Analysis
- max time kernel: 121s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 09/10/2024, 05:33
Behavioral task behavioral1
- Sample: 2bc387a8d3c6574db3a74fd0e757545b_JaffaCakes118.exe
- Resource: win7-20240903-en
Behavioral task behavioral2
- Sample: 2bc387a8d3c6574db3a74fd0e757545b_JaffaCakes118.exe
- Resource: win10v2004-20241007-en
General
- Target: 2bc387a8d3c6574db3a74fd0e757545b_JaffaCakes118.exe
- Size: 42KB
- MD5: 2bc387a8d3c6574db3a74fd0e757545b
- SHA1: deb8991b8ff5e2ae5daffa2d97525affcbc006f9
- SHA256: e4bfa4b1227e615c8869d781fe0d663d173c797bb91e5804fc06b38485cf3839
- SHA512: c91be20c0197ed7807a3cc6db019d23bd6122e36ce9175626438d9596d2f476ff11b6007d49e7cc558d8abd5eb0aa4f9c9582190ab318bb3b54f8b564dc6c74a
- SSDEEP: 768:HBCmFxJuAhfNUK0cLlF+jqPLkqZWaKZ9e7z913lqYrZUC9N660oi:hL5f30aF++LZWa0Uz73UsUm0
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid  | Process
  2708 | cmd.exe
- Loads dropped DLL (2 IoCs)
  pid  | Process
  2752 | rundll32.exe
  2752 | rundll32.exe
- YARA rule match: vmprotect (1 IoC)
  resource                                     | yara_rule
  behavioral1/files/0x00070000000186de-23.dat  | vmprotect
- Modifies WinLogon (2 TTPs, 1 IoC)
  description     | ioc                                                                                                              | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"     | rundll32.exe
- Drops file in System32 directory (3 IoCs)
  description                  | ioc                              | Process
  File created                 | C:\Windows\SysWOW64\sfcos.dll    | 2bc387a8d3c6574db3a74fd0e757545b_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\sfcos.dll    | 2bc387a8d3c6574db3a74fd0e757545b_JaffaCakes118.exe
  File created                 | C:\Windows\SysWOW64\systemp      | 2bc387a8d3c6574db3a74fd0e757545b_JaffaCakes118.exe
- YARA rule match: upx (2 IoCs)
  resource                                                                      | yara_rule
  behavioral1/memory/2748-6-0x0000000000400000-0x000000000041F000-memory.dmp    | upx
  behavioral1/memory/2748-21-0x0000000000400000-0x000000000041F000-memory.dmp   | upx
- Drops file in Program Files directory (6 IoCs)
  description                  | ioc                               | Process
  File opened for modification | C:\Program Files\Saturday         | 2bc387a8d3c6574db3a74fd0e757545b_JaffaCakes118.exe
  File created                 | C:\Program Files\Monday.ime       | 2bc387a8d3c6574db3a74fd0e757545b_JaffaCakes118.exe
  File created                 | C:\Program Files\Tuesday.ime      | 2bc387a8d3c6574db3a74fd0e757545b_JaffaCakes118.exe
  File created                 | C:\Program Files\Wednesday.ime    | 2bc387a8d3c6574db3a74fd0e757545b_JaffaCakes118.exe
  File created                 | C:\Program Files\Sunday.ime       | 2bc387a8d3c6574db3a74fd0e757545b_JaffaCakes118.exe
  File created                 | C:\Program Files\taskmgr.upx      | 2bc387a8d3c6574db3a74fd0e757545b_JaffaCakes118.exe
- Program crash (1 IoC)
  pid  | pid_target | Process      | procid_target
  2888 | 2752       | WerFault.exe | 35
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc                                                               | Process
