Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 122s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 05/10/2024, 01:08
Static task: static1
Behavioral task: behavioral1
- Sample: 1595c2a9b47cc32fcebb47e63e416290_JaffaCakes118.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 1595c2a9b47cc32fcebb47e63e416290_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: 1595c2a9b47cc32fcebb47e63e416290_JaffaCakes118.exe
- Size: 282KB
- MD5: 1595c2a9b47cc32fcebb47e63e416290
- SHA1: e08cbbe3b87c53ba49eec7d0c5d3359c14017a32
- SHA256: d847b39df7c3c16839e0fbe9a07187fce39b7ca9521201be82d1bcacd2b60c04
- SHA512: 35b8b985b8dedfe99a388b17170541d6c983571f5d11239fce900200f80ef201a41779971fe5c3142aa028a7525553f200da089a6184ad65b7a1fc591f6751b6
- SSDEEP: 6144:y/Kod5J1iij6ijaGxmCAaMSbGqJ92rnxWXYbG:M7DD2EESN2rBq
Malware Config
Signatures
- Event Triggered Execution: AppInit DLLs (1 TTP)
  Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
- Executes dropped EXE (1 IoC)
  pid   Process
  2536  blblckc.exe
- Drops file in Program Files directory (2 IoCs)
  description   ioc                                 Process
  File created  C:\PROGRA~3\Mozilla\blblckc.exe     1595c2a9b47cc32fcebb47e63e416290_JaffaCakes118.exe
  File created  C:\PROGRA~3\Mozilla\dvhufib.dll     blblckc.exe
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                             Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     blblckc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     1595c2a9b47cc32fcebb47e63e416290_JaffaCakes118.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid   Process
  2432  1595c2a9b47cc32fcebb47e63e416290_JaffaCakes118.exe
  2536  blblckc.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description                       pid   Process      procid_target
  PID 2240 wrote to memory of 2536  2240  taskeng.exe  32
  PID 2240 wrote to memory of 2536  2240  taskeng.exe  32
  PID 2240 wrote to memory of 2536  2240  taskeng.exe  32
  PID 2240 wrote to memory of 2536  2240  taskeng.exe  32
Processes
- C:\Users\Admin\AppData\Local\Temp\1595c2a9b47cc32fcebb47e63e416290_JaffaCakes118.exe (PID 2432, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1595c2a9b47cc32fcebb47e63e416290_JaffaCakes118.exe"
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
- C:\Windows\system32\taskeng.exe (PID 2240, depth 1)
  Command line: taskeng.exe {D8C10F37-0159-4EC6-B1B2-67F2F4F5B5FC} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  - C:\PROGRA~3\Mozilla\blblckc.exe (PID 2536, depth 2, child of taskeng.exe)
    Command line: C:\PROGRA~3\Mozilla\blblckc.exe -iljnpcl
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 282KB
- MD5: 3f5c559136e72d44b2cb7eb02cde2bd0
- SHA1: d5ed520fd447fb183f2281d9c469010eb52c161b
- SHA256: 4dabbcf117046dd4ebd5d15c9441f278b180783dee37047c68f049aec297b455
- SHA512: 1c810c8870d25a51d2cfdc8b0b50429dcbcb1cedfe8569af547eace9000c074f081cc7a22478e97de4c3cfd7a869ff2a6bcb144a8e53f6b9598bbf3c3b4ef62e