Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 143s
max time network: 145s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 04/10/2024, 20:14
Static task: static1
Behavioral task: behavioral1
  Sample: 14c717066c5655b3beb55dcfa3faa1d2_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 14c717066c5655b3beb55dcfa3faa1d2_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: 14c717066c5655b3beb55dcfa3faa1d2_JaffaCakes118.exe
Size: 986KB
MD5: 14c717066c5655b3beb55dcfa3faa1d2
SHA1: a9781f5bf348974c97b3eaef8f5936b31e331e73
SHA256: 1252ae8247e15d4aa197bf461fc87788d9cab2a095bb888795ce28a9c8dc413d
SHA512: 58b12a08e0375b1c8d27e760f01c9e87f02a94ae69e1f5d0d74fab79010245a987e2b18bff993d7a78c2a9f7a1d933292ff69392be9eabf81d3de18107762e54
SSDEEP: 24576:o0tjgWoWiCDgdVKGPzDLQNTuBcxVgUz0:7npiogdgMIacpz
Malware Config
Signatures
Deletes itself (1 IoC)
  PID 2624  cmd.exe
Executes dropped EXE (1 IoC)
  PID 2576  49712.exe
Loads dropped DLL (4 IoCs)
  PID 2624  cmd.exe (2 events)
  PID 2576  49712.exe (2 events)
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str)  \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\14c717066c5655b3beb55dcfa3faa1d2_JaffaCakes118 = "\"C:\\Users\\Admin\\AppData\\Local\\49712.exe\" 0 27 "  by 14c717066c5655b3beb55dcfa3faa1d2_JaffaCakes118.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\49712 = "\"C:\\Users\\Admin\\AppData\\Local\\49712.exe\" 0 36 "  by 49712.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of the victim host in order to infer its geographical location.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by 14c717066c5655b3beb55dcfa3faa1d2_JaffaCakes118.exe, cmd.exe, reg.exe, 49712.exe
Modifies registry key (1 TTP, 1 IoC)
  PID 2620  reg.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 2576  49712.exe
Suspicious use of FindShellTrayWindow (7 IoCs)
  PID 2576  49712.exe (7 events)
Suspicious use of SendNotifyMessage (7 IoCs)
  PID 2576  49712.exe (7 events)
Suspicious use of WriteProcessMemory (12 IoCs)
  PID 2192 (14c717066c5655b3beb55dcfa3faa1d2_JaffaCakes118.exe) wrote to memory of PID 2624, procid_target 30  (4 events)
  PID 2624 (cmd.exe) wrote to memory of PID 2620, procid_target 32  (4 events)
  PID 2624 (cmd.exe) wrote to memory of PID 2576, procid_target 33  (4 events)
Processes
1. C:\Users\Admin\AppData\Local\Temp\14c717066c5655b3beb55dcfa3faa1d2_JaffaCakes118.exe  (PID 2192)
   Command line: "C:\Users\Admin\AppData\Local\Temp\14c717066c5655b3beb55dcfa3faa1d2_JaffaCakes118.exe"
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe  (PID 2624)
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\596903.bat" "
      - Deletes itself
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\reg.exe  (PID 2620)
         Command line: reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v 14c717066c5655b3beb55dcfa3faa1d2_JaffaCakes118 /f
         - System Location Discovery: System Language Discovery
         - Modifies registry key
      3. C:\Users\Admin\AppData\Local\49712.exe  (PID 2576)
         Command line: C:\Users\Admin\AppData\Local\49712.exe -i
         - Executes dropped EXE
         - Loads dropped DLL
         - Adds Run key to start application
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of FindShellTrayWindow
         - Suspicious use of SendNotifyMessage
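The behavioural chain the report records is: the sample writes a RunOnce value pointing at a copy of itself under %LOCALAPPDATA%, a dropped batch file deletes that value with reg.exe and launches the dropped 49712.exe, and 49712.exe registers its own RunOnce value under a new name. As an added example (not part of the tria.ge report), the following Python parses those IoC lines exactly as the sandbox prints them, flags autorun values whose image lives in a user-writable directory, works out which autorun value is still present after the reg delete, and rebuilds the parent/child chain from the WriteProcessMemory events. The sample lines are copied from this report; treating a "wrote to memory of" event as parent-to-child process creation, and the list of "user-writable" directories, are this example's assumptions.

```python
"""Triage helpers for the behavioural IoCs of a tria.ge report (added example)."""
import re
from collections import defaultdict

# Constructed sample input: IoC lines copied from this report as the sandbox
# prints them. Registry value data appears as an escaped string literal.
REGISTRY_SET_EVENTS = [
    r'\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\14c717066c5655b3beb55dcfa3faa1d2_JaffaCakes118 = "\"C:\\Users\\Admin\\AppData\\Local\\49712.exe\" 0 27 "',
    r'\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\49712 = "\"C:\\Users\\Admin\\AppData\\Local\\49712.exe\" 0 36 "',
]
REG_DELETE_CMDLINES = [
    r"reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v 14c717066c5655b3beb55dcfa3faa1d2_JaffaCakes118 /f",
]
# The report lists each creation four times; one duplicate is kept to show dedup.
WRITE_PROCESS_MEMORY_EVENTS = [
    "PID 2192 wrote to memory of 2624 2192 14c717066c5655b3beb55dcfa3faa1d2_JaffaCakes118.exe 30",
    "PID 2192 wrote to memory of 2624 2192 14c717066c5655b3beb55dcfa3faa1d2_JaffaCakes118.exe 30",
    "PID 2624 wrote to memory of 2620 2624 cmd.exe 32",
    "PID 2624 wrote to memory of 2576 2624 cmd.exe 33",
]

AUTORUN_KEY_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce")
# Assumption of this example: directories an unprivileged user can write to.
USER_WRITABLE_DIRS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def parse_set_value(line):
    """Split 'key\\name = "<escaped data>"' and recover image path and arguments."""
    path, data = line.split(" = ", 1)
    key, name = path.rsplit("\\", 1)
    # The sandbox shows the value data as a string literal: strip the outer
    # quotes and undo the backslash escaping of \\ and \" inside it.
    data = re.sub(r"\\(.)", r"\1", data[1:-1])
    m = re.match(r'^"([^"]+)"\s*(.*?)\s*$', data) or re.match(r"^(\S+)\s*(.*?)\s*$", data)
    return {"key": key, "name": name, "image": m.group(1), "args": m.group(2)}


def is_suspicious_autorun(entry):
    """Run/RunOnce value whose image lives somewhere the user can write to."""
    key, image = entry["key"].lower(), entry["image"].lower()
    return key.endswith(AUTORUN_KEY_SUFFIXES) and any(d in image for d in USER_WRITABLE_DIRS)


def parse_reg_delete(cmdline):
    """Return (key, value_name) for 'reg delete <key> /v <name> ...', else None."""
    m = re.match(r"reg\s+delete\s+(\S+)\s+/v\s+(\S+)", cmdline, re.IGNORECASE)
    return (m.group(1), m.group(2)) if m else None


def effective_autoruns(set_events, delete_cmdlines):
    """Autorun values still present once the batch file's reg delete has run.

    The original value name disappears and the dropped executable re-registers
    under a new name, so a point-in-time search for the sample's own name finds
    nothing; the image path is the stable indicator.
    """
    entries = {e["name"]: e for e in map(parse_set_value, set_events)}
    for cmd in delete_cmdlines:
        parsed = parse_reg_delete(cmd)
        if parsed:
            entries.pop(parsed[1], None)
    return entries


def build_process_tree(events):
    """Parent -> set(children) and pid -> image from 'PID <src> wrote to memory of <dst> ...'.

    Assumption: a WriteProcessMemory into a fresh PID is the parent setting up a
    child it just created, which matches the process tree shown in the report.
    """
    tree, names = defaultdict(set), {}
    for ev in events:
        m = re.match(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+", ev)
        if m:
            parent, child, image = int(m.group(1)), int(m.group(2)), m.group(3)
            tree[parent].add(child)
            names[parent] = image
    return dict(tree), names


if __name__ == "__main__":
    for e in map(parse_set_value, REGISTRY_SET_EVENTS):
        print(f"{'SUSPICIOUS' if is_suspicious_autorun(e) else 'ok'}: {e['name']} -> {e['image']} {e['args']}")
    print("surviving autorun values:", list(effective_autoruns(REGISTRY_SET_EVENTS, REG_DELETE_CMDLINES)))
    tree, names = build_process_tree(WRITE_PROCESS_MEMORY_EVENTS)
    for parent, children in tree.items():
        print(f"{parent} ({names[parent]}) -> {sorted(children)}")
```

Run as a script it prints both RunOnce values as suspicious, reports 49712 as the only surviving value name, and shows 2192 spawning 2624, which in turn spawns 2620 and 2576, matching the Processes tree above. For a live host the same logic applies to the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce`, with the image path rather than the value name as the thing to hunt for.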
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 435B
  MD5: 7657ee8c6f9b51b768b3d8f50b48f6f0
  SHA1: f657579db1a39e35391ca63ce41d2d42cf56c0fb
  SHA256: 421ffbdf730166b6ec55947fa15bf107111f6b4a6a4b327833d3ae728d1cb7d6
  SHA512: 51349d6bb98de1f8712767cc844d964b78cdcda5253a8ed15c8232182f001e828edf3ffd3a3cc92569e60aafbc64643502efd23edb6a09fbdceb7c30b60f62af
File 2 (hashes match the submitted sample)
  Filesize: 986KB
  MD5: 14c717066c5655b3beb55dcfa3faa1d2
  SHA1: a9781f5bf348974c97b3eaef8f5936b31e331e73
  SHA256: 1252ae8247e15d4aa197bf461fc87788d9cab2a095bb888795ce28a9c8dc413d
  SHA512: 58b12a08e0375b1c8d27e760f01c9e87f02a94ae69e1f5d0d74fab79010245a987e2b18bff993d7a78c2a9f7a1d933292ff69392be9eabf81d3de18107762e54