Analysis
- max time kernel: 150s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 05/10/2024, 01:14
Static task
- static1
Behavioral task
- behavioral1
  - Sample: 159a0a7bf6c1ee8085430cbf30d554fc_JaffaCakes118.exe
  - Resource: win7-20240708-en
Behavioral task
- behavioral2
  - Sample: 159a0a7bf6c1ee8085430cbf30d554fc_JaffaCakes118.exe
  - Resource: win10v2004-20240802-en
General
- Target: 159a0a7bf6c1ee8085430cbf30d554fc_JaffaCakes118.exe
- Size: 116KB
- MD5: 159a0a7bf6c1ee8085430cbf30d554fc
- SHA1: d7d11f0e995f8c3c4e4e337d74be8546f1875ede
- SHA256: 9ad212c6a644a9a0b6b95fc0f554682a0bea61266f85875fcf31d2dbcfa26d46
- SHA512: abbc8fe7e24f2a9d723c77696b1bc2be3a37e6a85c707644b7470614620f2698709890ae4b7ef3628b254d7662bd21c07b8463f4a237417b0ec1fbf9c6b3fb74
- SSDEEP: 3072:98RTVXDNJqxSA5HDc3I3nNoOsRXurRUQzj+5o/U:SZRcx5VMpOKXur2Qf+5o
Malware Config
Signatures
Executes dropped EXE 1 IoCs
- pid 2708, Process: Zrahoa.exe
Drops file in Windows directory 6 IoCs
- File created: C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job (Process: 159a0a7bf6c1ee8085430cbf30d554fc_JaffaCakes118.exe)
- File opened for modification: C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job (Process: 159a0a7bf6c1ee8085430cbf30d554fc_JaffaCakes118.exe)
- File created: C:\Windows\Zrahoa.exe (Process: 159a0a7bf6c1ee8085430cbf30d554fc_JaffaCakes118.exe)
- File opened for modification: C:\Windows\Zrahoa.exe (Process: 159a0a7bf6c1ee8085430cbf30d554fc_JaffaCakes118.exe)
- File created: C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job (Process: Zrahoa.exe)
- File opened for modification: C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job (Process: Zrahoa.exe)
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: 159a0a7bf6c1ee8085430cbf30d554fc_JaffaCakes118.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: Zrahoa.exe)
Modifies Internet Explorer settings
- Key created: \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main (Process: Zrahoa.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\International (Process: Zrahoa.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
- pid 2708, Process: Zrahoa.exe (all 64 entries are identical)
Suspicious use of WriteProcessMemory 4 IoCs
- PID 2420 wrote to memory of 2708 (pid 2420, Process: 159a0a7bf6c1ee8085430cbf30d554fc_JaffaCakes118.exe, procid_target 30); all 4 entries are identical
Processes
- C:\Users\Admin\AppData\Local\Temp\159a0a7bf6c1ee8085430cbf30d554fc_JaffaCakes118.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\159a0a7bf6c1ee8085430cbf30d554fc_JaffaCakes118.exe"
  PID: 2420
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Zrahoa.exe (depth 2)
    Command line: C:\Windows\Zrahoa.exe
    PID: 2708
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads