Analysis
max time kernel: 102s
max time network: 17s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 08/09/2024, 05:54
Static task: static1
Behavioral task: behavioral1
  Sample: d3b0f9c772ed6fb54bfcef61f80ddd2d_JaffaCakes118.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: d3b0f9c772ed6fb54bfcef61f80ddd2d_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: d3b0f9c772ed6fb54bfcef61f80ddd2d_JaffaCakes118.exe
Size: 84KB
MD5: d3b0f9c772ed6fb54bfcef61f80ddd2d
SHA1: d70fcf763210fa261347f4e658453a4964128682
SHA256: d1fe4471362a04cfffc3ac277535d5d139d48e7f2be0b5e8cb8def758882fac2
SHA512: a94e925d8c58ca97d191641e69a232caebf93ac0ce5c89f27731dfeec0da07b022fe2b507c05c80a906290b584f86c3de7c64a782374cd49720077bcb1e92526
SSDEEP: 768:n8mK3Qnw0ZR4+i30xReKIrTgXPA/nL7hymF7frdVlq7BTIsPjBmjHHsvWgU5Q:8N3QQ+i303eKfI/X4mF87esrBmjnsuVQ
Malware Config
Signatures
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d3b0f9c772ed6fb54bfcef61f80ddd2d_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AcroRd32.exe
Modifies registry class (9 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\TMP_auto_file | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\TMP_auto_file\ | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\TMP_auto_file\shell | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_Classes\Local Settings | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\.TMP | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\.TMP\ = "TMP_auto_file" | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\TMP_auto_file\shell\Read | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\TMP_auto_file\shell\Read\command | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\TMP_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | rundll32.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
2896 | AcroRd32.exe
Suspicious use of SetWindowsHookEx (3 IoCs)
pid | Process
2840 | d3b0f9c772ed6fb54bfcef61f80ddd2d_JaffaCakes118.exe
2896 | AcroRd32.exe
2896 | AcroRd32.exe
Suspicious use of WriteProcessMemory (15 IoCs)
description | pid | Process | procid_target
PID 2840 wrote to memory of 1944 | 2840 | d3b0f9c772ed6fb54bfcef61f80ddd2d_JaffaCakes118.exe | 29
PID 2840 wrote to memory of 1944 | 2840 | d3b0f9c772ed6fb54bfcef61f80ddd2d_JaffaCakes118.exe | 29
PID 2840 wrote to memory of 1944 | 2840 | d3b0f9c772ed6fb54bfcef61f80ddd2d_JaffaCakes118.exe | 29
PID 2840 wrote to memory of 1944 | 2840 | d3b0f9c772ed6fb54bfcef61f80ddd2d_JaffaCakes118.exe | 29
PID 1944 wrote to memory of 2776 | 1944 | cmd.exe | 31
PID 1944 wrote to memory of 2776 | 1944 | cmd.exe | 31
PID 1944 wrote to memory of 2776 | 1944 | cmd.exe | 31
PID 1944 wrote to memory of 2776 | 1944 | cmd.exe | 31
PID 1944 wrote to memory of 2776 | 1944 | cmd.exe | 31
PID 1944 wrote to memory of 2776 | 1944 | cmd.exe | 31
PID 1944 wrote to memory of 2776 | 1944 | cmd.exe | 31
PID 2776 wrote to memory of 2896 | 2776 | rundll32.exe | 32
PID 2776 wrote to memory of 2896 | 2776 | rundll32.exe | 32
PID 2776 wrote to memory of 2896 | 2776 | rundll32.exe | 32
PID 2776 wrote to memory of 2896 | 2776 | rundll32.exe | 32
Processes
1. C:\Users\Admin\AppData\Local\Temp\d3b0f9c772ed6fb54bfcef61f80ddd2d_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\d3b0f9c772ed6fb54bfcef61f80ddd2d_JaffaCakes118.exe"
   - System Location Discovery: System Language Discovery
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 2840
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\.bat
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 1944
      3. C:\Windows\SysWOW64\rundll32.exe
         Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\TMP9660.TMP
         - System Location Discovery: System Language Discovery
         - Modifies registry class
         - Suspicious use of WriteProcessMemory
         PID: 2776
         4. C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
            Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\TMP9660.TMP"
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of SetWindowsHookEx
            PID: 2896
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 173B
  MD5: 56c03b65d5a97bbc114772172de36849
  SHA1: 84f3598b8d20518dca847b0d2d324131c9b77749
  SHA256: 078dce039e69e9b9418db6e23279445a4e7f7754044fa998e6b20cf549f92b92
  SHA512: 07f9e8df4a677132984507bbf4cca5c202dbd56385e4979d4c7cbf95065e245e2435e93409f0ef2d34e9906b6f05966b662ff2469282eb3c83ae88320c30e1ad
File 2
  Filesize: 3KB
  MD5: 09cff09f624bbd76510789ebb03f5c8c
  SHA1: fe8d366dcc31340142c81de80fb9c801e3e5059f
  SHA256: 0471196b6e84999a8679c72e76b487cc7938529dd315713dd4ad05c86ab49214
  SHA512: 04b79537c8df4a82942ad6802cd6017346bc711b8e8a08ef6d1bebfb6972497d2dedec1cda96ca5b2f6a82df814566cd2acbe179fd46a52f2f5dabfeda817ab7