Analysis
- max time kernel: 117s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 05/10/2024, 02:17
Static task: static1
Behavioral task: behavioral1
- Sample: 15c59fd06dd14e231b0b0b71e22ab030_JaffaCakes118.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 15c59fd06dd14e231b0b0b71e22ab030_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: 15c59fd06dd14e231b0b0b71e22ab030_JaffaCakes118.exe
- Size: 505KB
- MD5: 15c59fd06dd14e231b0b0b71e22ab030
- SHA1: 017eedab69d5c63126c14af586bb20f1cc6aa62e
- SHA256: 4846a9411ecb32ff511fbcabddc9114bd05f00566d4831db057da95afd16ee53
- SHA512: 2fce1a4634a95dcc665b87738475e70ed8afb8c2b236b269ec009c0a448fda99c78fcbcbd5335e1ed12f5bff2d44a99b66af92d8d8d067fd989470190cdcb1c1
- SSDEEP: 12288:Iu3URWtsYf8PemjE8h0UxH9ND6fvhMrf1seW2/agR:IkQe8PemjTh0Ul/8vh+qUR
Malware Config
Signatures
- Event Triggered Execution: AppInit DLLs (1 TTPs)
  Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
- Executes dropped EXE (1 IoCs)
  - PID 2708: uhtmzji.exe
- Drops file in Program Files directory (2 IoCs)
  - File created: C:\PROGRA~3\Mozilla\mwcbflb.dll (process: uhtmzji.exe)
  - File created: C:\PROGRA~3\Mozilla\uhtmzji.exe (process: 15c59fd06dd14e231b0b0b71e22ab030_JaffaCakes118.exe)
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 15c59fd06dd14e231b0b0b71e22ab030_JaffaCakes118.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: uhtmzji.exe)
- Suspicious use of UnmapMainImage (2 IoCs)
  - PID 2932: 15c59fd06dd14e231b0b0b71e22ab030_JaffaCakes118.exe
  - PID 2708: uhtmzji.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  - PID 2308 (taskeng.exe) wrote to memory of PID 2708 (procid_target 31)
  - PID 2308 (taskeng.exe) wrote to memory of PID 2708 (procid_target 31)
  - PID 2308 (taskeng.exe) wrote to memory of PID 2708 (procid_target 31)
  - PID 2308 (taskeng.exe) wrote to memory of PID 2708 (procid_target 31)
Processes
- C:\Users\Admin\AppData\Local\Temp\15c59fd06dd14e231b0b0b71e22ab030_JaffaCakes118.exe (PID 2932)
  Command line: "C:\Users\Admin\AppData\Local\Temp\15c59fd06dd14e231b0b0b71e22ab030_JaffaCakes118.exe"
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
- C:\Windows\system32\taskeng.exe (PID 2308)
  Command line: taskeng.exe {90A6B9A6-756F-4268-94F8-B136DE696B60} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  - Child process: C:\PROGRA~3\Mozilla\uhtmzji.exe (PID 2708)
    Command line: C:\PROGRA~3\Mozilla\uhtmzji.exe -fbfzjgk
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 505KB
- MD5: c71c387163d80081360af61d0491fe27
- SHA1: b328071f5f4765af43bcc77580328ef1de9fe94d
- SHA256: 9b68a1e5c20c21e53952aa98fd12e0be8b9235846a46dc7ffc24bb17bbce8302
- SHA512: 5d544d722c00cd096bdd4f2ce89a846c24713b59b167e40c033b12afb53594aaa01e0abe20551b2b2a52d712dabb4d0a45b75edda8d3d96bfe369f1c1bc17f7e