Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
117s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
02/10/2024, 12:17
Static task
static1
Behavioral task
behavioral1
Sample
0a9ebe4d50cd2f1ff0254509d6c4eaa0_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
0a9ebe4d50cd2f1ff0254509d6c4eaa0_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
0a9ebe4d50cd2f1ff0254509d6c4eaa0_JaffaCakes118.exe
-
Size
136KB
-
MD5
0a9ebe4d50cd2f1ff0254509d6c4eaa0
-
SHA1
ada0d38c6f03ec8b5d84851e4bee6dcd587fd937
-
SHA256
522157df7fa767b44ffaf178af86c7eb37b4fca96a9d18912031e974794b0c86
-
SHA512
c4f0b0d0cd1395f153a4f74cbb0b6951af46d3c97d30b1b26ae95cb554a590126cbab886af8185129d3e163bbe8ce9ddb98570a95768648ec44133d03b891beb
-
SSDEEP
1536:DY+gJL9KHikLALc9aHQQbo5/YnuNqpK5TVF+b9bOpLMynIEe3vS7Gmx4qOqSai9v:LRbg2RauD5RF+b8LMMIEe/IG6zNSaix
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid Process 2244 cmd.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\259450364.bat 0a9ebe4d50cd2f1ff0254509d6c4eaa0_JaffaCakes118.exe File created C:\Windows\259450488.bat 0a9ebe4d50cd2f1ff0254509d6c4eaa0_JaffaCakes118.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0a9ebe4d50cd2f1ff0254509d6c4eaa0_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 1320 wrote to memory of 536 1320 0a9ebe4d50cd2f1ff0254509d6c4eaa0_JaffaCakes118.exe 31 PID 1320 wrote to memory of 536 1320 0a9ebe4d50cd2f1ff0254509d6c4eaa0_JaffaCakes118.exe 31 PID 1320 wrote to memory of 536 1320 0a9ebe4d50cd2f1ff0254509d6c4eaa0_JaffaCakes118.exe 31 PID 1320 wrote to memory of 536 1320 0a9ebe4d50cd2f1ff0254509d6c4eaa0_JaffaCakes118.exe 31 PID 1320 wrote to memory of 2244 1320 0a9ebe4d50cd2f1ff0254509d6c4eaa0_JaffaCakes118.exe 33 PID 1320 wrote to memory of 2244 1320 0a9ebe4d50cd2f1ff0254509d6c4eaa0_JaffaCakes118.exe 33 PID 1320 wrote to memory of 2244 1320 0a9ebe4d50cd2f1ff0254509d6c4eaa0_JaffaCakes118.exe 33 PID 1320 wrote to memory of 2244 1320 0a9ebe4d50cd2f1ff0254509d6c4eaa0_JaffaCakes118.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\0a9ebe4d50cd2f1ff0254509d6c4eaa0_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\0a9ebe4d50cd2f1ff0254509d6c4eaa0_JaffaCakes118.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1320 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\259450364.bat2⤵
- System Location Discovery: System Language Discovery
PID:536
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\259450488.bat2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
PID:2244
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
99B
MD5d397624208e62afe892da9d080f61fea
SHA1a1e4f495b59c6670638eba3ec235bb7a8f3cb756
SHA25658d166f00fd3474f15e275dc025ca9f56c867011acb65c79c73d3bc27b4ae5c3
SHA512a30df9735d9e086903de1b8dac30b1b5352256e652512149abddbbf290c008ce717f71d822c3a7718e31c84b7db728161afbe039fb0367ba0ec7a0c3b67cc84e
-
Filesize
219B
MD581e7a0278bae79ff8f8d9ba4834ddaf9
SHA1841110efc25a58c4ddf019d7a07624a07d336aa2
SHA256d4a31bae5a40263a9e878175b0783b6e67858538293185daebb8f8599d09f033
SHA512f0a7af4dab3aaa7341341e831fb86e474235f0eea816b3362642bfea956a7e6421fb7cc9e576da67f22f6f407f2006c4efa8a6c617e317eb2ca9513513badb0a