Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 117s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
- submitted: 09/10/2024, 05:04
Static task: static1
Behavioral task: behavioral1
  Sample: 2b599dda27a3c0cf5f5901a056367560_JaffaCakes118.jad
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 2b599dda27a3c0cf5f5901a056367560_JaffaCakes118.jad
  Resource: win10v2004-20241007-en
General
- Target: 2b599dda27a3c0cf5f5901a056367560_JaffaCakes118.jad
- Size: 132KB
- MD5: 2b599dda27a3c0cf5f5901a056367560
- SHA1: a2fb8a7547bc2a52530d15715a3f2f464f7bf474
- SHA256: 069724dd48f8d4ef5b09530f2695d6b9627c4e799ed4f8df797605b2e05b4350
- SHA512: 094f997807c253ff332df1f1462bde8969050f31cf5f048a3a868222a89590534b038df7211837ea9431d663a6bfab92754cbe5d2e547b00599622d70d2766b7
- SSDEEP: 3072:X8t6nY7UmZsArG/ZsArG2ZsArGpZsArGQZsArG4j:X8G+UmZTmZTvZTsZT9ZTTj
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: AcroRd32.exe)
- Modifies registry class (1 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings (process: rundll32.exe)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  PID 2908 AcroRd32.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 2908 AcroRd32.exe
  PID 2908 AcroRd32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Columns: description | pid | process | procid_target
  PID 1864 wrote to memory of 2888 | 1864 | cmd.exe | 31
  PID 1864 wrote to memory of 2888 | 1864 | cmd.exe | 31
  PID 1864 wrote to memory of 2888 | 1864 | cmd.exe | 31
  PID 2888 wrote to memory of 2908 | 2888 | rundll32.exe | 33
  PID 2888 wrote to memory of 2908 | 2888 | rundll32.exe | 33
  PID 2888 wrote to memory of 2908 | 2888 | rundll32.exe | 33
  PID 2888 wrote to memory of 2908 | 2888 | rundll32.exe | 33
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\2b599dda27a3c0cf5f5901a056367560_JaffaCakes118.jad
  PID: 1864
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe
    Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\2b599dda27a3c0cf5f5901a056367560_JaffaCakes118.jad
    PID: 2888
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\2b599dda27a3c0cf5f5901a056367560_JaffaCakes118.jad"
      PID: 2908
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3KB
  MD5: 595b0f142017ecfa1c886ef7f3c1f076
  SHA1: 61cb91e2c4b6ff9e81f9e30e42dbed319bd992f0
  SHA256: b15ff4fa07b9dd6278ada55950f6166db170697a1d78ec0bdc29d9b71688be35
  SHA512: 0844e9ee16b6e10956133e12e738352cf76f1840a4a4c7cde86b846b54192b1547d7e6cd3ed89e751789c2d7bda96252321f9ba9ee1fce2cb4ce10dc578dcfc1