Analysis
max time kernel: 149s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted
03/10/2024, 21:45
Static task
static1
Behavioral task
behavioral1
Sample
109da14f7ea14aca656fc404bd7e0d5c_JaffaCakes118.exe
Resource
win7-20240903-en
General
Target: 109da14f7ea14aca656fc404bd7e0d5c_JaffaCakes118.exe
Size: 119KB
MD5: 109da14f7ea14aca656fc404bd7e0d5c
SHA1: 05135c035e406fd59d21eee22f0781eddb34dac4
SHA256: f31e9010f4c0ef6f58ab6a89931d03628d9fe1c896c7446b3db7a51fe085cfa1
SHA512: f77aa7a8e62a694ea063cd0a6c1b30670397d80e2e98c81df4cd165537301db7670efe1cc2f17db75304a37c8ba616680e967fcde90e0d075307746ba908967a
SSDEEP: 3072:6zdYe6SkN2NsZQXw6QiLs3m1EplhRgKJFL:CySkNCsZvZm6plDL
Malware Config
Signatures
- Detected Nirsoft tools (2 IoCs)
  Free utilities often used by attackers which can steal passwords, product keys, etc.
  resource                                                                      yara_rule
  behavioral1/memory/2328-24-0x0000000000400000-0x0000000000419000-memory.dmp   Nirsoft
  behavioral1/memory/2328-28-0x0000000000400000-0x0000000000419000-memory.dmp   Nirsoft
- Executes dropped EXE (3 IoCs)
  pid    Process
  2328   im.exe
  2100   pwha.exe
  2924   astr.exe
- Loads dropped DLL (15 IoCs)
  pid    Process
  2512   109da14f7ea14aca656fc404bd7e0d5c_JaffaCakes118.exe   (15 identical entries)
- resource                                                                      yara_rule
  behavioral1/files/0x00070000000186fd-6.dat                                    upx
  behavioral1/memory/2328-24-0x0000000000400000-0x0000000000419000-memory.dmp   upx
  behavioral1/memory/2100-46-0x0000000000400000-0x0000000000415000-memory.dmp   upx
  behavioral1/files/0x0007000000012116-44.dat                                   upx
  behavioral1/memory/2512-42-0x0000000001F70000-0x0000000001F85000-memory.dmp   upx
  behavioral1/memory/2512-29-0x0000000001F70000-0x0000000001F85000-memory.dmp   upx
  behavioral1/memory/2328-28-0x0000000000400000-0x0000000000419000-memory.dmp   upx
  behavioral1/memory/2100-67-0x0000000000400000-0x0000000000415000-memory.dmp   upx
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                           Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   im.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   pwha.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   astr.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   109da14f7ea14aca656fc404bd7e0d5c_JaffaCakes118.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid    Process
  2924   astr.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid    Process                                              procid_target
  PID 2512 wrote to memory of 2328  2512   109da14f7ea14aca656fc404bd7e0d5c_JaffaCakes118.exe   30   (4 identical entries)
  PID 2512 wrote to memory of 2100  2512   109da14f7ea14aca656fc404bd7e0d5c_JaffaCakes118.exe   31   (4 identical entries)
  PID 2512 wrote to memory of 2924  2512   109da14f7ea14aca656fc404bd7e0d5c_JaffaCakes118.exe   32   (4 identical entries)
Processes
C:\Users\Admin\AppData\Local\Temp\109da14f7ea14aca656fc404bd7e0d5c_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\109da14f7ea14aca656fc404bd7e0d5c_JaffaCakes118.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2512

  C:\Users\Admin\AppData\Local\Temp\im.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\im.exe" /stext im.txt
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 2328

  C:\Users\Admin\AppData\Local\Temp\pwha.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\pwha.exe" /stext pww.txt
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 2100

  C:\Users\Admin\AppData\Local\Temp\astr.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\astr.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID: 2924
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 31KB
  MD5: 483e560f1527bd2c3e1124ce0756bc17
  SHA1: 55d285d22c88a63236fa9d461536a34809edd20d
  SHA256: 6633c5afc2d0f67d28d23d255cb5640389617b7a0e9f67a0ec1d1d8c7a074511
  SHA512: 3642a2dda07d6c09d22646d0334089d85792b9eb7199541ae449c08f587bf2fc35dea83d1207efda8108c2603f01c2d7ae0708593352bbb17d0f9a9a62d86cd4
- Filesize: 28KB
  MD5: 3ec2034c581d204b309c9e3bb0df6385
  SHA1: 7e58247ec023ec4f55010bc79c9268fed2d4191e
  SHA256: 711a85e1348ec2f2a50271501113573f250c131c5f4fe8d32ec2d166f6ef8fd7
  SHA512: bc00d298fbed0f13c9e9b5c2ae9571513e73ac316ce360274b59038968e9a2a04271adf72c887457f202df51af644d43ffd901bcb45aedebf2a0d943c5efc872
- Filesize: 41KB
  MD5: 623a6a486569c3a808005d5ec9a325c0
  SHA1: 9c99561c36a46db84df61484ded3e44c0c832fb6
  SHA256: 6de0689a21855d5f761bb72688180bd47ee6d01be9f21fb65c337419ee1c94e9
  SHA512: c592f3f14cc1b332af16e73311febda56380d8f22f0f246ce16e6b13e89710c5f28cabdcd2fe39b65d6f9117173a7bec01520352dd364dfabb6d5caeb785fe02