Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
121s -
max time network
128s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
09/09/2024, 00:05
Static task
static1
Behavioral task
behavioral1
Sample
d55651cde1b25d4f1abaf9d456477eb9_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
d55651cde1b25d4f1abaf9d456477eb9_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
d55651cde1b25d4f1abaf9d456477eb9_JaffaCakes118.exe
-
Size
136KB
-
MD5
d55651cde1b25d4f1abaf9d456477eb9
-
SHA1
e8acde597aaeec505b868de2881dca5451e2716c
-
SHA256
fc1798ed2df8053ccd28988ccb63d8d104a280bd55c51882bc8a9e7cadd3b3be
-
SHA512
e25880387ccbbebea0f366b01fd230be0c7c179913cd82231234378b576e5006336751506cecdd97742015a8f971322c7bcb777f7b5295d969cbdbc996b853c5
-
SSDEEP
3072:X1cKtGG95k4NsFUUpYqMwmB3k60ng7nKa4fjAaKGiH:X1cW9yfFUUpY6msgrnaKv
Malware Config
Signatures
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion d55651cde1b25d4f1abaf9d456477eb9_JaffaCakes118.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2728 set thread context of 2820 2728 d55651cde1b25d4f1abaf9d456477eb9_JaffaCakes118.exe 30 -
Program crash 1 IoCs
pid pid_target Process procid_target 2716 2820 WerFault.exe 30 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d55651cde1b25d4f1abaf9d456477eb9_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2728 d55651cde1b25d4f1abaf9d456477eb9_JaffaCakes118.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 2728 d55651cde1b25d4f1abaf9d456477eb9_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target PID 2728 wrote to memory of 2820 2728 d55651cde1b25d4f1abaf9d456477eb9_JaffaCakes118.exe 30 PID 2728 wrote to memory of 2820 2728 d55651cde1b25d4f1abaf9d456477eb9_JaffaCakes118.exe 30 PID 2728 wrote to memory of 2820 2728 d55651cde1b25d4f1abaf9d456477eb9_JaffaCakes118.exe 30 PID 2728 wrote to memory of 2820 2728 d55651cde1b25d4f1abaf9d456477eb9_JaffaCakes118.exe 30 PID 2728 wrote to memory of 2820 2728 d55651cde1b25d4f1abaf9d456477eb9_JaffaCakes118.exe 30 PID 2728 wrote to memory of 2820 2728 d55651cde1b25d4f1abaf9d456477eb9_JaffaCakes118.exe 30 PID 2820 wrote to memory of 2716 2820 svchost.exe 31 PID 2820 wrote to memory of 2716 2820 svchost.exe 31 PID 2820 wrote to memory of 2716 2820 svchost.exe 31 PID 2820 wrote to memory of 2716 2820 svchost.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\d55651cde1b25d4f1abaf9d456477eb9_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\d55651cde1b25d4f1abaf9d456477eb9_JaffaCakes118.exe"1⤵
- Checks BIOS information in registry
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\svchost.exe"C:\Windows\system32\svchost.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 1563⤵
- Program crash
PID:2716
-
-