Analysis
- max time kernel: 118s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 02/10/2024, 12:28
Static task: static1
Behavioral task: behavioral1
- Sample: 0aa9a6d929cb60fa85f5542d3e737a18_JaffaCakes118.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 0aa9a6d929cb60fa85f5542d3e737a18_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: 0aa9a6d929cb60fa85f5542d3e737a18_JaffaCakes118.exe
- Size: 1.4MB
- MD5: 0aa9a6d929cb60fa85f5542d3e737a18
- SHA1: 0d709241a7182d93f5d3dd1b0b265e01a6dc45bb
- SHA256: ecb796e74a8974001a3bb55512be88dc22ed959bee66af5de984c4d6f1958d55
- SHA512: 685de6249781c0c2f9d5c318e9c6a1fda65ce73f141079a4636ded47d39a2b5f07df274260fe3125300e36b8d80da0ad5e0ef9c0941c6fb963f552ad139f34c8
- SSDEEP: 24576:6bfU+VvONDdmDyv8N+JXEZWNNhTUkCYr3JBMPuNV1seRlX0k/616zzyiMcdT51Y8:zuowDk8N+JrNnJJnsebA165z1Y8
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  PID 2744: 0aa9a6d929cb60fa85f5542d3e737a18_JaffaCakes118-0698.exe
- Loads dropped DLL (6 IoCs)
  PID 1688: 0aa9a6d929cb60fa85f5542d3e737a18_JaffaCakes118.exe (4 events)
  PID 2744: 0aa9a6d929cb60fa85f5542d3e737a18_JaffaCakes118-0698.exe (2 events)
- Enumerates connected drives (3 TTPs, 21 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by 0aa9a6d929cb60fa85f5542d3e737a18_JaffaCakes118-0698.exe: \??\G:, \??\H:, \??\Q:, \??\R:, \??\V:, \??\I:, \??\O:, \??\T:, \??\Z:, \??\J:, \??\K:, \??\L:, \??\N:, \??\P:, \??\S:, \??\Y:, \??\E:, \??\M:, \??\U:, \??\W:, \??\X:
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 0aa9a6d929cb60fa85f5542d3e737a18_JaffaCakes118.exe and by 0aa9a6d929cb60fa85f5542d3e737a18_JaffaCakes118-0698.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  PID 1688 (0aa9a6d929cb60fa85f5542d3e737a18_JaffaCakes118.exe) wrote to memory of PID 2744 (procid_target 30), 7 events
Processes
- C:\Users\Admin\AppData\Local\Temp\0aa9a6d929cb60fa85f5542d3e737a18_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0aa9a6d929cb60fa85f5542d3e737a18_JaffaCakes118.exe"
  PID: 1688
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\0aa9a6d929cb60fa85f5542d3e737a18_JaffaCakes118-0698.exe (child of PID 1688)
    Command line: "C:\Users\Admin\AppData\Local\Temp\0aa9a6d929cb60fa85f5542d3e737a18_JaffaCakes118-0698.exe" "C:\Users\Admin\AppData\Local\Temp\0aa9a6d929cb60fa85f5542d3e737a18_JaffaCakes118.exe"
    PID: 2744
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 222KB
  MD5: 5a8222c703b4a34f2227a652a49a2827
  SHA1: ba8b1c8f341219d608a0a5a2a2c8d63c19697d05
  SHA256: 17936188efac05a0ef9fd87a79b268445ce307dd37a6f9206d116f195ab049c9
  SHA512: 7b1c200cf96ebb5b660fb11a85e3daf908a6e4d984c90207b5afa2444703fc784897160cf05a4bc592ecd908bf09f8dbd9195a4c0c07f1caef04bbd7c6624d9d
- Filesize: 519KB
  MD5: 849f98092dfabece6abeb4e21a519a83
  SHA1: 3044103e549dcb8ba22c7f1daf6e0bf1012eb444
  SHA256: 006d762b6b1921dccf11ff5a9c47e78dff87d69e984423fdef801a8c1cf5cdfc
  SHA512: e306b68d7fd03258dbbbb0874702ac43ee18538ea3848bf4125e24dce9b834afac90b9d1eb29f20a05a7eb0735d25001e8cedde5dd90aa234e1682e774d2e38c
- Filesize: 426KB
  MD5: ae5f4292bd15228853f65a1004517adc
  SHA1: 410b32fd3fe4642644ad91ac60c69b86ec2762dd
  SHA256: 1493ddd89d403820da52440647a41f9f9579e8cb806e679a294a2638295962ba
  SHA512: a89688f8e56b158be817444c8ccec0aad98eb141ec19574998fe5752410b9131bade826a238a6c323c0ff0e25e2c06547c238344fdcb3a210ed36dc332320ce3