Analysis
- max time kernel: 140s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 12/09/2024, 12:24
Static task
- static1

Behavioral task
- behavioral1
- Sample: dc4904ce3da34099518ae454667082a3_JaffaCakes118.exe
- Resource: win7-20240903-en

Behavioral task
- behavioral2
- Sample: dc4904ce3da34099518ae454667082a3_JaffaCakes118.exe
- Resource: win10v2004-20240910-en
General
- Target: dc4904ce3da34099518ae454667082a3_JaffaCakes118.exe
- Size: 81KB
- MD5: dc4904ce3da34099518ae454667082a3
- SHA1: 9c6fd3782571002571e570cc6d63c22277b4c9dd
- SHA256: f240c1a0c824adf9d26b1734d00609f9718c8794222e82f1f280276425abec91
- SHA512: 59012dc7d6f3f37e14eb18102f445de65e54e61213fdb87e296f672c919923886d3fc1803b5225a78b8a5d978f6c768e3b86b53c08243ebb34dc9a466c8a8409
- SSDEEP: 1536:VIqOQF0+cdsd+Vwu3IhgD5UAOqEILamxPb/4QXmycURay023z:kP+cdsMVwu3IO5mqECz4QXmycufR
Malware Config
Signatures
Executes dropped EXE (1 IoC)

pid | Process
2728 | pzpE85C.tmp
Loads dropped DLL (6 IoCs)

pid | Process
2980 | dc4904ce3da34099518ae454667082a3_JaffaCakes118.exe (2 entries)
2828 | WerFault.exe (4 entries)
Program crash (1 IoC)

pid | pid_target | Process | procid_target
2828 | 2728 | WerFault.exe | 31
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dc4904ce3da34099518ae454667082a3_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pzpE85C.tmp
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Notepad.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)

pid | Process
2980 | dc4904ce3da34099518ae454667082a3_JaffaCakes118.exe (1 entry)
2728 | pzpE85C.tmp (remaining 63 entries)
Suspicious use of AdjustPrivilegeToken (1 IoC)

description | pid | Process
Token: SeDebugPrivilege | 2728 | pzpE85C.tmp
Suspicious use of WriteProcessMemory (12 IoCs)

description | pid | Process | procid_target
PID 2980 wrote to memory of 2728 | 2980 | dc4904ce3da34099518ae454667082a3_JaffaCakes118.exe | 31 (4 entries)
PID 2728 wrote to memory of 1856 | 2728 | pzpE85C.tmp | 32 (4 entries)
PID 2728 wrote to memory of 2828 | 2728 | pzpE85C.tmp | 33 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\dc4904ce3da34099518ae454667082a3_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dc4904ce3da34099518ae454667082a3_JaffaCakes118.exe"
  PID: 2980
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\pzpE85C.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\pzpE85C.tmp"
    PID: 2728
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Notepad.exe
      Command line: Notepad.exe
      PID: 1856
      - System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 304
      PID: 2828
      - Loads dropped DLL
      - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 81KB
- MD5: 12cd3c515d962f472144e9da0c371a10
- SHA1: 35d235040485a24db8b119b865671e6b1c90c35a
- SHA256: c563704a505d22b5e57d58db657bcd02f8edd30cdfbf6c8a2bc6f78f07426705
- SHA512: 1d3311ec9e3c4ede50667a785d5272a2057cb2df59c9f40288f2c18c92961be95ffe7585cdc0ef6a640248a922b5e4a9f4616a1213779c630b2acd4153ad6491