Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 100s
max time network: 17s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 25/09/2024, 09:56
Static task: static1
Behavioral task: behavioral1 (sample f5c0180c8ebf2d236bd39d142b592c48_JaffaCakes118.exe, resource win7-20240729-en)
Behavioral task: behavioral2 (sample f5c0180c8ebf2d236bd39d142b592c48_JaffaCakes118.exe, resource win10v2004-20240802-en)
General
Target: f5c0180c8ebf2d236bd39d142b592c48_JaffaCakes118.exe
Size: 1.1MB
MD5: f5c0180c8ebf2d236bd39d142b592c48
SHA1: d41fba8c0cd414e1104bceb4556287eff9c5104e
SHA256: bb266b9b427984f57392b6c531c800888e3c4a3c703a407b5e31d2db9a8623d5
SHA512: 7a2295059270969a15e8e78c0de43852b7e71da9de0c4b5e9283abbfc3d8636b2ce1001f4e24baf7393502b3dd039133433012d541eda333e814acef11dff593
SSDEEP: 24576:PsYgCqdtqjeiqkMb/jUMQh+yFmgkS52RWALmce/TkfMaswtkNMB6dw:PNYdtORMbQMS3ogkS52RWAqcy4fMaswd
Malware Config
Signatures
-
Executes dropped EXE (1 IoC)
  pid   Process
  2108  nbinderpro_setup.exe
-
Loads dropped DLL (6 IoCs)
  pid   Process
  2604  f5c0180c8ebf2d236bd39d142b592c48_JaffaCakes118.exe
  2108  nbinderpro_setup.exe (listed 5 times)
-
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                          Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  nbinderpro_setup.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  f5c0180c8ebf2d236bd39d142b592c48_JaffaCakes118.exe
-
NSIS installer (2 IoCs)
  resource                                     yara_rule
  behavioral1/files/0x0008000000016ae9-4.dat   nsis_installer_1
  behavioral1/files/0x0008000000016ae9-4.dat   nsis_installer_2
-
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  2108  nbinderpro_setup.exe
-
Suspicious use of WriteProcessMemory (7 IoCs)
  description                       pid   Process                                              procid_target
  PID 2604 wrote to memory of 2108  2604  f5c0180c8ebf2d236bd39d142b592c48_JaffaCakes118.exe  29  (listed 7 times)
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\f5c0180c8ebf2d236bd39d142b592c48_JaffaCakes118.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\f5c0180c8ebf2d236bd39d142b592c48_JaffaCakes118.exe"
   PID: 2604
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\nbinderpro_setup.exe (child of PID 2604)
      command line: "C:\Users\Admin\AppData\Local\Temp\nbinderpro_setup.exe"
      PID: 2108
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: GetForegroundWindowSpam
-
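All seven "wrote to memory of" IoCs listed under Signatures come from the sample (PID 2604) and all target nbinderpro_setup.exe (PID 2108), the process it launched at level 2 of the tree above. A parent writing into a child it has just created is routinely observed during process creation and when a launcher hands off to a second-stage setup, so on its own it is weak evidence; a write into a process the writer did not create is the pattern that deserves escalation as possible injection. The Python script below is an added example, not part of the tria.ge report or its tooling: it rebuilds the parent/child relationship from the report's process list and classifies each write event accordingly. The PIDs and image names are taken from the report; the explorer.exe process with PID 1234 and the single write into it are constructed additions that do not appear in the report, included to exercise the foreign-write branch.

```python
"""Classify "wrote to memory of" events against the process tree.

Added example, not tria.ge code. A parent writing into a child it created is
routine; a write into a process the writer did not create is the pattern worth
escalating as possible injection.
"""
from collections import Counter, namedtuple

Proc = namedtuple("Proc", "pid ppid image")
Write = namedtuple("Write", "src dst")

# Constructed from the report: PIDs and images as listed in the Processes and
# WriteProcessMemory sections. PID 1234 (explorer.exe) and the final write into
# it are constructed additions that do not appear in the report.
PROCS = [
    Proc(2604, None, "f5c0180c8ebf2d236bd39d142b592c48_JaffaCakes118.exe"),
    Proc(2108, 2604, "nbinderpro_setup.exe"),
    Proc(1234, None, "explorer.exe"),
]
WRITES = [Write(2604, 2108)] * 7 + [Write(2108, 1234)]


def classify_write(write, by_pid):
    """own-child: the target was created by the writer; foreign: any other
    known target; unknown-target: the target pid is not in the process list."""
    dst = by_pid.get(write.dst)
    if dst is None:
        return "unknown-target"
    return "own-child" if dst.ppid == write.src else "foreign"


def summarize(procs, writes):
    """Collapse repeated (src, dst) pairs into (src, dst, kind, count) rows,
    with foreign and unknown-target writes sorted before own-child ones."""
    by_pid = {p.pid: p for p in procs}
    counts = Counter((w.src, w.dst, classify_write(w, by_pid)) for w in writes)
    order = {"foreign": 0, "unknown-target": 1, "own-child": 2}
    return [(src, dst, kind, n) for (src, dst, kind), n in
            sorted(counts.items(), key=lambda kv: (order[kv[0][2]], kv[0][:2]))]


if __name__ == "__main__":
    by_pid = {p.pid: p for p in PROCS}
    for src, dst, kind, n in summarize(PROCS, WRITES):
        print(f"{kind:15} {by_pid[src].image} -> {by_pid[dst].image} x{n}")
```

Run against the report's data alone, every row comes back as own-child with a count of 7; the constructed explorer.exe write is the only row that sorts to the top as foreign.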
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 737B
MD5: fca0661568e5cfcfde275e0f843ac618
SHA1: 15c71f285d5798001cfe6d686bb4b2303aba8d5f
SHA256: 114bf4647ebd77c923ffedf3d3646e94befa5e31f29d0a3518cc2f5b3ea726f3
SHA512: 0b744873ea59bb3b76311bbc80f8c2eeb69e31b9ddfeb7f1632c25c8035776c478f2866636efbae3857ad8ffc4453692ca60bd917c6148bd1ca2121d55e5bdd7
-
Filesize: 600KB
MD5: b97bf60a6d0cd066253d7fb12f43a09b
SHA1: 529d4d3432d361db36b743952ace87f00db445f1
SHA256: c0e585128931bfd43d52c718fe7886c066c8bb992453e3919c348b36ccbe43fc
SHA512: 75933cc38b7e23a8d2556363be1e1a96edb093f4ccbde235856f1602d3eb576cc74d1ea8d9c73a095fb1d6fa711d610230c4f87a8fe3170fa960adaf84fb468b
-
Filesize: 14KB
MD5: 3809b1424d53ccb427c88cabab8b5f94
SHA1: bc74d911216f32a9ca05c0d9b61a2aecfc0d1c0e
SHA256: 426efd56da4014f12ec8ee2e268f86b848bbca776333d55482cb3eb71c744088
SHA512: 626a1c5edd86a71579e42bac8df479184515e6796fa21cb4fad6731bb775641d25f8eb8e86b939b9db9099453e85c572c9ea7897339a3879a1b672bc9226fcee
-
Filesize: 5KB
MD5: 8c909780802ac2097ea4132e6375acd2
SHA1: b35fbda0725d7c66281d5c340b53eb5d54922583
SHA256: c66b568cd675806a499273e3e8aeda350425aac17fc24342ed54e477417cdc0f
SHA512: e94a37c586e55de8b61b427c14a385dcc57f3602d3dace90ad4663609da14a922cb78f76a58ed211549e987ba6f130cf2581eb48bcad2c9c25c6dc93a7ff6d08
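The hash records in the General and Downloads sections are how a result from this report gets cross-checked against a file on disk or in a case archive before it is shared or ingested. The Python script below is an added example, not part of the tria.ge report or its tooling: it parses records in the flattened forms these reports are extracted in (both the fused "MD5<hex>" lines and the form with the algorithm name on one line and the digest on the next), rejects a digest whose length does not fit its algorithm, and matches a byte string against the parsed records only if every digest listed in a record agrees. The first record in the embedded snippet is copied from the first Downloads entry; the second, for a zero-byte file, is constructed so the matcher can be exercised offline without the sample.

```python
"""Parse tria.ge-style hash records and check a file against them.

Added example (not tria.ge code). Handles both flattened forms seen in the
report: "MD5" on one line with the digest on the next, and "MD5<hex>" fused.
"""
import hashlib
import re

# Constructed snippet: the first record is the first "Downloads" entry of the
# report (fused form); the second is a constructed record for a zero-byte file
# (separate-line form) so the matcher can be demonstrated offline.
REPORT_SNIPPET = """\
Filesize
737B
MD5fca0661568e5cfcfde275e0f843ac618
SHA115c71f285d5798001cfe6d686bb4b2303aba8d5f
SHA256114bf4647ebd77c923ffedf3d3646e94befa5e31f29d0a3518cc2f5b3ea726f3
SHA5120b744873ea59bb3b76311bbc80f8c2eeb69e31b9ddfeb7f1632c25c8035776c478f2866636efbae3857ad8ffc4453692ca60bd917c6148bd1ca2121d55e5bdd7
-
Filesize
0B
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
"""

DIGEST_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
# Longest names first so "SHA512<hex>" is never split as "SHA1" + "512<hex>".
FUSED = re.compile(r"^(SHA512|SHA256|SHA1|MD5)([0-9a-fA-F]+)$")
NAMES = {"SHA512", "SHA256", "SHA1", "MD5"}


def parse_records(text):
    """Return a list of dicts like {"filesize": "737B", "md5": ..., "sha1": ...}."""
    records, cur = [], None
    lines = [ln.strip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        line = lines[i]
        if line in ("Filesize", "Size") and i + 1 < len(lines):
            if cur:
                records.append(cur)
            cur = {"filesize": lines[i + 1]}
            i += 2
            continue
        m = FUSED.match(line)
        if m:
            algo, digest = m.group(1).lower(), m.group(2).lower()
        elif line in NAMES and i + 1 < len(lines):
            algo, digest = line.lower(), lines[i + 1].lower()
            i += 1
        else:
            i += 1
            continue
        if len(digest) != DIGEST_LEN[algo] or not re.fullmatch(r"[0-9a-f]+", digest):
            raise ValueError(f"{algo} digest {digest!r} is not {DIGEST_LEN[algo]} hex chars")
        if cur is None:
            cur = {}
        cur[algo] = digest
        i += 1
    if cur:
        records.append(cur)
    return records


def hash_bytes(data):
    """Compute every digest the report lists for the given bytes."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in DIGEST_LEN}


def match_file(data, records):
    """Return the first record all of whose listed digests match `data`, else None.

    Every digest present in a record must agree: a record whose MD5 matches but
    whose SHA256 does not is a mismatch, not a hit.
    """
    actual = hash_bytes(data)
    for rec in records:
        listed = {k: v for k, v in rec.items() if k in DIGEST_LEN}
        if listed and all(actual[k] == v for k, v in listed.items()):
            return rec
    return None


if __name__ == "__main__":
    recs = parse_records(REPORT_SNIPPET)
    for rec in recs:
        print(rec["filesize"], rec["sha256"])
    print("zero-byte file matches a record:", match_file(b"", recs) is not None)
```

The length check matters because the fused form gives no separator between algorithm name and digest; a record with a truncated or over-long digest is far more likely to be an extraction fault than a real hash, and should fail loudly rather than silently never match.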