Analysis
- max time kernel: 150s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 08/09/2024, 02:27
Static task
- static1
Behavioral task
- behavioral1
  Sample: d352cd261abf750135918461d9f6b358_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task
- behavioral2
  Sample: d352cd261abf750135918461d9f6b358_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
- Target: d352cd261abf750135918461d9f6b358_JaffaCakes118.exe
- Size: 325KB
- MD5: d352cd261abf750135918461d9f6b358
- SHA1: a6d94dc33cf227bd46dc484897c00a336b7b94cc
- SHA256: 2c59c1209651831a3b2d29c1eb7348b8a2ceb7acd0f07c990b6045161b7f7d8b
- SHA512: bde41a0205fd003cab20fb139addb9582b373ba30da977fdf6850ed67f6f874592c5188116d7f1fbac42fd4f97a28de264e4f276294c8ee6e30c7c23b077ceef
- SSDEEP: 6144:jb2K6pei6FPeuUjy9Bu9Av/uW4u+AoXoQ+31bA+GWLdJxbmRZq9O:Zwj6F2fC6A8AoX7M5A+GW5bmRk
Malware Config
Signatures
- Deletes itself 1 IoCs
  pid   Process
  2748  eA01300MiLgO01300.exe
- Executes dropped EXE 1 IoCs
  pid   Process
  2748  eA01300MiLgO01300.exe
- Loads dropped DLL 2 IoCs
  pid   Process
  2476  d352cd261abf750135918461d9f6b358_JaffaCakes118.exe
  2476  d352cd261abf750135918461d9f6b358_JaffaCakes118.exe
- UPX-packed memory regions (yara matches)
  resource                                                                     yara_rule
  behavioral1/memory/2476-0-0x0000000000400000-0x00000000004C3000-memory.dmp   upx
  behavioral1/memory/2476-1-0x0000000000400000-0x00000000004C3000-memory.dmp   upx
  behavioral1/memory/2476-3-0x0000000000400000-0x00000000004C3000-memory.dmp   upx
  behavioral1/memory/2748-23-0x0000000000400000-0x00000000004C3000-memory.dmp  upx
  behavioral1/memory/2476-36-0x0000000000400000-0x00000000004C3000-memory.dmp  upx
  behavioral1/memory/2748-37-0x0000000000400000-0x00000000004C3000-memory.dmp  upx
  behavioral1/memory/2748-51-0x0000000000400000-0x00000000004C3000-memory.dmp  upx
  behavioral1/memory/2476-55-0x0000000000400000-0x00000000004C3000-memory.dmp  upx
  behavioral1/memory/2748-60-0x0000000000400000-0x00000000004C3000-memory.dmp  upx
- Adds Run key to start application 2 TTPs 1 IoCs
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\eA01300MiLgO01300 = "C:\\ProgramData\\eA01300MiLgO01300\\eA01300MiLgO01300.exe"
  Process: eA01300MiLgO01300.exe
- System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                        Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  d352cd261abf750135918461d9f6b358_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  eA01300MiLgO01300.exe
- Modifies Internet Explorer settings
  description: Key created
  ioc: \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main
  Process: eA01300MiLgO01300.exe
- Suspicious behavior: EnumeratesProcesses 64 IoCs
  pid   Process
  2476  d352cd261abf750135918461d9f6b358_JaffaCakes118.exe
  2748  eA01300MiLgO01300.exe
  (the 64 IoCs are repeated occurrences of these two processes)
- Suspicious use of AdjustPrivilegeToken 2 IoCs
  description              pid   Process
  Token: SeDebugPrivilege  2476  d352cd261abf750135918461d9f6b358_JaffaCakes118.exe
  Token: SeDebugPrivilege  2748  eA01300MiLgO01300.exe
- Suspicious use of FindShellTrayWindow 6 IoCs
  pid   Process
  2748  eA01300MiLgO01300.exe  (6 identical entries)
- Suspicious use of SendNotifyMessage 6 IoCs
  pid   Process
  2748  eA01300MiLgO01300.exe  (6 identical entries)
- Suspicious use of SetWindowsHookEx 2 IoCs
  pid   Process
  2748  eA01300MiLgO01300.exe  (2 identical entries)
- Suspicious use of WriteProcessMemory 4 IoCs
  description                       pid   Process                                             procid_target
  PID 2476 wrote to memory of 2748  2476  d352cd261abf750135918461d9f6b358_JaffaCakes118.exe  30
  PID 2476 wrote to memory of 2748  2476  d352cd261abf750135918461d9f6b358_JaffaCakes118.exe  30
  PID 2476 wrote to memory of 2748  2476  d352cd261abf750135918461d9f6b358_JaffaCakes118.exe  30
  PID 2476 wrote to memory of 2748  2476  d352cd261abf750135918461d9f6b358_JaffaCakes118.exe  30
Processes
- C:\Users\Admin\AppData\Local\Temp\d352cd261abf750135918461d9f6b358_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d352cd261abf750135918461d9f6b358_JaffaCakes118.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2476
  - C:\ProgramData\eA01300MiLgO01300\eA01300MiLgO01300.exe
    Command line: "C:\ProgramData\eA01300MiLgO01300\eA01300MiLgO01300.exe" "C:\Users\Admin\AppData\Local\Temp\d352cd261abf750135918461d9f6b358_JaffaCakes118.exe"
    - Deletes itself
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID: 2748
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 208B
  MD5: 5b05c87b17824db35e88b308ceb54448
  SHA1: c4626da171c62fed55a8a3e99885d68ac3c0f97c
  SHA256: 19887606228959ef01d8ae7f3ecfafcf8895e68076537c0c6f3373e0c4f7e9d4
  SHA512: ad2dc16e4774779de89012dad11f86043394e1230a0239eaf77769f250a7fa90abf9d04314e871aed460dd72c3d29cda4a5f7faa20735a352d2ba0bafc7e235b
- Filesize: 325KB
  MD5: 9b60f3ee39bcd7b08ace483ca6f27bec
  SHA1: 4714cc2296f479651efe065c10334f99a12cf8a0
  SHA256: 6b18b04f6e4c0874f4c9faa57a8f243cb6e426835661f90576e4439bb01d3df0
  SHA512: 0fdb8d169a8fdf847e20c91aaff6692ad74a0b6fe0873403ec660fc068d53d8be39ee7cf68537f02b6ea9ef90730084b8ffe39295c2df1dd93fc3db633ce33a5