Analysis
max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 03/10/2024, 18:55
Static task static1
Behavioral task behavioral1: sample 10260bf8d9922436d149a9fe619d5f30_JaffaCakes118.exe, resource win7-20240903-en
Behavioral task behavioral2: sample 10260bf8d9922436d149a9fe619d5f30_JaffaCakes118.exe, resource win10v2004-20240802-en
General
Target: 10260bf8d9922436d149a9fe619d5f30_JaffaCakes118.exe
Size: 153KB
MD5: 10260bf8d9922436d149a9fe619d5f30
SHA1: dc9a5d2846846979c895525576d2ac6e1385872b
SHA256: 8fe30d4e02580e505defba5c75d2d090c28e39b6e3132ddb97b75653d631fe37
SHA512: 49457f62a4588b49fb2c202b684cdd790ad9e5bd1ff6f88495d4f019cf1c6fceb431cc870fd4ae36a336b821fd693c793b56dd493ff8a04410d43a502749c5cb
SSDEEP: 3072:EDjsDuYR47dkiydD8Yr9+XDWJc8WjD7cNepIo0v2G0zudJ:E91IDdr9+Xb8gD+P0zuT
Malware Config
Signatures
Event Triggered Execution: AppInit DLLs (1 TTP, MITRE ATT&CK T1546.010)
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. The report records the technique match only; the dropped dvhufib.dll is the candidate payload, but no registry write to AppInit_DLLs is shown on this page.

Executes dropped EXE (1 IoC)
  PID   Process
  2924  blblckc.exe

Drops file in Program Files directory (2 IoCs)
  Description   IoC                                Process
  File created  C:\PROGRA~3\Mozilla\blblckc.exe    10260bf8d9922436d149a9fe619d5f30_JaffaCakes118.exe
  File created  C:\PROGRA~3\Mozilla\dvhufib.dll    blblckc.exe
(C:\PROGRA~3 is an 8.3 short name; on a default install it is the alias of C:\ProgramData rather than a Program Files directory, so match on both forms when hunting.)

System Location Discovery: System Language Discovery (1 TTP, MITRE ATT&CK T1614.001; 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description  IoC                                                              Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      10260bf8d9922436d149a9fe619d5f30_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      blblckc.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  Description                     PID   Process      Target PID
  PID 2372 wrote to memory of 2924  2372  taskeng.exe  2924
  PID 2372 wrote to memory of 2924  2372  taskeng.exe  2924
  PID 2372 wrote to memory of 2924  2372  taskeng.exe  2924
  PID 2372 wrote to memory of 2924  2372  taskeng.exe  2924
All four writes come from taskeng.exe into the child it had just started, which is routine during process creation; the interesting fact here is the parent itself (Task Scheduler launching the dropped EXE), not the memory writes.
Processes
1. C:\Users\Admin\AppData\Local\Temp\10260bf8d9922436d149a9fe619d5f30_JaffaCakes118.exe (PID 2532)
   Command line: "C:\Users\Admin\AppData\Local\Temp\10260bf8d9922436d149a9fe619d5f30_JaffaCakes118.exe"
   Signatures: Drops file in Program Files directory; System Location Discovery: System Language Discovery
2. C:\Windows\system32\taskeng.exe (PID 2372)
   Command line: taskeng.exe {C1831481-AF31-4E5A-9C5A-C3120B739EF3} S-1-5-18:NT AUTHORITY\System:Service:
   Signatures: Suspicious use of WriteProcessMemory
   2.1 C:\PROGRA~3\Mozilla\blblckc.exe (PID 2924, child of taskeng.exe)
       Command line: C:\PROGRA~3\Mozilla\blblckc.exe -iljnpcl
       Signatures: Executes dropped EXE; Drops file in Program Files directory; System Location Discovery: System Language Discovery
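The signatures and process tree above give a host-side checklist: the two dropped files under C:\PROGRA~3\Mozilla, an AppInit_DLLs registration to look for, and a scheduled task (taskeng.exe is the Task Scheduler engine on Windows 7, and it launched blblckc.exe). The following triage script is an added example and is not part of the tria.ge report. It assumes that C:\PROGRA~3 resolves to C:\ProgramData (the usual 8.3 alias on a default install) and checks both spellings; the hash of the dropped EXE is not given on this page, so the script only reports what it finds and flags a match against the analysed sample's SHA256.

```powershell
#Requires -RunAsAdministrator
# Added host-triage example for the indicators in this report (not part of the page).
# ASSUMPTION: C:\PROGRA~3 is the 8.3 alias of C:\ProgramData; both forms are checked.

$SampleSha256 = '8fe30d4e02580e505defba5c75d2d090c28e39b6e3132ddb97b75653d631fe37'
$DroppedFiles = @(
    'C:\PROGRA~3\Mozilla\blblckc.exe', 'C:\PROGRA~3\Mozilla\dvhufib.dll',
    'C:\ProgramData\Mozilla\blblckc.exe', 'C:\ProgramData\Mozilla\dvhufib.dll'
)
$findings = New-Object System.Collections.Generic.List[object]
$seenHashes = @{}

function Add-Finding([string]$Check, [string]$Detail, [string]$Value) {
    $findings.Add([pscustomobject]@{ Check = $Check; Detail = $Detail; Value = $Value })
}

# 1. Dropped files (report: "Drops file in Program Files directory").
#    Short and long paths refer to the same file, so de-duplicate on content hash.
foreach ($p in $DroppedFiles) {
    if (-not (Test-Path -LiteralPath $p)) { continue }
    $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash.ToLower()
    if ($seenHashes.ContainsKey($hash)) { continue }
    $seenHashes[$hash] = $true
    $note = if ($hash -eq $SampleSha256) { 'same bytes as the analysed sample' } else { 'hash not listed in report' }
    Add-Finding 'DroppedFile' $p "$hash ($note)"
}

# 2. AppInit_DLLs persistence (T1546.010): native and WOW64 views on x64.
#    Only meaningful when LoadAppInit_DLLs is 1 and the value names a DLL.
foreach ($key in @('HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
                   'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows')) {
    if (-not (Test-Path $key)) { continue }
    $v = Get-ItemProperty -Path $key
    if ($v.LoadAppInit_DLLs -eq 1 -and -not [string]::IsNullOrWhiteSpace($v.AppInit_DLLs)) {
        Add-Finding 'AppInit_DLLs' $key $v.AppInit_DLLs
    }
}

# 3. Scheduled task whose action points at the dropped EXE or its folder.
#    schtasks.exe is used instead of Get-ScheduledTask so this also runs on Windows 7.
$tasks = schtasks.exe /query /fo CSV /v 2>$null | ConvertFrom-Csv
foreach ($t in $tasks) {
    if ($t.'Task To Run' -match 'blblckc\.exe|PROGRA~3\\Mozilla|ProgramData\\Mozilla') {
        Add-Finding 'ScheduledTask' $t.TaskName $t.'Task To Run'
    }
}

# 4. Live process with the dropped image name.
Get-Process -Name blblckc -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'Process' "PID $($_.Id)" $_.Path }

if ($findings.Count -eq 0) { 'No indicators from this report were found on this host.' } else { $findings | Format-Table -AutoSize -Wrap }
```

Get-FileHash needs PowerShell 4.0 or later, so a Windows 7 host must have WMF 4 or 5.1 installed; everything else runs on the stock 2.0 shell. An empty AppInit_DLLs result does not clear the host, because the sandbox report records the technique match without showing the registry write, and the file names are specific to this sample and may differ in other drops from the same family.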
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 153KB
MD5: 37c52d3279b75266da0f892889a20a19
SHA1: fbccb3839c308da6a4dd82f561fefa8adfcef962
SHA256: a98121ec9c0408e1f193398ac508c4056fa1ce0689bfd96682c98e87f738d62c
SHA512: 1126161e155d27a91ca4de7de54cd96a8d0d7f8a37dae42cf6ed7ff63e457cbb2ea5afb8f48cd8e45a758f5fac5c2e982c5a80651872dc98f34b8ff962bb3849
(These hashes differ from the submitted sample's, so this is a distinct artifact of the same size; the page does not say which file it is.)