Analysis
- max time kernel: 120s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 19/09/2024, 06:22
Static task
- static1

Behavioral task
- behavioral1
  - Sample: eac050822db1aa99525c558710a10890_JaffaCakes118.exe
  - Resource: win7-20240903-en

Behavioral task
- behavioral2
  - Sample: eac050822db1aa99525c558710a10890_JaffaCakes118.exe
  - Resource: win10v2004-20240802-en
General
- Target: eac050822db1aa99525c558710a10890_JaffaCakes118.exe
- Size: 292KB
- MD5: eac050822db1aa99525c558710a10890
- SHA1: f6acbf828316d9715e2f1d6326107bef3608c3da
- SHA256: 835315b4c0b0f6f2086e1304167bc6d60ef05312bd2ac41591ab58baeaa6e5eb
- SHA512: 16f7f93a38fe49e46dea4113502c8378a15f6dc03a58d3036f110e681be6f3a27e2e409e9c28488c93ee20fe22ec8128f5d3f98ed8956e1b93c57218a18ca59e
- SSDEEP: 6144:/bXE9OiTGfhEClq9lPAav5NR1vopNPagyaSl/I6tV/:jU9XiuiOBV0hSxL
Malware Config
Signatures

Drops file in Drivers directory (1 IoCs)

| description | ioc | Process |
|---|---|---|
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | cmd.exe |

Executes dropped EXE (1 IoCs)

| pid | Process |
|---|---|
| 2764 | i144.exe |

Loads dropped DLL (2 IoCs)

| pid | Process |
|---|---|
| 2536 | eac050822db1aa99525c558710a10890_JaffaCakes118.exe |
| 2536 | eac050822db1aa99525c558710a10890_JaffaCakes118.exe |

Drops file in Program Files directory (5 IoCs)

| description | ioc | Process |
|---|---|---|
| File opened for modification | C:\Program Files (x86)\ololo\test5.bat | eac050822db1aa99525c558710a10890_JaffaCakes118.exe |
| File opened for modification | C:\Program Files (x86)\ololo\p.txt | eac050822db1aa99525c558710a10890_JaffaCakes118.exe |
| File opened for modification | C:\Program Files (x86)\ololo\3t.jpg | DllHost.exe |
| File opened for modification | C:\Program Files (x86)\ololo\3t.jpg | eac050822db1aa99525c558710a10890_JaffaCakes118.exe |
| File opened for modification | C:\Program Files (x86)\ololo\i144.exe | eac050822db1aa99525c558710a10890_JaffaCakes118.exe |

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | eac050822db1aa99525c558710a10890_JaffaCakes118.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DllHost.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regedit.exe |
Runs .reg file with regedit (1 IoCs)

| pid | Process |
|---|---|
| 2928 | regedit.exe |

Suspicious use of FindShellTrayWindow (1 IoCs)

| pid | Process |
|---|---|
| 2064 | DllHost.exe |

Suspicious use of WriteProcessMemory (12 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 2536 wrote to memory of 2824 | 2536 | eac050822db1aa99525c558710a10890_JaffaCakes118.exe | 31 |
| PID 2536 wrote to memory of 2824 | 2536 | eac050822db1aa99525c558710a10890_JaffaCakes118.exe | 31 |
| PID 2536 wrote to memory of 2824 | 2536 | eac050822db1aa99525c558710a10890_JaffaCakes118.exe | 31 |
| PID 2536 wrote to memory of 2824 | 2536 | eac050822db1aa99525c558710a10890_JaffaCakes118.exe | 31 |
| PID 2536 wrote to memory of 2764 | 2536 | eac050822db1aa99525c558710a10890_JaffaCakes118.exe | 33 |
| PID 2536 wrote to memory of 2764 | 2536 | eac050822db1aa99525c558710a10890_JaffaCakes118.exe | 33 |
| PID 2536 wrote to memory of 2764 | 2536 | eac050822db1aa99525c558710a10890_JaffaCakes118.exe | 33 |
| PID 2536 wrote to memory of 2764 | 2536 | eac050822db1aa99525c558710a10890_JaffaCakes118.exe | 33 |
| PID 2824 wrote to memory of 2928 | 2824 | cmd.exe | 35 |
| PID 2824 wrote to memory of 2928 | 2824 | cmd.exe | 35 |
| PID 2824 wrote to memory of 2928 | 2824 | cmd.exe | 35 |
| PID 2824 wrote to memory of 2928 | 2824 | cmd.exe | 35 |
Processes

- C:\Users\Admin\AppData\Local\Temp\eac050822db1aa99525c558710a10890_JaffaCakes118.exe (PID 2536)
  Command line: "C:\Users\Admin\AppData\Local\Temp\eac050822db1aa99525c558710a10890_JaffaCakes118.exe"
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2824)
    Command line: cmd /c ""C:\Program Files (x86)\ololo\test5.bat" "
    - Drops file in Drivers directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\regedit.exe (PID 2928)
      Command line: regedit -s snapshot.reg
      - System Location Discovery: System Language Discovery
      - Runs .reg file with regedit
  - C:\Program Files (x86)\ololo\i144.exe (PID 2764)
    Command line: "C:\Program Files (x86)\ololo\i144.exe"
    - Executes dropped EXE
- C:\Windows\SysWOW64\DllHost.exe (PID 2064)
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15
Downloads