Analysis
- max time kernel: 150s
- max time network: 127s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 25/09/2024, 19:58
Static task: static1
Behavioral task: behavioral1
- Sample: f6c20990f3634ca6bb129f1838934752_JaffaCakes118.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: f6c20990f3634ca6bb129f1838934752_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: f6c20990f3634ca6bb129f1838934752_JaffaCakes118.exe
- Size: 351KB
- MD5: f6c20990f3634ca6bb129f1838934752
- SHA1: 7a2dc769b5aecd6ea98dfc1814a633d23e8a0450
- SHA256: 9f204f2742254624026ae6fb7f416f1780d76ff2850c87de089a287c648ab3d5
- SHA512: 8c305ebf8aa9109c05de73f11ec2fdc6f23833feb0f0bb50c6509b78b0b3a3062ed8b0687bdb59734bbd42c279b0dc347467a4f6f16de6eb8e8e9d501161367e
- SSDEEP: 6144:Z3c4cg0RO2MjR63xbvpjEB14sVo5d53XJJYAW1MISGSFcov:ZiBTMo3xbvpoa5T35JjWrSGecQ
Malware Config
Signatures

Deletes itself (1 IoC)
- PID 2476, Process Sxu9BxujZhXvD9H.exe

Executes dropped EXE (2 IoCs)
- PID 2724, Process Sxu9BxujZhXvD9H.exe
- PID 2476, Process Sxu9BxujZhXvD9H.exe

Loads dropped DLL (5 IoCs)
- PID 2128, Process f6c20990f3634ca6bb129f1838934752_JaffaCakes118.exe
- PID 2128, Process f6c20990f3634ca6bb129f1838934752_JaffaCakes118.exe
- PID 2128, Process f6c20990f3634ca6bb129f1838934752_JaffaCakes118.exe
- PID 2724, Process Sxu9BxujZhXvD9H.exe
- PID 2476, Process Sxu9BxujZhXvD9H.exe

Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\qUdwInZTmqzt = "C:\\ProgramData\\kdf5FJqKL\\Sxu9BxujZhXvD9H.exe" (Process: f6c20990f3634ca6bb129f1838934752_JaffaCakes118.exe)

Suspicious use of SetThreadContext (3 IoCs)
- PID 2656 (f6c20990f3634ca6bb129f1838934752_JaffaCakes118.exe) set thread context of PID 2128; procid_target 30
- PID 2724 (Sxu9BxujZhXvD9H.exe) set thread context of PID 2476; procid_target 32
- PID 2476 (Sxu9BxujZhXvD9H.exe) set thread context of PID 2580; procid_target 33

System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: f6c20990f3634ca6bb129f1838934752_JaffaCakes118.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: f6c20990f3634ca6bb129f1838934752_JaffaCakes118.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: Sxu9BxujZhXvD9H.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: Sxu9BxujZhXvD9H.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: GoogleUpdateCore.exe)

Suspicious use of WriteProcessMemory (25 IoCs)
- PID 2656 (f6c20990f3634ca6bb129f1838934752_JaffaCakes118.exe) wrote to memory of PID 2128; procid_target 30 (6 entries)
- PID 2128 (f6c20990f3634ca6bb129f1838934752_JaffaCakes118.exe) wrote to memory of PID 2724; procid_target 31 (4 entries)
- PID 2724 (Sxu9BxujZhXvD9H.exe) wrote to memory of PID 2476; procid_target 32 (6 entries)
- PID 2476 (Sxu9BxujZhXvD9H.exe) wrote to memory of PID 2580; procid_target 33 (9 entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\f6c20990f3634ca6bb129f1838934752_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f6c20990f3634ca6bb129f1838934752_JaffaCakes118.exe"
   PID: 2656
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\f6c20990f3634ca6bb129f1838934752_JaffaCakes118.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\f6c20990f3634ca6bb129f1838934752_JaffaCakes118.exe"
      PID: 2128
      - Loads dropped DLL
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\ProgramData\kdf5FJqKL\Sxu9BxujZhXvD9H.exe
         Command line: "C:\ProgramData\kdf5FJqKL\Sxu9BxujZhXvD9H.exe"
         PID: 2724
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of SetThreadContext
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

         4. C:\ProgramData\kdf5FJqKL\Sxu9BxujZhXvD9H.exe
            Command line: "C:\ProgramData\kdf5FJqKL\Sxu9BxujZhXvD9H.exe"
            PID: 2476
            - Deletes itself
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            5. C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
               Command line: "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe" /i:2476
               PID: 2580
               - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 351KB
- MD5: f6c20990f3634ca6bb129f1838934752
- SHA1: 7a2dc769b5aecd6ea98dfc1814a633d23e8a0450
- SHA256: 9f204f2742254624026ae6fb7f416f1780d76ff2850c87de089a287c648ab3d5
- SHA512: 8c305ebf8aa9109c05de73f11ec2fdc6f23833feb0f0bb50c6509b78b0b3a3062ed8b0687bdb59734bbd42c279b0dc347467a4f6f16de6eb8e8e9d501161367e