Analysis
- max time kernel: 150s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 21/09/2024, 04:31
Static task: static1
Behavioral task: behavioral1
- Sample: ef121dbf59f5486348c3398f4f84cbd1_JaffaCakes118.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: ef121dbf59f5486348c3398f4f84cbd1_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: ef121dbf59f5486348c3398f4f84cbd1_JaffaCakes118.exe
- Size: 529KB
- MD5: ef121dbf59f5486348c3398f4f84cbd1
- SHA1: a9caeb05b4c0d8df6ded2972db08407c27b7b9cb
- SHA256: 2d3960b135fd2036f5f21705148f94e5defac00241c90e5569787bf59bec80f1
- SHA512: 85ba3745c1f928827b9f7333c541843e25b43431856270eb7403a3a893c24f331512a123b132121a75cdee3279aaaf8299fea341f8e0b5f2786e8c356b9463e9
- SSDEEP: 12288:9fCCGiEGLUSA0fyPe97Dr7vuU14KuzJxv0:9fIGLUSA0mG/B14Ku/v
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 2652, process pE01803ImFpA01803.exe
- Executes dropped EXE (1 IoC)
  pid 2652, process pE01803ImFpA01803.exe
- Loads dropped DLL (2 IoCs)
  pid 2480, process ef121dbf59f5486348c3398f4f84cbd1_JaffaCakes118.exe (2 entries)
- yara_rule upx matched in memory dumps (resource matches)
  behavioral1/memory/2480-2-0x0000000000400000-0x00000000004D9000-memory.dmp
  behavioral1/memory/2480-20-0x0000000000400000-0x00000000004C2000-memory.dmp
  behavioral1/memory/2480-19-0x0000000000400000-0x00000000004D9000-memory.dmp
  behavioral1/memory/2652-23-0x0000000000400000-0x00000000004D9000-memory.dmp
  behavioral1/memory/2652-32-0x0000000000400000-0x00000000004D9000-memory.dmp
  behavioral1/memory/2652-42-0x0000000000400000-0x00000000004D9000-memory.dmp
  behavioral1/memory/2652-55-0x0000000000400000-0x00000000004D9000-memory.dmp
  behavioral1/memory/2652-56-0x0000000000400000-0x00000000004D9000-memory.dmp
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pE01803ImFpA01803 = "C:\\ProgramData\\pE01803ImFpA01803\\pE01803ImFpA01803.exe", process pE01803ImFpA01803.exe
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process ef121dbf59f5486348c3398f4f84cbd1_JaffaCakes118.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process pE01803ImFpA01803.exe
- Modifies Internet Explorer settings (1 IoC)
  Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main, process pE01803ImFpA01803.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 2480, process ef121dbf59f5486348c3398f4f84cbd1_JaffaCakes118.exe (1 entry)
  pid 2652, process pE01803ImFpA01803.exe (remaining 63 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 2480, process ef121dbf59f5486348c3398f4f84cbd1_JaffaCakes118.exe
  Token: SeDebugPrivilege, pid 2652, process pE01803ImFpA01803.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid 2652, process pE01803ImFpA01803.exe (2 entries)
- Suspicious use of SendNotifyMessage (2 IoCs)
  pid 2652, process pE01803ImFpA01803.exe (2 entries)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 2652, process pE01803ImFpA01803.exe (2 entries)
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 2480 (ef121dbf59f5486348c3398f4f84cbd1_JaffaCakes118.exe) wrote to memory of PID 2652, procid_target 30 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\ef121dbf59f5486348c3398f4f84cbd1_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ef121dbf59f5486348c3398f4f84cbd1_JaffaCakes118.exe"
  PID: 2480
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child process: C:\ProgramData\pE01803ImFpA01803\pE01803ImFpA01803.exe
    Command line: "C:\ProgramData\pE01803ImFpA01803\pE01803ImFpA01803.exe" "C:\Users\Admin\AppData\Local\Temp\ef121dbf59f5486348c3398f4f84cbd1_JaffaCakes118.exe"
    PID: 2652
    - Deletes itself
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 192B
  MD5: 9808a76c3e5f470be6c994521252d76d
  SHA1: 84be336ab794ae373627e773f5d18bdf067aaa43
  SHA256: 388b04e757dc5198f1e70662580c1f1519325b71a3fae544b7fd2f20472beee4
  SHA512: 85c8a48152988b7ddb05e3c264bedd10ab23974656e343ca128fbe432992bc666efd4a292ee4e90ec1e773ffe546b5d124a18cef6e561ce3ce6d8cc4ed3c10e8
- Filesize: 529KB
  MD5: 15777eb5b65b39e2578f25279998fa44
  SHA1: 6dfc398657a3b6694e112f2fee44724cee37ee01
  SHA256: 3aaec709243f56553f6816dbed2eae23f3f7b1a300626c90adee06a023dda88a
  SHA512: 18744bd1d8d4f27ddaea0315272496be403ab48da180d21564f81c8557c85b0be42e795bc9282e212b3fb94f8e85c3789de4d05d4a302eac7ab2781f275c47be