Analysis
- max time kernel: 19s
- max time network: 16s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 19/09/2024, 06:39
Static task: static1
Behavioral task: behavioral1
  Sample: eac6a3591dcf8489a54a18fb5fa92b8c_JaffaCakes118.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: eac6a3591dcf8489a54a18fb5fa92b8c_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
- Target: eac6a3591dcf8489a54a18fb5fa92b8c_JaffaCakes118.exe
- Size: 2.1MB
- MD5: eac6a3591dcf8489a54a18fb5fa92b8c
- SHA1: fe57a970c24d49ae996168baf5e5497a8cd26e1a
- SHA256: 9635b597491f5d3cb1fa30bb5325a12566efb8f217a9c898bb13e9d9e3e02224
- SHA512: 0324dc0b04ab3d311f79469faa05b119bc30e3bd248c68a9620768ec6fff1f583f6de42abf80238efa2e9c9df1b63337adc255bc1f0202c5ea5355d8f14100a3
- SSDEEP: 24576:5Z/gsBHsPLAqp80VMzn9m+Y5CnkXnrmV9/+RcKFFcBgfkKkChmyzTcCeJjAKlxiB:r/g4HsNp8n9wInkw/ShhmyzQWS+
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid   Process
  2304  WindowsUpdateApplication.exe
  2280  14405.exe
- Loads dropped DLL (1 IoC)
  pid   Process
  2380  eac6a3591dcf8489a54a18fb5fa92b8c_JaffaCakes118.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                            Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   eac6a3591dcf8489a54a18fb5fa92b8c_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   14405.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  2304  WindowsUpdateApplication.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                        pid   Process                                              procid_target
  PID 2380 wrote to memory of 2304   2380  eac6a3591dcf8489a54a18fb5fa92b8c_JaffaCakes118.exe  29
  PID 2380 wrote to memory of 2304   2380  eac6a3591dcf8489a54a18fb5fa92b8c_JaffaCakes118.exe  29
  PID 2380 wrote to memory of 2304   2380  eac6a3591dcf8489a54a18fb5fa92b8c_JaffaCakes118.exe  29
  PID 2380 wrote to memory of 2304   2380  eac6a3591dcf8489a54a18fb5fa92b8c_JaffaCakes118.exe  29
  PID 2304 wrote to memory of 2280   2304  WindowsUpdateApplication.exe                         30
  PID 2304 wrote to memory of 2280   2304  WindowsUpdateApplication.exe                         30
  PID 2304 wrote to memory of 2280   2304  WindowsUpdateApplication.exe                         30
  PID 2304 wrote to memory of 2280   2304  WindowsUpdateApplication.exe                         30
Processes
- C:\Users\Admin\AppData\Local\Temp\eac6a3591dcf8489a54a18fb5fa92b8c_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\eac6a3591dcf8489a54a18fb5fa92b8c_JaffaCakes118.exe"
  PID: 2380
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\WindowsUpdateApplication.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\\WindowsUpdateApplication.exe
    PID: 2304
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\iTV2HwOA\14405.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\iTV2HwOA\14405.exe"
      PID: 2280
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.2MB
  MD5: 7d5e861227157521ecb0e6ae9f573043
  SHA1: 7a7b66f65ae70d49386a77eea177ddbc6a775c00
  SHA256: 3ada214d162f2019e22c4d1f9ee613a60f9616f6e5c25bd52f0fab683da77897
  SHA512: 7b82274a6e48a40b5e5d0377d2e115372efd187193e6de21efcf76ab7b00036bfef5c547985f452cfff0773b751cf34736d94f592636ce88b51cc22e58eabd7d
- Filesize: 1.3MB
  MD5: ffbfe221230b32ef116bd262301f15e6
  SHA1: accafd9ef0d05357a045b8bad6da0e203521e607
  SHA256: bdb86cd16b95fa7d991996e0a3342e4c8c87854f7f3998b89ea9a28090d06c4c
  SHA512: 97d3d46c28c955b6599a207a5d464e3dbea6b46d5e5acaa1d89e25bfa8217641855bcd9e63669858d128157beb35353b680729fbf27e33b09209acc9dcd3e006