Analysis
- max time kernel: 142s
- max time network: 134s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 19/09/2024, 17:25
Static task: static1
Behavioral task: behavioral1
- Sample: ebd5d2e9b6d427c0a1486b1e0451d163_JaffaCakes118.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: ebd5d2e9b6d427c0a1486b1e0451d163_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: ebd5d2e9b6d427c0a1486b1e0451d163_JaffaCakes118.exe
- Size: 640KB
- MD5: ebd5d2e9b6d427c0a1486b1e0451d163
- SHA1: 724226def939963715766f62b81e0b78d99a068d
- SHA256: 7c7e02b9796d58e2f856b67f51a5f8bdac59e26dce62b57f70f3e70c62fd8d04
- SHA512: 49158fada4a4178de25e69354cb9751599f114b03822716b82ddddd3d2e511745029acb335577b1fdfd9f7c247cae91c7c4562fd2bdd6ab185580580199c1a55
- SSDEEP: 12288:JO5hD60H3gk2KKYaFywyQVZeJVQwF3Z4mxxD/YkHtc16EEhhpVyF:Y5hD60LO/VZbwQmXD/YkHS14DLyF
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid   Process
  2692  cmd.exe
- Executes dropped EXE (1 IoC)
  pid   Process
  2412  agenter.exe
- Drops file in Windows directory (3 IoCs)
  description                   ioc                             Process
  File created                  C:\Windows\msagent\agenter.exe  ebd5d2e9b6d427c0a1486b1e0451d163_JaffaCakes118.exe
  File opened for modification  C:\Windows\msagent\agenter.exe  ebd5d2e9b6d427c0a1486b1e0451d163_JaffaCakes118.exe
  File created                  C:\Windows\uninstal.bat         ebd5d2e9b6d427c0a1486b1e0451d163_JaffaCakes118.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ebd5d2e9b6d427c0a1486b1e0451d163_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  agenter.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1984  ebd5d2e9b6d427c0a1486b1e0451d163_JaffaCakes118.exe
  Token: SeDebugPrivilege  2412  agenter.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid   Process
  2412  agenter.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  description                       pid   Process                                              procid_target
  PID 1984 wrote to memory of 2692  1984  ebd5d2e9b6d427c0a1486b1e0451d163_JaffaCakes118.exe  32  (7 identical entries)
  PID 2412 wrote to memory of 2864  2412  agenter.exe                                          31  (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\ebd5d2e9b6d427c0a1486b1e0451d163_JaffaCakes118.exe (level 1, PID 1984)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ebd5d2e9b6d427c0a1486b1e0451d163_JaffaCakes118.exe"
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (level 2, PID 2692)
    Command line: cmd /c C:\Windows\uninstal.bat
    - Deletes itself
    - System Location Discovery: System Language Discovery
- C:\Windows\msagent\agenter.exe (level 1, PID 2412)
  Command line: C:\Windows\msagent\agenter.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Internet Explorer\IEXPLORE.EXE (level 2, PID 2864)
    Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 640KB
  MD5: ebd5d2e9b6d427c0a1486b1e0451d163
  SHA1: 724226def939963715766f62b81e0b78d99a068d
  SHA256: 7c7e02b9796d58e2f856b67f51a5f8bdac59e26dce62b57f70f3e70c62fd8d04
  SHA512: 49158fada4a4178de25e69354cb9751599f114b03822716b82ddddd3d2e511745029acb335577b1fdfd9f7c247cae91c7c4562fd2bdd6ab185580580199c1a55
- Filesize: 218B
  MD5: a2c7385e55db633d4f2b69ab4ce51385
  SHA1: 94729b88188922a108e8324e9ef6d14c838cbfcc
  SHA256: c4fb9c4f2fd8f50e1a26326da7b24922fc22ce41dd2601c6ccf4c8c3b714e0e6
  SHA512: 20898ff60b9dcdeee9d3438346a5d5c49dcfba8322f5346de62195cd4190809f67ff84fa83b937c52e9c6e4fa8224f23b61d7c69dbcebc0f192d1b0f3caf0aab