Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
04/10/2024, 20:17 UTC
Static task
static1
Behavioral task
behavioral1
Sample
14c916f564d38ab6a1f2433acb77b40c_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
14c916f564d38ab6a1f2433acb77b40c_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
14c916f564d38ab6a1f2433acb77b40c_JaffaCakes118.exe
-
Size
165KB
-
MD5
14c916f564d38ab6a1f2433acb77b40c
-
SHA1
fb1840eca54075edf9daf1afe6abbd8ca254bb5e
-
SHA256
5ea3ba4978a6d36f509aa3bcf8b11fe6b6ce0bcae53afeb20a1bfd97c9af56c1
-
SHA512
3ddcd21a371b4d7ef6b7fbbeaa637439935644bc11aca931f0bb81df2f46561d7a878ef4be0bd6eb3a7e51c8b601fcc050634f3aab96ac508511026e258c1bec
-
SSDEEP
3072:Y4HCWau/PlYeuL7ZLFh6Ca6cbL9l2hzB3fJCC6j8+Er6ez4w:HiI/PlY37ZLF4Ca6WABqBOvsw
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2116 ins8397.exe -
Loads dropped DLL 4 IoCs
pid Process 2120 14c916f564d38ab6a1f2433acb77b40c_JaffaCakes118.exe 2120 14c916f564d38ab6a1f2433acb77b40c_JaffaCakes118.exe 2120 14c916f564d38ab6a1f2433acb77b40c_JaffaCakes118.exe 2120 14c916f564d38ab6a1f2433acb77b40c_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 14c916f564d38ab6a1f2433acb77b40c_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ins8397.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2116 ins8397.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2116 ins8397.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2116 ins8397.exe 2116 ins8397.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2120 wrote to memory of 2116 2120 14c916f564d38ab6a1f2433acb77b40c_JaffaCakes118.exe 31 PID 2120 wrote to memory of 2116 2120 14c916f564d38ab6a1f2433acb77b40c_JaffaCakes118.exe 31 PID 2120 wrote to memory of 2116 2120 14c916f564d38ab6a1f2433acb77b40c_JaffaCakes118.exe 31 PID 2120 wrote to memory of 2116 2120 14c916f564d38ab6a1f2433acb77b40c_JaffaCakes118.exe 31 PID 2120 wrote to memory of 2116 2120 14c916f564d38ab6a1f2433acb77b40c_JaffaCakes118.exe 31 PID 2120 wrote to memory of 2116 2120 14c916f564d38ab6a1f2433acb77b40c_JaffaCakes118.exe 31 PID 2120 wrote to memory of 2116 2120 14c916f564d38ab6a1f2433acb77b40c_JaffaCakes118.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\14c916f564d38ab6a1f2433acb77b40c_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\14c916f564d38ab6a1f2433acb77b40c_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Users\Admin\AppData\Local\Temp\ins8397\ins8397.exe"C:\Users\Admin\AppData\Local\Temp\ins8397\ins8397.exe" ins.exe /e6932806 /u50d1d9d5-cf90-407c-820a-35e05bc06f2f2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2116
-
Network
-
Remote address:8.8.8.8:53Requestapi.socdn.comIN AResponseapi.socdn.comIN CNAME615321.parkingcrew.net615321.parkingcrew.netIN A13.248.148.254615321.parkingcrew.netIN A76.223.26.96
-
Remote address:13.248.148.254:80RequestGET /installer/50d1d9d5-cf90-407c-820a-35e05bc06f2f/6932806/config HTTP/1.1
User-Agent: DownloadMR/3.0.21 (MSIE 9.11;Windows NT 6.1.7601 SP1;WOW64;.NET CLR 2.0.50727 SP2; .NET CLR 3.0 SP2; .NET CLR 3.5 SP1; .NET CLR 4; .NET CLR 4.0;m=X9SRE/X9SRE-3F/X9SRi/X9SRi-3F;northstar)
