Analysis
max time kernel: 149s
max time network: 118s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 02/10/2024, 05:19
Static task: static1
Behavioral task: behavioral1
  Sample: 09124d57a418b3c3fffbb6a215f002d3_JaffaCakes118.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 09124d57a418b3c3fffbb6a215f002d3_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: 09124d57a418b3c3fffbb6a215f002d3_JaffaCakes118.exe
Size: 20KB
MD5: 09124d57a418b3c3fffbb6a215f002d3
SHA1: f2e52c955cdee51ab43cb956c6ad7bfd6613c29d
SHA256: ab2ace673c6a0adc090d38f821fa6e742b489e95cc5157e1544a6ffcea74c1e0
SHA512: 5d3c9ecf77b34aeb5acef4ee68f76565f5c693b521c7cdb2d5dd4f05ecc58bbfab597cb3e7f605d17f7819c066cd4ecf813e17ae0afe567ef23bea4a2d71caa8
SSDEEP: 192:8R7AXojFG5rCbaNaiLGpKLb2QUFicDswJ+6UCc5v9/1F2sWJ5M8o93C8CcVETGWR:t4jFG6DjpKHGMcDs8Uxnfkq8o9XuiK7
Malware Config
Signatures

Deletes itself (1 IoC)
  pid   Process
  2168  svchost.exe

Executes dropped EXE (1 IoC)
  pid   Process
  2996  csrcs.exe

Loads dropped DLL (2 IoCs)
  pid   Process
  2168  svchost.exe
  2168  svchost.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrcs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\csrcs.exe"
  Process: svchost.exe

Suspicious use of SetThreadContext (2 IoCs)
  description                          pid   Process                                             procid_target
  PID 1960 set thread context of 2168  1960  09124d57a418b3c3fffbb6a215f002d3_JaffaCakes118.exe  30
  PID 2996 set thread context of 2848  2996  csrcs.exe                                           32
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svchost.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  csrcs.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svchost.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  09124d57a418b3c3fffbb6a215f002d3_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (20 IoCs)
  description                       pid   Process                                             procid_target
  PID 1960 wrote to memory of 2168  1960  09124d57a418b3c3fffbb6a215f002d3_JaffaCakes118.exe  30
  PID 1960 wrote to memory of 2168  1960  09124d57a418b3c3fffbb6a215f002d3_JaffaCakes118.exe  30
  PID 1960 wrote to memory of 2168  1960  09124d57a418b3c3fffbb6a215f002d3_JaffaCakes118.exe  30
  PID 1960 wrote to memory of 2168  1960  09124d57a418b3c3fffbb6a215f002d3_JaffaCakes118.exe  30
  PID 1960 wrote to memory of 2168  1960  09124d57a418b3c3fffbb6a215f002d3_JaffaCakes118.exe  30
  PID 1960 wrote to memory of 2168  1960  09124d57a418b3c3fffbb6a215f002d3_JaffaCakes118.exe  30
  PID 1960 wrote to memory of 2168  1960  09124d57a418b3c3fffbb6a215f002d3_JaffaCakes118.exe  30
  PID 1960 wrote to memory of 2168  1960  09124d57a418b3c3fffbb6a215f002d3_JaffaCakes118.exe  30
  PID 2168 wrote to memory of 2996  2168  svchost.exe                                         31
  PID 2168 wrote to memory of 2996  2168  svchost.exe                                         31
  PID 2168 wrote to memory of 2996  2168  svchost.exe                                         31
  PID 2168 wrote to memory of 2996  2168  svchost.exe                                         31
  PID 2996 wrote to memory of 2848  2996  csrcs.exe                                           32
  PID 2996 wrote to memory of 2848  2996  csrcs.exe                                           32
  PID 2996 wrote to memory of 2848  2996  csrcs.exe                                           32
  PID 2996 wrote to memory of 2848  2996  csrcs.exe                                           32
  PID 2996 wrote to memory of 2848  2996  csrcs.exe                                           32
  PID 2996 wrote to memory of 2848  2996  csrcs.exe                                           32
  PID 2996 wrote to memory of 2848  2996  csrcs.exe                                           32
  PID 2996 wrote to memory of 2848  2996  csrcs.exe                                           32
Processes

C:\Users\Admin\AppData\Local\Temp\09124d57a418b3c3fffbb6a215f002d3_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\09124d57a418b3c3fffbb6a215f002d3_JaffaCakes118.exe"
  PID: 1960
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\svchost.exe
    command line: svchost.exe
    PID: 2168
    - Deletes itself
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\csrcs.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\csrcs.exe"
      PID: 2996
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\svchost.exe
        command line: svchost.exe
        PID: 2848
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 20KB
MD5: 09124d57a418b3c3fffbb6a215f002d3
SHA1: f2e52c955cdee51ab43cb956c6ad7bfd6613c29d
SHA256: ab2ace673c6a0adc090d38f821fa6e742b489e95cc5157e1544a6ffcea74c1e0
SHA512: 5d3c9ecf77b34aeb5acef4ee68f76565f5c693b521c7cdb2d5dd4f05ecc58bbfab597cb3e7f605d17f7819c066cd4ecf813e17ae0afe567ef23bea4a2d71caa8