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language       | sfc.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language       | cmd.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language       | rundll32.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language       | 2bc387a8d3c6574db3a74fd0e757545b_JaffaCakes118.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid  | Process
  2752 | rundll32.exe
  2752 | rundll32.exe
  2752 | rundll32.exe
- Suspicious use of WriteProcessMemory (19 IoCs)
  description                      | pid  | Process                                             | procid_target | count
  PID 2748 wrote to memory of 2660 | 2748 | 2bc387a8d3c6574db3a74fd0e757545b_JaffaCakes118.exe  | 31            | 4
  PID 2748 wrote to memory of 2708 | 2748 | 2bc387a8d3c6574db3a74fd0e757545b_JaffaCakes118.exe  | 32            | 4
  PID 2708 wrote to memory of 2752 | 2708 | cmd.exe                                             | 35            | 7
  PID 2752 wrote to memory of 2888 | 2752 | rundll32.exe                                        | 36            | 4
Processes (process tree, indented by depth)
C:\Users\Admin\AppData\Local\Temp\2bc387a8d3c6574db3a74fd0e757545b_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2bc387a8d3c6574db3a74fd0e757545b_JaffaCakes118.exe"
  PID: 2748
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\sfc.exe
    Command line: "C:\Windows\system32\sfc.exe" /REVERT
    PID: 2660
    - System Location Discovery: System Language Discovery
  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c c:\del.bat
    PID: 2708
    - Deletes itself
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe "C:\Program Files\Monday.ime",Runed
      PID: 2752
      - Loads dropped DLL
      - Modifies WinLogon
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 256
        PID: 2888
        - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 23KB
  MD5: 8399229905d63bdc185adbc1a88c9616
  SHA1: d0b4af3cc18c3c6895794710a40f5a77086e8924
  SHA256: 2f34e5a074ec267e8522c1d5ae8fd5cb805218bbce4e2b8fd697eb51e4636865
  SHA512: 2b072f3695527e7c5cc8d7a1d85286cfb77d686526daca47e710114f1645c15bd2e6e140c3744278e5a92d6678627ccfddbcce48b1ab3b010cb97b66abf04a02
- Filesize: 70B
  MD5: caa555f2383857e231ba5f74ebbce0a7
  SHA1: f98a9a0564aa0dddce8dd421d6ce2558d3ce1192
  SHA256: 0ff5d73687864cb762d58f5138cba9e506276a31f2bcc02705f3f35006152fa0
  SHA512: 7903e539f810565dcd411509d22226b7fc0082504e736164068360c30b3a18fbcabc7605288130b5e68f44e6afb9073541076cf0766433226dfb89b3cee6f60d
- Filesize: 40KB
  MD5: 84799328d87b3091a3bdd251e1ad31f9
  SHA1: 64dbbe8210049f4d762de22525a7fe4313bf99d0
  SHA256: f85521215924388830dbb13580688db70b46af4c7d82d549d09086438f8d237b
  SHA512: 0a9401c9c687f0edca01258c7920596408934caa21e5392dbaefc222c5c021255a40ec7c114a805cdb7f5a6153ec9fa9592edcc9e45406ce5612aa4e3da6a2c4
- Filesize: 4KB
  MD5: 1bc38d164c166eda1e6095a07ad25c1e
  SHA1: e638bf29cd0579e6a7170eb18194879b01a21086
  SHA256: cf449c0f6af9dcf832804aa2a66f12531ecfbaf89f5789ce0bdcb946aafd06d5
  SHA512: 1b6ac09e42ad1922d589ca1b4cf6bfca5652e8bab9f381ef982ee30e7e9192d426446f1538380dd152ba9ecb9a1b2e5d74e0082ad943dfcf662eb5a4744c9752
- Filesize: 270B
  MD5: b7d6eb4a179396310db90c402a577fd5
  SHA1: c1236c9ed58afef128e0163b7a8153a4bcfd09d0
  SHA256: 66ddf91b5503f0c9063d51a3499cfee1964e2dc4540941c6948c23da9e8bb22c
  SHA512: 7a4e7d44b27494fc647da0abb0d8d8f6a374b72862572a93b2e07235fed003af4597dcc566ac58d6785ca606a3c4a99c215a3c4f00399b20d3dbba2bb6a6ddcf