Analysis
max time kernel: 142s
max time network: 123s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 03/10/2024, 15:54
Static task: static1
Behavioral task: behavioral1
  Sample: 0f7a03ff397a95e57cefbdbf8954ea30_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 0f7a03ff397a95e57cefbdbf8954ea30_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: 0f7a03ff397a95e57cefbdbf8954ea30_JaffaCakes118.exe
Size: 494KB
MD5: 0f7a03ff397a95e57cefbdbf8954ea30
SHA1: c2bae51fbe3c435cdf66cc55c7829ed76a3b85e5
SHA256: 1eea1e550d3f9ef97d42286fef537f3b29a93aa95e8cb859fb793383bcbd731d
SHA512: 0a763fe989750731fe703d23f5983e4a85344483f36786b2e678402ef6238b541837fb14681890a1ce69392923eef3916ef9cc9513488bce155a5fb7ad7dad45
SSDEEP: 12288:aGSB9TpivQmcKIpbSR/J7zMhv8NtTirdorX6:aF9wImcKI8R/J7zMB8TEdoG
Malware Config
Signatures
Deletes itself (1 IoC)
  PID 1064  cmd.exe
Executes dropped EXE (1 IoC)
  PID 2236  askldjkl.exe
Writes to the Master Boot Record (MBR) (1 TTP, 2 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system. \??\PhysicalDrive0 is the raw device for the first physical disk; the sandbox records that the handle was opened for modification, not what was written, so this report alone does not show the contents placed in sector 0.
  File opened for modification  \??\PhysicalDrive0  0f7a03ff397a95e57cefbdbf8954ea30_JaffaCakes118.exe
  File opened for modification  \??\PhysicalDrive0  askldjkl.exe
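The signature above only tells a responder that both the dropper and its copy in C:\Windows opened \??\PhysicalDrive0 for writing. The Python below, added here as an example and not part of the tria.ge report or of the sample, is the check a responder would run next: parse the 512-byte MBR, hash the 440-byte boot-code region separately from the partition table, and diff a freshly read sector 0 against a trusted baseline taken at build time. A bootkit typically replaces the boot code but leaves the partition table intact so the machine still boots, which is the pattern the comparison isolates. The boot-code bytes, disk signature and partition entry are constructed for this example; read_physical_drive0 assumes Windows and an elevated prompt.

```python
"""Parse an MBR and compare it against a trusted baseline.

Added example, not tria.ge code. Sample MBR contents are constructed.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440        # offsets 0..439 hold the boot code
DISK_SIG_OFF = 440         # 4-byte disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446       # four 16-byte partition entries
PART_ENTRY_LEN = 16
BOOT_SIG_OFF = 510         # 0x55 0xAA


def parse_mbr(mbr: bytes) -> dict:
    """Return boot-code hash, disk signature and the in-use partition entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, _chs_first, ptype, _chs_last, lba_start, sectors = struct.unpack_from(
            "<B3sB3sII", mbr, off)
        if ptype == 0:
            continue  # empty slot
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFF)[0],
        "partitions": partitions,
    }


def check_against_baseline(current: bytes, baseline: bytes) -> dict:
    """Report which regions of sector 0 differ from the trusted copy."""
    cur, base = parse_mbr(current), parse_mbr(baseline)
    return {
        "boot_code_changed": cur["boot_code_sha256"] != base["boot_code_sha256"],
        "partition_table_changed": cur["partitions"] != base["partitions"],
        "disk_signature_changed": cur["disk_signature"] != base["disk_signature"],
    }


def read_physical_drive0() -> bytes:
    """Read sector 0 of the first disk on Windows (needs an elevated prompt)."""
    with open(r"\\.\PhysicalDrive0", "rb") as disk:
        return disk.read(MBR_SIZE)


# --- constructed sample data (not the bytes this sample wrote) ---
def build_mbr(boot_code: bytes) -> bytes:
    """Assemble a 512-byte MBR with one bootable NTFS partition at LBA 2048."""
    boot_code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    disk_sig = struct.pack("<I", 0x1A2B3C4D) + b"\x00\x00"
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 1_000_000)
    table = entry + b"\x00" * (PART_ENTRY_LEN * 3)
    return boot_code + disk_sig + table + b"\x55\xaa"


# xor ax,ax; mov ss,ax; mov sp,0x7c00; mov es,ax; mov ds,ax (standard MBR prologue)
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0\x8e\xd8"
# cli; jmp short +0x20; nop sled: a constructed stand-in for replaced boot code
BOOTKIT_BOOT_CODE = b"\xfa\xeb\x20" + b"\x90" * 32


def demo() -> dict:
    """Baseline vs. an MBR whose boot code was swapped but partitions kept."""
    baseline = build_mbr(CLEAN_BOOT_CODE)
    infected = build_mbr(BOOTKIT_BOOT_CODE)
    return check_against_baseline(infected, baseline)


if __name__ == "__main__":
    print(demo())
```

On a live host, feed read_physical_drive0() as `current` and a copy of sector 0 saved from a known-good image as `baseline`; a result with boot_code_changed true and partition_table_changed false is the bootkit pattern, while a changed partition table more often means legitimate disk management.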
Drops file in Windows directory (3 IoCs)
  File opened for modification  C:\Windows\askldjkl.exe   0f7a03ff397a95e57cefbdbf8954ea30_JaffaCakes118.exe
  File created                  C:\Windows\GUOCYOKl.BAT  0f7a03ff397a95e57cefbdbf8954ea30_JaffaCakes118.exe
  File created                  C:\Windows\askldjkl.exe   0f7a03ff397a95e57cefbdbf8954ea30_JaffaCakes118.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Note that cmd.exe is among the processes flagged: this registry key is read by a great deal of benign code, so treat the signature as corroborating rather than decisive.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  0f7a03ff397a95e57cefbdbf8954ea30_JaffaCakes118.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  askldjkl.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  PID 2720  0f7a03ff397a95e57cefbdbf8954ea30_JaffaCakes118.exe
  Token: SeDebugPrivilege  PID 2236  askldjkl.exe
Suspicious use of FindShellTrayWindow (1 IoC)
  PID 2236  askldjkl.exe
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2236 wrote to memory of 1988  askldjkl.exe  (target index 30, IEXPLORE.EXE; logged 4 times)
  PID 2720 wrote to memory of 1064  0f7a03ff397a95e57cefbdbf8954ea30_JaffaCakes118.exe  (target index 31, cmd.exe; logged 4 times)
The procid_target column (30, 31) is the sandbox's own process index, not a PID; the target PIDs 1988 and 1064 match the children in the process tree below. In both cases the writes go to a process the writer itself created, which also happens during ordinary process creation, so confirming code injection into IEXPLORE.EXE would require the memory dumps, which this report does not include.
Processes
C:\Users\Admin\AppData\Local\Temp\0f7a03ff397a95e57cefbdbf8954ea30_JaffaCakes118.exe  (PID 2720)
  command line: "C:\Users\Admin\AppData\Local\Temp\0f7a03ff397a95e57cefbdbf8954ea30_JaffaCakes118.exe"
  - Writes to the Master Boot Record (MBR)
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe  (PID 1064)
    command line: cmd /c C:\Windows\GUOCYOKl.BAT
    - Deletes itself
    - System Location Discovery: System Language Discovery

C:\Windows\askldjkl.exe  (PID 2236)
  command line: C:\Windows\askldjkl.exe
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  C:\Program Files\Internet Explorer\IEXPLORE.EXE  (PID 1988)
    command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"

The cmd.exe instance is the SysWOW64 (32-bit) copy, consistent with a 32-bit sample running on the x64 image. The dropped copy askldjkl.exe appears as a separate top-level process; the report does not attribute a parent to it.
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 218B
MD5: 9eabb865e2e0d58f8dc928c9058876bf
SHA1: cb5b4eae725f69e4457831242e4355cdb1ed6467
SHA256: 07fce69cb8d1cd89e8494bf010d1f380e44c29b76fcd15db1afeb471e4ce41c3
SHA512: 06244d02a785cdf36909d52201c9212445f4188f00e642c320d676c566fd8f2b97c5e5d126fb07753dcb261c1e38c0c66dcadbf9c476ed544ebaaa9246f1a611

Filesize: 494KB (hashes identical to the submitted sample)
MD5: 0f7a03ff397a95e57cefbdbf8954ea30
SHA1: c2bae51fbe3c435cdf66cc55c7829ed76a3b85e5
SHA256: 1eea1e550d3f9ef97d42286fef537f3b29a93aa95e8cb859fb793383bcbd731d
SHA512: 0a763fe989750731fe703d23f5983e4a85344483f36786b2e678402ef6238b541837fb14681890a1ce69392923eef3916ef9cc9513488bce155a5fb7ad7dad45