Analysis
  max time kernel: 120s
  max time network: 121s
  platform: windows7_x64
  resource: win7-20240903-en
  resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted: 01/10/2024, 15:43
Static task
  static1
Behavioral task
  behavioral1
    Sample: 066379a9af88d64098e3bd8a389e4435_JaffaCakes118.exe
    Resource: win7-20240903-en
Behavioral task
  behavioral2
    Sample: 066379a9af88d64098e3bd8a389e4435_JaffaCakes118.exe
    Resource: win10v2004-20240802-en
General
  Target: 066379a9af88d64098e3bd8a389e4435_JaffaCakes118.exe
  Size: 544KB
  MD5: 066379a9af88d64098e3bd8a389e4435
  SHA1: 083dbf6eb2ebad53656121807241712dea3a7e00
  SHA256: 4ca5954a9ef7895b7b14e8c9cc43e71e1ee746f2acec0d2646cd9875b1c2bba8
  SHA512: 85d460e1175eb4b4b8d14989014651d2476b865bfe5eb3a2badbc511383fcf7eca8816c0d193cbb37be40883e0b141d3329c7a7d9001a354bd385a59d9516580
  SSDEEP: 12288:FytbV3kSoXaLnToslHWJpuuR9DCSn9UNejsfkfymqXGZj1Az5sD0:Eb5kSYaLTVlH8ptlCSn9LjsfUyd2ZjSf
Malware Config
Signatures
  Deletes itself (1 IoCs)
    pid   Process
    2684  cmd.exe
  System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 2 IoCs)
    Adversaries may check for Internet connectivity on compromised systems.
    pid   Process
    2684  cmd.exe
    2844  PING.EXE
  Runs ping.exe (1 TTPs, 1 IoCs)
    pid   Process
    2844  PING.EXE
  Suspicious behavior: EnumeratesProcesses (2 IoCs)
    pid   Process
    1620  066379a9af88d64098e3bd8a389e4435_JaffaCakes118.exe
    1620  066379a9af88d64098e3bd8a389e4435_JaffaCakes118.exe
  Suspicious use of AdjustPrivilegeToken (1 IoCs)
    description              pid   Process
    Token: SeDebugPrivilege  1620  066379a9af88d64098e3bd8a389e4435_JaffaCakes118.exe
  Suspicious use of WriteProcessMemory (6 IoCs)
    description                       pid   Process                                              procid_target
    PID 1620 wrote to memory of 2684  1620  066379a9af88d64098e3bd8a389e4435_JaffaCakes118.exe  30
    PID 1620 wrote to memory of 2684  1620  066379a9af88d64098e3bd8a389e4435_JaffaCakes118.exe  30
    PID 1620 wrote to memory of 2684  1620  066379a9af88d64098e3bd8a389e4435_JaffaCakes118.exe  30
    PID 2684 wrote to memory of 2844  2684  cmd.exe                                              32
    PID 2684 wrote to memory of 2844  2684  cmd.exe                                              32
    PID 2684 wrote to memory of 2844  2684  cmd.exe                                              32
Processes
  C:\Users\Admin\AppData\Local\Temp\066379a9af88d64098e3bd8a389e4435_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\066379a9af88d64098e3bd8a389e4435_JaffaCakes118.exe"
    PID: 1620
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\cmd.exe
      Command line: cmd.exe /C ping 1.1.1.1 -n 1 -w 6000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\066379a9af88d64098e3bd8a389e4435_JaffaCakes118.exe"
      PID: 2684
      - Deletes itself
      - System Network Configuration Discovery: Internet Connection Discovery
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\PING.EXE
        Command line: ping 1.1.1.1 -n 1 -w 6000
        PID: 2844
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe