Analysis
Max time kernel: 118s
Max time network: 119s
Platform: windows7_x64
Resource: win7-20240903-en
Resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
Submitted: 30/09/2024, 14:56
Static task: static1
Behavioral task: behavioral1
  Sample: 01edae7572bd3dcad70155d3b988f63b_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 01edae7572bd3dcad70155d3b988f63b_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: 01edae7572bd3dcad70155d3b988f63b_JaffaCakes118.exe
Size: 258KB
MD5: 01edae7572bd3dcad70155d3b988f63b
SHA1: 54535c80179fad6b92ee7d1378a5865c4c3b3999
SHA256: 3cf9356a4b252073db553cfc05544213078ba8ede54eaa45ab83637d86fdd948
SHA512: f7cb116243da0563f7e4e3cfa73cf6106738bf5e1d9b6a15af615ad284dc8963061889c1ae99a2b4a382e0179b88e32b435683db40559e2f490ec96cd035e0d3
SSDEEP: 6144:d1ZIA0NUuoAzOgv19kwnG+XnRabukHQWpHpshHwipISW:d1+RNUE9kwnGqR/kwsJ5SW
Malware Config
Extracted
xloader
2.3
enmm
westcorinnewater.com
secretosdebolsa.com
carolineeyguthrie.com
fuzion.events
reatour.com
alertfirerescue.com
gd-dw.com
christian-glass.com
herbandflour.com
ttingjab.com
xn--gmq18di80c2lb.com
usabilitykitchen.com
liverpoolbeautyco.com
yyb.one
egeemlak.net
news-crunch.com
johneflix.com
lionlegalsolutions.com
doikatsuman.net
cyberlegalofficer.com
carlinjacob.com
viiokey.com
lajm365.com
behind-the-pink-door.com
33cobblestone.com
merdoryinternational.com
caraccidentslawyernearme.com
advantagewow.com
ndblife.com
kingdom-kutz.com
sportizza.com
castellhotelec.com
saintroleplay.com
urbanaffirmation-active.com
formaciondixital.com
superocr.com
equipmentmarketexchange.com
westherrcars.com
kinstabilling.com
loyallane.com
ntxfalcons.com
capexc.com
fantasticmoment.com
ambassea.com
roofs2gousa.com
abrosnm3.com
kylecandoit.com
sfdema.com
sinmobile.com
alittleforkedup.com
cordeliapiano.com
theorchardrealestate.com
vrindaarticles.com
onesave.club
fedcoach.info
swavedon.com
disordered.media
pepsngo.net
feeltel.com
idowasd.com
8zx4p2kfxx965.net
celfcentrodeformacao.com
xxq238.com
188ciervo.com
lovecarder.com
Signatures

Xloader payload (2 IoCs)
  resource                                                                    yara_rule
  behavioral1/memory/2320-10-0x0000000000400000-0x0000000000429000-memory.dmp  xloader
  behavioral1/memory/2320-6-0x0000000000400000-0x0000000000429000-memory.dmp   xloader

Suspicious use of SetThreadContext (1 IoC)
  description                              pid   Process                                             procid_target
  PID 2816 set thread context of 2320      2816  01edae7572bd3dcad70155d3b988f63b_JaffaCakes118.exe  31

Program crash (1 IoC)
  pid   pid_target  Process        procid_target
  2344  2320        WerFault.exe   31
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                        Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  01edae7572bd3dcad70155d3b988f63b_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  01edae7572bd3dcad70155d3b988f63b_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description               pid   Process
  Token: SeDebugPrivilege   2816  01edae7572bd3dcad70155d3b988f63b_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description                          pid   Process                                             procid_target
  PID 2816 wrote to memory of 2320     2816  01edae7572bd3dcad70155d3b988f63b_JaffaCakes118.exe  31
  PID 2816 wrote to memory of 2320     2816  01edae7572bd3dcad70155d3b988f63b_JaffaCakes118.exe  31
  PID 2816 wrote to memory of 2320     2816  01edae7572bd3dcad70155d3b988f63b_JaffaCakes118.exe  31
  PID 2816 wrote to memory of 2320     2816  01edae7572bd3dcad70155d3b988f63b_JaffaCakes118.exe  31
  PID 2816 wrote to memory of 2320     2816  01edae7572bd3dcad70155d3b988f63b_JaffaCakes118.exe  31
  PID 2816 wrote to memory of 2320     2816  01edae7572bd3dcad70155d3b988f63b_JaffaCakes118.exe  31
  PID 2816 wrote to memory of 2320     2816  01edae7572bd3dcad70155d3b988f63b_JaffaCakes118.exe  31
  PID 2816 wrote to memory of 2320     2816  01edae7572bd3dcad70155d3b988f63b_JaffaCakes118.exe  31
  PID 2320 wrote to memory of 2344     2320  01edae7572bd3dcad70155d3b988f63b_JaffaCakes118.exe  32
  PID 2320 wrote to memory of 2344     2320  01edae7572bd3dcad70155d3b988f63b_JaffaCakes118.exe  32
  PID 2320 wrote to memory of 2344     2320  01edae7572bd3dcad70155d3b988f63b_JaffaCakes118.exe  32
  PID 2320 wrote to memory of 2344     2320  01edae7572bd3dcad70155d3b988f63b_JaffaCakes118.exe  32
Processes

1. C:\Users\Admin\AppData\Local\Temp\01edae7572bd3dcad70155d3b988f63b_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\01edae7572bd3dcad70155d3b988f63b_JaffaCakes118.exe"
   PID: 2816
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\01edae7572bd3dcad70155d3b988f63b_JaffaCakes118.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\01edae7572bd3dcad70155d3b988f63b_JaffaCakes118.exe"
      PID: 2320
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 36
         PID: 2344
         - Program crash