Analysis

max time kernel: 121s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 01/10/2024, 13:04
Static task: static1

Behavioral task: behavioral1
Sample: 05ec50d5b797ebadc39b80f1ba5b5c30_JaffaCakes118.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: 05ec50d5b797ebadc39b80f1ba5b5c30_JaffaCakes118.exe
Resource: win10v2004-20240802-en
General

Target: 05ec50d5b797ebadc39b80f1ba5b5c30_JaffaCakes118.exe
Size: 329KB
MD5: 05ec50d5b797ebadc39b80f1ba5b5c30
SHA1: 15017bc249b7ce9757c5629272d3c1548c290777
SHA256: ea0c5fe5eb6f6c850a9f8364c5f9cb174c93ba9b3ee446d36a99a2a3ea1fff02
SHA512: 95f280e3267daad1cbab64eef4cb556326bb32865dc06f8bed69461d5e4b35e1bf96ae440779fbb8e668befe9014fba591de3d832230b4ded89a08e5b43920f3
SSDEEP: 6144:siMF/X479SEAanPSIv0FB5iSbGqJQjdSHV:sI79SE1lMFmS+dYV
Malware Config
Signatures

Event Triggered Execution: AppInit DLLs (1 TTPs)
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
No IoC rows are listed for this signature.

Executes dropped EXE (1 IoCs)
pid    Process
2076   cpfmqte.exe

Drops file in Program Files directory (2 IoCs)
description    ioc                                 Process
File created   C:\PROGRA~3\Mozilla\cpfmqte.exe     05ec50d5b797ebadc39b80f1ba5b5c30_JaffaCakes118.exe
File created   C:\PROGRA~3\Mozilla\zbgopeh.dll     cpfmqte.exe

System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description    ioc                                                            Process
Key opened     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    05ec50d5b797ebadc39b80f1ba5b5c30_JaffaCakes118.exe
Key opened     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    cpfmqte.exe

Suspicious use of UnmapMainImage (2 IoCs)
pid    Process
2552   05ec50d5b797ebadc39b80f1ba5b5c30_JaffaCakes118.exe
2076   cpfmqte.exe

Suspicious use of WriteProcessMemory (4 IoCs)
description                        pid    Process       procid_target
PID 2100 wrote to memory of 2076   2100   taskeng.exe   31
PID 2100 wrote to memory of 2076   2100   taskeng.exe   31
PID 2100 wrote to memory of 2076   2100   taskeng.exe   31
PID 2100 wrote to memory of 2076   2100   taskeng.exe   31
Processes

C:\Users\Admin\AppData\Local\Temp\05ec50d5b797ebadc39b80f1ba5b5c30_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\05ec50d5b797ebadc39b80f1ba5b5c30_JaffaCakes118.exe"
  PID: 2552
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage

C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {F978D05D-E611-47BA-A6FB-9F5591BB3BDB} S-1-5-18:NT AUTHORITY\System:Service:
  PID: 2100
  - Suspicious use of WriteProcessMemory

  C:\PROGRA~3\Mozilla\cpfmqte.exe (child of taskeng.exe, PID 2100)
    Command line: C:\PROGRA~3\Mozilla\cpfmqte.exe -lecvesj
    PID: 2076
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of UnmapMainImage
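The process tree above is the part of this report worth turning into detection logic: the sample writes cpfmqte.exe into C:\PROGRA~3\Mozilla\, that binary is later started by taskeng.exe (a scheduled task firing), and it in turn writes zbgopeh.dll next to itself. Two caveats a practitioner should keep in mind: the signature is labelled "Program Files directory", but on a default Windows install C:\PROGRA~3 is the 8.3 short name of C:\ProgramData (PROGRA~1 and PROGRA~2 are the two Program Files directories; the mapping depends on creation order, so confirm with `dir /x C:\` on the host), and the AppInit DLLs signature fired without any listed IoC, so the report does not show zbgopeh.dll actually being registered. The following is an added example, not tria.ge output: a small matcher that expands 8.3 prefixes and runs four rules over constructed Sysmon-style events rebuilt from the IoCs above. The event field names, the rule names and the AppInit_DLLs registry write are assumptions of the example, not report data.

```python
r"""Detection rules for the behaviour recorded in this report, run over
constructed Sysmon-style events. Added example, not tria.ge output."""

# 8.3 short names as assigned on a default Windows install. Assumption: the
# mapping depends on directory creation order, so verify it with `dir /x C:\`.
SHORT_NAMES = {
    "c:\\progra~1": "c:\\program files",
    "c:\\progra~2": "c:\\program files (x86)",
    "c:\\progra~3": "c:\\programdata",
}
DROP_DIR = "c:\\programdata\\mozilla\\"  # where the report's two PE files land

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\05ec50d5b797ebadc39b80f1ba5b5c30_JaffaCakes118.exe"
DROPPER = r"C:\PROGRA~3\Mozilla\cpfmqte.exe"


def normalize_path(path: str) -> str:
    """Lower-case a Windows path, strip quotes and expand known 8.3 prefixes."""
    p = path.strip('"').lower()
    for short, full in SHORT_NAMES.items():
        if p.startswith(short):
            return full + p[len(short):]
    return p


def detect(events):
    r"""Return (rule, severity, detail) for every event that matches a rule.

    Rules, derived from the report's signatures and process tree:
      - a PE file created under C:\ProgramData\Mozilla\
      - a binary under that directory started by taskeng.exe (scheduled task)
      - AppInit_DLLs pointed at a DLL under ProgramData (assumed shape of the
        AppInit DLLs signature; the report lists no IoC row for it)
      - the NLS\Language key being opened (informational only: installers and
        legitimate software read it too, so never alert on this alone)
    """
    hits = []
    for e in events:
        kind = e["type"]
        if kind == "file_create":
            target = normalize_path(e["target"])
            if target.startswith(DROP_DIR) and target.rsplit(".", 1)[-1] in ("exe", "dll"):
                hits.append(("pe_dropped_in_programdata_mozilla", "high", target))
        elif kind == "process_create":
            image = normalize_path(e["image"])
            parent = normalize_path(e["parent_image"])
            if image.startswith(DROP_DIR) and parent.endswith("\\taskeng.exe"):
                hits.append(("scheduled_task_runs_programdata_binary", "high", e["cmdline"]))
        elif kind == "registry_set":
            if (e["key"].lower().endswith("\\windows\\appinit_dlls")
                    and "\\programdata\\" in normalize_path(e["value"])):
                hits.append(("appinit_dlls_points_to_programdata", "high", e["value"]))
        elif kind == "registry_open":
            if e["key"].lower().endswith("\\nls\\language"):
                hits.append(("system_language_discovery", "info", e["image"]))
    return hits


# Constructed events rebuilt from the report's IoCs. The registry_set event is
# hypothetical (the report shows no AppInit IoC) and the last two are benign
# noise added to show what the rules ignore.
EVENTS = [
    {"type": "file_create", "image": SAMPLE, "target": DROPPER},
    {"type": "process_create", "image": DROPPER,
     "parent_image": r"C:\Windows\system32\taskeng.exe",
     "cmdline": DROPPER + " -lecvesj"},
    {"type": "file_create", "image": DROPPER, "target": r"C:\PROGRA~3\Mozilla\zbgopeh.dll"},
    {"type": "registry_open", "image": DROPPER,
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
    # Hypothetical: how the AppInit DLLs signature would fire if zbgopeh.dll were registered.
    {"type": "registry_set", "image": DROPPER,
     "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs",
     "value": r"C:\PROGRA~3\Mozilla\zbgopeh.dll"},
    # Benign: PROGRA~1 expands to Program Files, not ProgramData, so no hit.
    {"type": "file_create", "image": r"C:\Users\Admin\Downloads\setup.exe",
     "target": r"C:\PROGRA~1\Mozilla Firefox\firefox.exe"},
    {"type": "process_create", "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for rule, severity, detail in detect(EVENTS):
        print(f"[{severity}] {rule}: {detail}")
```

Run stand-alone it prints five hits (three high, one informational, plus the hypothetical AppInit write) and nothing for the two benign events. The short-name expansion is what keeps the Program Files installer write out of the results; without it, a naive `PROGRA~` substring match would flag both.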
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 329KB
MD5: 893b3925d079dd325e1bd8b2797dc3cb
SHA1: 8317a3b505a5b282588228a99e7ecc4eaa664b7e
SHA256: 3b672cd245b960be8a641a15baad3c2c2b4aa444b91d3518485d0dfded0a0e9c
SHA512: e1bd49701bd5940342869be5c1a715a52a8429b110ad2aa5c1eb3f894a661e1afd02497314e90d6d53c583b3ce63e6720a83a4b292b00db17638b52c81582a02