Analysis
- max time kernel: 122s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 11/09/2024, 11:48
Static task: static1
Behavioral task: behavioral1
- Sample: da48b0ba28e4af65809f74196268f76e_JaffaCakes118.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: da48b0ba28e4af65809f74196268f76e_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: da48b0ba28e4af65809f74196268f76e_JaffaCakes118.exe
- Size: 152KB
- MD5: da48b0ba28e4af65809f74196268f76e
- SHA1: b13b1714c3658a29d504f2cef68db56a229db83e
- SHA256: 0e8aebca7070d9ba9c3d305682cb0dd496d23d06ff2e8fba4cb1c9400bb7d567
- SHA512: 76ce040443dbb469924d8bb823eecdfcecd27de705b55dee78caa170f56e0fd8a84d5d9ba29c7056d62bfacf6da5684c3200016684c766f6f478756e1f8242cd
- SSDEEP: 3072:9hQGtLpoVwL6GyHSqREdFgxm2FCM5i0ikSsi9GbYuY:ZJE66GBqREfL8bb9Ssik8
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 2808, cmd.exe
- Executes dropped EXE (1 IoC)
  pid 2268, inetsrv.exe
- Drops file in System32 directory (4 IoCs)
  File opened for modification: C:\Windows\SysWOW64\inetsrv.exe (process: da48b0ba28e4af65809f74196268f76e_JaffaCakes118.exe)
  File opened for modification: C:\Windows\SysWOW64\inetsrv.dll (process: inetsrv.exe)
  File created: C:\Windows\SysWOW64\inetsrv.dll (process: da48b0ba28e4af65809f74196268f76e_JaffaCakes118.exe)
  File created: C:\Windows\SysWOW64\inetsrv.exe (process: da48b0ba28e4af65809f74196268f76e_JaffaCakes118.exe)
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: da48b0ba28e4af65809f74196268f76e_JaffaCakes118.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: inetsrv.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cmd.exe)
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid 2268, inetsrv.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  description | pid | Process | procid_target
  PID 2268 wrote to memory of 488 | 2268 | inetsrv.exe | 7
  PID 2984 wrote to memory of 2808 | 2984 | da48b0ba28e4af65809f74196268f76e_JaffaCakes118.exe | 31
  PID 2984 wrote to memory of 2808 | 2984 | da48b0ba28e4af65809f74196268f76e_JaffaCakes118.exe | 31
  PID 2984 wrote to memory of 2808 | 2984 | da48b0ba28e4af65809f74196268f76e_JaffaCakes118.exe | 31
  PID 2984 wrote to memory of 2808 | 2984 | da48b0ba28e4af65809f74196268f76e_JaffaCakes118.exe | 31
  The 2984 -> 2808 write is the sample writing into its own cmd.exe child and is recorded four times; the 2268 -> 488 write is the dropped inetsrv.exe writing into PID 488, which the process list identifies as lsass.exe.
Processes
- C:\Windows\system32\lsass.exe (PID 488)
  command line: C:\Windows\system32\lsass.exe
- C:\Users\Admin\AppData\Local\Temp\da48b0ba28e4af65809f74196268f76e_JaffaCakes118.exe (PID 2984)
  command line: "C:\Users\Admin\AppData\Local\Temp\da48b0ba28e4af65809f74196268f76e_JaffaCakes118.exe"
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2808, child of 2984)
    command line: cmd /c C:\Users\Admin\AppData\Local\Temp\tmp.bat
    - Deletes itself
    - System Location Discovery: System Language Discovery
- C:\Windows\SysWOW64\inetsrv.exe (PID 2268)
  command line: C:\Windows\SysWOW64\inetsrv.exe -service
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
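The behaviour chain in the signatures and process list above, turned into host-side detection logic. This is an added example, not tria.ge's signature code: it runs over constructed Sysmon-style events (ProcessCreate, FileCreate and ProcessAccess, i.e. Sysmon event IDs 1, 11 and 10) that mirror the report, and flags a user-path process writing into a system directory, execution of a binary that was just dropped there, a temp batch file launched by a user-path parent (the self-delete pattern), and a write-capable handle to lsass.exe. The parent PIDs 1000 and 600, the 0x1FFFFF access mask and the event field names are assumptions; the report does not show them.

```python
"""
Detection logic for the reported chain, run over constructed Sysmon-style
events. The EVENTS list is hand-built to mirror the sandbox report; parent
PIDs 1000 and 600 and the access mask are assumed, not taken from the page.
"""
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\da48b0ba28e4af65809f74196268f76e_JaffaCakes118.exe"

# Constructed events, in the order the report implies they happened.
EVENTS = [
    {"type": "ProcessCreate", "pid": 2984, "ppid": 1000, "image": SAMPLE,
     "cmdline": f'"{SAMPLE}"'},
    {"type": "FileCreate", "pid": 2984, "image": SAMPLE,
     "target": r"C:\Windows\SysWOW64\inetsrv.dll"},
    {"type": "FileCreate", "pid": 2984, "image": SAMPLE,
     "target": r"C:\Windows\SysWOW64\inetsrv.exe"},
    {"type": "ProcessCreate", "pid": 2808, "ppid": 2984,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"cmd /c C:\Users\Admin\AppData\Local\Temp\tmp.bat"},
    {"type": "ProcessCreate", "pid": 2268, "ppid": 600,
     "image": r"C:\Windows\SysWOW64\inetsrv.exe",
     "cmdline": r"C:\Windows\SysWOW64\inetsrv.exe -service"},
    {"type": "ProcessAccess", "pid": 2268,
     "image": r"C:\Windows\SysWOW64\inetsrv.exe",
     "target_pid": 488, "target_image": r"C:\Windows\system32\lsass.exe",
     "access": 0x1FFFFF},  # assumed: PROCESS_ALL_ACCESS
]

SYSTEM_DIRS = ("c:\\windows\\syswow64\\", "c:\\windows\\system32\\")
USER_WRITABLE = ("c:\\users\\", "\\appdata\\", "\\temp\\")
# Rights WriteProcessMemory needs on the target handle.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020


def in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def in_user_writable(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def detect(events):
    """Return (rule, pid, detail) tuples, one per matching event, in event order."""
    findings = []
    images = {}      # pid -> image path, for parent lookups
    dropped = set()  # lowercase paths written into system dirs by user-path processes
    for ev in events:
        kind = ev["type"]
        if kind == "ProcessCreate":
            images[ev["pid"]] = ev["image"]
            image = ev["image"].lower()
            if image in dropped:
                findings.append(("dropped binary executed from system dir",
                                 ev["pid"], ev["cmdline"]))
            parent = images.get(ev["ppid"], "")
            if (image.endswith("\\cmd.exe")
                    and re.search(r"/c\s+\S+\.bat\b", ev["cmdline"], re.I)
                    and in_user_writable(parent)):
                findings.append(("temp batch file run by user-path parent (self-delete pattern)",
                                 ev["pid"], ev["cmdline"]))
        elif kind == "FileCreate":
            if in_system_dir(ev["target"]) and in_user_writable(ev["image"]):
                dropped.add(ev["target"].lower())
                findings.append(("user-path process wrote into system dir",
                                 ev["pid"], ev["target"]))
        elif kind == "ProcessAccess":
            writable = ev["access"] & (PROCESS_VM_OPERATION | PROCESS_VM_WRITE)
            if ev["target_image"].lower().endswith("\\lsass.exe") and writable:
                findings.append(("write-capable handle to lsass.exe", ev["pid"],
                                 f"target pid {ev['target_pid']} access 0x{ev['access']:x}"))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"[{rule}] pid={pid} {detail}")
```

The lsass rule keys on the granted access mask rather than on the process name alone, because legitimate tooling opens lsass.exe with query-only rights; only handles carrying PROCESS_VM_WRITE or PROCESS_VM_OPERATION can back a WriteProcessMemory call. The "dropped binary executed" rule deliberately requires the FileCreate to have been seen first, which is why events must be fed in time order.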
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 172B
  MD5: c7a3506394b96944fb8df3164604b4ab
  SHA1: 6339b73434e1c22847f52a8d1ad8e8749739df48
  SHA256: 4cdd57e45db91f2b1e79394ce89913398e5e8ab666a9529e809bdfe0dffc60d6
  SHA512: b543939a2c9f61720b30b372372728dd0cf4a6de528742304b550b38fbca8ae6952e845e44ca4ec85143ee5f6573ac26bac9298d3c5ba24ab72a8d596f7e7422
- Filesize: 103KB
  MD5: 157af8909d5d4d84fb1ed614552fd13d
  SHA1: 7ee754bfd867511995a81b602ce578b8206030e1
  SHA256: efad3d7a61b6e017e08bc5afb99e7574bce554f5ce8c16c951f10ec5978b8d09
  SHA512: db266355bdaf65ce61f57e9c04a10deae9ade6aa3d6a459cbf5aef235d0424e1bf4a5eecc0151a30b9ade44c1c4af223553d4ee592ee7abf6a928f440f36fd02
- Filesize: 152KB (hashes identical to the submitted sample)
  MD5: da48b0ba28e4af65809f74196268f76e
  SHA1: b13b1714c3658a29d504f2cef68db56a229db83e
  SHA256: 0e8aebca7070d9ba9c3d305682cb0dd496d23d06ff2e8fba4cb1c9400bb7d567
  SHA512: 76ce040443dbb469924d8bb823eecdfcecd27de705b55dee78caa170f56e0fd8a84d5d9ba29c7056d62bfacf6da5684c3200016684c766f6f478756e1f8242cd