Analysis
  max time kernel:  121s
  max time network: 111s
  platform:         windows7_x64
  resource:         win7-20240903-en
  resource tags:    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted:        11/09/2024, 19:07
Static task
  static1

Behavioral task
  behavioral1
  Sample:   db08d6af3b89a77e80d1690ceaa7599b_JaffaCakes118.exe
  Resource: win7-20240903-en

Behavioral task
  behavioral2
  Sample:   db08d6af3b89a77e80d1690ceaa7599b_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
  Target: db08d6af3b89a77e80d1690ceaa7599b_JaffaCakes118.exe
  Size:   92KB
  MD5:    db08d6af3b89a77e80d1690ceaa7599b
  SHA1:   c854185401fc590187ac3b55435bbd70aac98b45
  SHA256: c0ecee0a7523c4cad8f4c0c18201579696851cc2e51a463fe5ddcb47152da804
  SHA512: 86ef9e29e3cdade48253b3c2f458b2bead55a5ce31acb9cd58586234d9af1ced67f12f69b9602e2f4558b6497db55a6dfa6afed07fa0fab1c73252d99031f452
  SSDEEP: 1536:W7FDGo4K9Ty+ihfQxtQg1nhFc9pJpk+tCwmg+Q6buWkJ2/tnJs1vk1PsG4evCuJP:yDGACQxjJGJpTP65vFJOEvCaP
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
  PID   Process
  2896  BCSSync.exe
  3028  BCSSync.exe

Loads dropped DLL (3 IoCs)
  PID   Process
  2768  db08d6af3b89a77e80d1690ceaa7599b_JaffaCakes118.exe
  2768  db08d6af3b89a77e80d1690ceaa7599b_JaffaCakes118.exe
  2896  BCSSync.exe

Unexpected DNS network traffic destination (5 IoCs)
  Network traffic to servers other than the configured DNS servers was detected on the DNS port (53).
  Destination IP  83.133.119.139  (5 flows, all to the same host)
  The report only records that port 53 was used towards a host that is not a configured resolver; it does not show whether the payload was real DNS. Treat the destination as an IoC in its own right rather than as a resolver.

Suspicious use of SetThreadContext (2 IoCs)
  PID   Process                                              target PID  procid_target
  2952  db08d6af3b89a77e80d1690ceaa7599b_JaffaCakes118.exe   2768        29
  2896  BCSSync.exe                                          3028        31
  In both cases the parent spawns a second copy of its own image, writes into it (see WriteProcessMemory below) and then replaces a thread context in it. That triple is the shape of process hollowing (RunPE): the child keeps its on-disk image name while executing whatever the parent wrote in, so the image path of PID 2768 or 3028 says nothing about the code that actually runs there.

Drops file in Program Files directory (2 IoCs)
  File created                  C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe   db08d6af3b89a77e80d1690ceaa7599b_JaffaCakes118.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe   db08d6af3b89a77e80d1690ceaa7599b_JaffaCakes118.exe
  BCSSync.exe is the name of a legitimate Office 2010 component (Business Connectivity Services Sync), so the drop masquerades as Office by path and file name. Judge the file by its signature and hash, not its location. Creating a file under Program Files (x86) also needs rights a standard, unelevated user does not have; the sandbox evidently granted them, so do not assume the drop succeeds on a locked-down host.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   db08d6af3b89a77e80d1690ceaa7599b_JaffaCakes118.exe  (2 times)
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   BCSSync.exe  (2 times)
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   BCSSync .exe  (1 time)
  The last process name really is "BCSSync .exe" with a space before the extension; it is a separate file from BCSSync.exe (see the process tree).

Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID   Process
  2768  db08d6af3b89a77e80d1690ceaa7599b_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (26 IoCs)
  PID   Process                                              target PID  procid_target  writes
  2952  db08d6af3b89a77e80d1690ceaa7599b_JaffaCakes118.exe   2768        29             9
  2768  db08d6af3b89a77e80d1690ceaa7599b_JaffaCakes118.exe   2896        30             4
  2896  BCSSync.exe                                          3028        31             9
  3028  BCSSync.exe                                          2348        32             4
  Only the two parent/child pairs that also appear under SetThreadContext (2952 to 2768, 2896 to 3028) complete the hollowing sequence; the four writes from 2768 to 2896 and from 3028 to 2348 have no matching thread-context change in this report.
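The signatures above are individually weak (WriteProcessMemory into a child, a file created under Program Files, traffic on port 53), and what makes this report convincing is how they combine. The script below, an added example that is not part of the Triage report, re-derives the interesting verdicts from the raw events. The event list is constructed by hand from the PIDs, image paths and IP the report lists (it is not Triage's export format, and identical repeated rows are collapsed), and the RESOLVERS set is an assumed sandbox DNS configuration, since the page does not state the real one.

```python
"""Re-derive this report's key signatures from raw behavioural events.

EVENTS is hand-built from the PIDs, paths and IP in the report (not a
Triage export); RESOLVERS is an assumed sandbox resolver, not from the page.
"""
from collections import defaultdict

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\db08d6af3b89a77e80d1690ceaa7599b_JaffaCakes118.exe"
OFFICE14 = r"C:\Program Files (x86)\Microsoft Office\Office14"
DROPPED = OFFICE14 + r"\BCSSync.exe"
DROPPED_SPACE = OFFICE14 + r"\BCSSync .exe"   # note the space in the name

# (event, actor_pid, actor_image, target).  target is (pid, image) for
# create_process, a pid for memory/thread events, a path for file_create.
EVENTS = [
    ("create_process",     2952, SAMPLE,  (2768, SAMPLE)),
    ("write_memory",       2952, SAMPLE,  2768),
    ("set_thread_context", 2952, SAMPLE,  2768),
    ("file_create",        2768, SAMPLE,  DROPPED),
    ("create_process",     2768, SAMPLE,  (2896, DROPPED)),
    ("write_memory",       2768, SAMPLE,  2896),
    ("create_process",     2896, DROPPED, (3028, DROPPED)),
    ("write_memory",       2896, DROPPED, 3028),
    ("set_thread_context", 2896, DROPPED, 3028),
    ("create_process",     3028, DROPPED, (2348, DROPPED_SPACE)),
    ("write_memory",       3028, DROPPED, 2348),
]

# Five port-53 flows to one host, as listed under "Unexpected DNS".
DNS_FLOWS = [("83.133.119.139", 53)] * 5
RESOLVERS = {"10.127.0.1"}   # assumed sandbox resolver (not from the page)


def find_hollowing(events):
    """(parent, child) pairs where the parent created the child, wrote its
    memory AND reset a thread context in it: the process-hollowing (RunPE)
    shape.  A write alone (2768 -> 2896 here) is not flagged, because
    debuggers and installers legitimately write into their children."""
    parent_of = {}                       # child pid -> parent pid
    seen = defaultdict(set)              # (parent, child) -> event kinds
    for kind, pid, _img, target in events:
        if kind == "create_process":
            parent_of[target[0]] = pid
        elif kind in ("write_memory", "set_thread_context"):
            if parent_of.get(target) == pid:
                seen[(pid, target)].add(kind)
    return sorted(pair for pair, kinds in seen.items()
                  if {"write_memory", "set_thread_context"} <= kinds)


def find_dropped_exe_runs(events):
    """PIDs whose image was written earlier in the same trace
    (Triage's 'Executes dropped EXE')."""
    dropped, runs = set(), []
    for kind, pid, _img, target in events:
        if kind == "file_create":
            dropped.add(target.lower())
        elif kind == "create_process" and target[1].lower() in dropped:
            runs.append(target[0])
    return runs


def find_program_files_drops(events):
    """Files written under Program Files by a process that itself runs from
    the user's temp directory: a masquerade, here as Office's BCSSync.exe."""
    return [(pid, target) for kind, pid, img, target in events
            if kind == "file_create"
            and target.lower().startswith(r"c:\program files")
            and img.lower().startswith(TEMP.lower())]


def unexpected_dns(flows, resolvers):
    """Port-53 traffic to anything other than the configured resolvers."""
    return [dst for dst, port in flows if port == 53 and dst not in resolvers]


if __name__ == "__main__":
    print("hollowing pairs :", find_hollowing(EVENTS))
    print("dropped EXE runs:", find_dropped_exe_runs(EVENTS))
    print("Program Files   :", find_program_files_drops(EVENTS))
    print("unexpected DNS  :", unexpected_dns(DNS_FLOWS, RESOLVERS))
```

Run stand-alone it reproduces the report: two hollowing pairs (2952 into 2768, 2896 into 3028), dropped-EXE runs for PIDs 2896 and 3028 only (PID 2348 runs "BCSSync .exe", which the report never lists as a created file), one Program Files drop by PID 2768, and five port-53 flows outside the resolver set. The point of requiring the write and the SetThreadContext together is precision: on a real endpoint either event on its own is common, the pair from a parent into its own freshly created child is not.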
Processes (indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\db08d6af3b89a77e80d1690ceaa7599b_JaffaCakes118.exe  (PID 2952)
  Command line: "C:\Users\Admin\AppData\Local\Temp\db08d6af3b89a77e80d1690ceaa7599b_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\db08d6af3b89a77e80d1690ceaa7599b_JaffaCakes118.exe  (PID 2768)
    Command line: "C:\Users\Admin\AppData\Local\Temp\db08d6af3b89a77e80d1690ceaa7599b_JaffaCakes118.exe"
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe  (PID 2896)
      Command line: "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\db08d6af3b89a77e80d1690ceaa7599b_JaffaCakes118.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe  (PID 3028)
        Command line: "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\db08d6af3b89a77e80d1690ceaa7599b_JaffaCakes118.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe  (PID 2348)
          Command line: "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync .exe" "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" DEL:C:\Users\Admin\AppData\Local\Temp\db08d6af3b89a77e80d1690ceaa7599b_JaffaCakes118.exe
          - System Location Discovery: System Language Discovery

Two details of the tree are worth reading off directly. First, the chain is sample -> copy of sample (hollowed) -> dropped BCSSync.exe -> copy of BCSSync.exe (hollowed) -> "BCSSync .exe", so the payload changes image name twice and the process that survives at the end does not share a name with the file that was submitted. Second, every dropped-copy invocation carries DEL: followed by the original sample's path, which is consistent with the dropper handing its own location to the copy for cleanup; the report records no file-delete event, though, so treat that as a hypothesis rather than an observed behaviour.
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 92KB
  MD5:    53f29ea9fb489879c039506702ea0ff9
  SHA1:   6432fefde6d88fc7a7e953bd52dcfa5b09612be2
  SHA256: eee83d127f9b34539f1f1bc587e37910748161970b9793ee6bb1ba9e2976d129
  SHA512: fdd2c865c3102fdd4dc415f0f0e5ef1912558d37bcbd7c17671ee6d30a8dd136e1eff8ba49092f3d8c7d91a7fb391413ab08896499c123c872ff15a3abc82cb6
  The page does not name this file. Its hashes differ from the submitted sample's, so it is a distinct binary of the same 92KB size; when hunting, search for both hash sets rather than only the one under General.