
  SHA256: 82096109d62fecec5704f82029d704f5b870f88201d21e4ca12c5622a26657d9
  SHA512: d42ddce4d4429fd4f9a64434872af87da91153db1780b9d10d78ebc7544db62c49d2f874bdd86b15520e0d20cdd9f646abfdbfa960281a9c488fb624175081ef