Accept-Language: en-US
Host: api.socdn.com
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Accept-Ch: dpr
Accept-Ch: device-memory
Accept-Ch: rtt
Accept-Ch: downlink
Accept-Ch: ect
Accept-Ch: ua
Accept-Ch: ua-full-version
Accept-Ch: ua-platform
Accept-Ch: ua-platform-version
Accept-Ch: ua-arch
Accept-Ch: ua-model
Accept-Ch: ua-mobile
Accept-Ch-Lifetime: 30
Content-Type: text/html; charset=UTF-8
Date: Fri, 04 Oct 2024 20:17:42 GMT
Server: Caddy
Server: nginx
Vary: Accept-Encoding
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJcaXDXcKQJN0nXKZJL7TciJD8AoHXK158CAwEAAQ==_DHvbVZ6DQVzckbTKO7jkIuRK8uk3Q5jNDpbHOqzq9hf2alf2C3xYQzGNltcjAltNoD8O6A5edZUWhghlb0y00w==
X-Buckets: bucket102
X-Domain: socdn.com
X-Language: english
X-Pcrew-Blocked-Reason: hosting network
X-Pcrew-Ip-Organization: Datacamp
X-Redirect: skenzo
X-Subdomain: api
X-Template: tpl_CleanPeppermintBlack_twoclick
Transfer-Encoding: chunked
-
Remote address:13.248.148.254:80RequestPOST /installer/50d1d9d5-cf90-407c-820a-35e05bc06f2f/6932806/event HTTP/1.1
User-Agent: DownloadMR/3.0.21 (MSIE 9.11;Windows NT 6.1.7601 SP1;WOW64;.NET CLR 2.0.50727 SP2; .NET CLR 3.0 SP2; .NET CLR 3.5 SP1; .NET CLR 4; .NET CLR 4.0;m=X9SRE/X9SRE-3F/X9SRi/X9SRi-3F;northstar)
Accept-Language: en-US
Content-Type: application/x-www-form-urlencoded
Host: api.socdn.com
Content-Length: 3401
Expect: 100-continue
ResponseHTTP/1.1 100 Continue
-
Remote address:13.248.148.254:80ResponseHTTP/1.1 200 OK
Accept-Ch: dpr
Accept-Ch: device-memory
Accept-Ch: rtt
Accept-Ch: downlink
Accept-Ch: ect
Accept-Ch: ua
Accept-Ch: ua-full-version
Accept-Ch: ua-platform
Accept-Ch: ua-platform-version
Accept-Ch: ua-arch
Accept-Ch: ua-model
Accept-Ch: ua-mobile
Accept-Ch-Lifetime: 30
Content-Type: text/html; charset=UTF-8
Date: Fri, 04 Oct 2024 20:17:42 GMT
Server: Caddy
Server: nginx
Vary: Accept-Encoding
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJcaXDXcKQJN0nXKZJL7TciJD8AoHXK158CAwEAAQ==_CBd+jIb6Vt3earOrtGLAhAn9E/WD5SP1pwbjc63SL8wXPimN7iKIMJwYUXc+iurjd/36LHj+JVIuDig41PNrkw==
X-Buckets: bucket102
X-Domain: socdn.com
X-Language: english
X-Pcrew-Blocked-Reason: hosting network
X-Pcrew-Ip-Organization: Datacamp
X-Redirect: skenzo
X-Subdomain: api
X-Template: tpl_CleanPeppermintBlack_twoclick
Transfer-Encoding: chunked
-
13.248.148.254:80http://api.socdn.com/installer/50d1d9d5-cf90-407c-820a-35e05bc06f2f/6932806/eventhttpins8397.exe4.8kB 9.0kB 13 14
HTTP Request
GET http://api.socdn.com/installer/50d1d9d5-cf90-407c-820a-35e05bc06f2f/6932806/configHTTP Response
200HTTP Request
POST http://api.socdn.com/installer/50d1d9d5-cf90-407c-820a-35e05bc06f2f/6932806/eventHTTP Response
100HTTP Response
200
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
257KB
MD5ae117f47bd80e5dcf72cf81347fceb73
SHA11cd3e4c5fc9fb317b7a8eae6c94d53078800b635
SHA25649b0ec8a4000cb30f15b318bef4b6f59be2d0f7365be4c4b2b4fd5607e16e23c
SHA51272d322ec9b13e9ede1967707129f2941328ec75487aa5ea205eab0780ef26c33f253204ce08932052a6ed19d13bd62e68b4f795ef17717b9f31e5a76a9f0c16f