Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
142s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
13/09/2024, 03:05
Static task
static1
Behavioral task
behavioral1
Sample
dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe
-
Size
184KB
-
MD5
dd8b1b0b9002f34b6de1ce5795af7044
-
SHA1
21a258520bc8a5752bd301fdc30246e2d7b09cf1
-
SHA256
49caadac601106fea44e5865d240e71989b737a27968cf07a585cb6aa7b506d5
-
SHA512
291cdbd385222f9c5569b00446f2288db97a069c56de0f90bbc6e045d8630132a246dc1ce283350ee101a1e9b01a8e6edf4356b637768a0735d433d3b8bf4d28
-
SSDEEP
3072:6Xj0wZchwJVqMuS4OX0ggDDIotbJKbkrQa:azZ4wzZuS4OXRmDnbJka
Malware Config
Signatures
-
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 2380 set thread context of 2376 2380 dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe 29 PID 2732 set thread context of 2280 2732 svchost.exe 33 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe -
Suspicious behavior: RenamesItself 2 IoCs
pid Process 2376 dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe 2376 dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 2380 dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe 2732 svchost.exe 2280 svchost.exe -
Suspicious use of WriteProcessMemory 32 IoCs
description pid Process procid_target PID 2380 wrote to memory of 2376 2380 dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe 29 PID 2380 wrote to memory of 2376 2380 dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe 29 PID 2380 wrote to memory of 2376 2380 dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe 29 PID 2380 wrote to memory of 2376 2380 dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe 29 PID 2380 wrote to memory of 2376 2380 dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe 29 PID 2380 wrote to memory of 2376 2380 dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe 29 PID 2380 wrote to memory of 2376 2380 dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe 29 PID 2380 wrote to memory of 2376 2380 dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe 29 PID 2380 wrote to memory of 2376 2380 dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe 29 PID 2380 wrote to memory of 2376 2380 dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe 29 PID 2376 wrote to memory of 3004 2376 dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe 30 PID 2376 wrote to memory of 3004 2376 dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe 30 PID 2376 wrote to memory of 3004 2376 dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe 30 PID 2376 wrote to memory of 3004 2376 dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe 30 PID 3004 wrote to memory of 2732 3004 cmd.exe 32 PID 3004 wrote to memory of 2732 3004 cmd.exe 32 PID 3004 wrote to memory of 2732 3004 cmd.exe 32 PID 3004 wrote to memory of 2732 3004 cmd.exe 32 PID 2732 wrote to memory of 2280 2732 svchost.exe 33 PID 2732 wrote to memory of 2280 2732 svchost.exe 33 PID 2732 wrote to memory of 2280 2732 svchost.exe 33 PID 2732 wrote to memory of 2280 2732 svchost.exe 33 PID 2732 wrote to memory of 2280 2732 svchost.exe 33 PID 2732 wrote to memory of 2280 2732 svchost.exe 33 PID 2732 wrote to memory of 2280 2732 svchost.exe 33 PID 2732 wrote to memory of 2280 2732 svchost.exe 33 PID 2732 wrote to memory of 2280 2732 svchost.exe 33 PID 2732 wrote to memory of 2280 2732 svchost.exe 33 PID 2280 wrote to memory of 2444 2280 svchost.exe 34 PID 2280 wrote to memory of 2444 2280 svchost.exe 34 PID 2280 wrote to memory of 2444 2280 svchost.exe 34 PID 2280 wrote to memory of 2444 2280 svchost.exe 34
Processes
-
C:\Users\Admin\AppData\Local\Temp\dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Users\Admin\AppData\Local\Temp\dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Windows\SysWOW64\cmd.execmd.exe /c run.bat3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Users\Admin\AppData\Local\Temp\svchost.exesvchost.exe4⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\reg.vbs"6⤵
- System Location Discovery: System Language Discovery
PID:2444
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
292B
MD5344f0e480669a6cfd147877470601f46
SHA164a32bcf575b29267f4d2f1f834ce9cb12640dec
SHA256258def3e3c6d2f23d29a96209218ba58f40dbe644938452dcfc48fd113a7bea6
SHA512cd06b8630ac28b936a041566a85dde8f1c799f3dae952540f8bd07845d81ec3dae2f58b12866c9e5c6fdc5357d2cf181e87e61da641f6b2bea46f6ffaa7ef700
-
Filesize
11B
MD5d1c56374fff0243832b8696d133b7861
SHA1f4d236fdec2fd03914189c3b26e5cb0dfea9d761
SHA2568e8eab0b4bfdc35c5f238935b81298e43970ee6818e9629d725297ebf03838a6
SHA512e74cbfc425b9779b79dfb6b53dbf3d1451f9f35a766cc5167932b95c9bdb5288b65f9886fbdf3c3b180bf3a8360bfa1ef577b63e3443cae04b49e7ece433c452