Analysis
- max time kernel: 150s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 10/10/2024, 14:43
Static task: static1
Behavioral task: behavioral1
- Sample: 30689d5387b5fcf72042e91e7e0e9bfe_JaffaCakes118.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 30689d5387b5fcf72042e91e7e0e9bfe_JaffaCakes118.exe
- Resource: win10v2004-20241007-en
General
- Target: 30689d5387b5fcf72042e91e7e0e9bfe_JaffaCakes118.exe
- Size: 272KB
- MD5: 30689d5387b5fcf72042e91e7e0e9bfe
- SHA1: 8ad20a9b0a71cfc6b2e6c303971d57128daf79d0
- SHA256: 9bb9c3895e3b3881593bc95f58efe149ef15439ed5b53c2d9387f83e5ce1bb8b
- SHA512: 47963523f8af9f7b7fb6a20bb9356a7503d717346a6280bb9d4c84e4a727849f235aefe32743818e89868c2ce2e9860c9d317843f41607e0dfe7596d9ad14c4f
- SSDEEP: 6144:Q6Q4uYV6jvSDxs36+7HqPFpawolmR8e2bLqU/i:Q6Q4/V6Tos36+7HAzawBR8P+r
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 3040, Process Drymia.exe
- Drops file in Windows directory (6 IoCs)
  description / ioc / Process:
  File created: C:\Windows\Drymia.exe (30689d5387b5fcf72042e91e7e0e9bfe_JaffaCakes118.exe)
  File opened for modification: C:\Windows\Drymia.exe (30689d5387b5fcf72042e91e7e0e9bfe_JaffaCakes118.exe)
  File created: C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job (Drymia.exe)
  File opened for modification: C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job (Drymia.exe)
  File created: C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job (30689d5387b5fcf72042e91e7e0e9bfe_JaffaCakes118.exe)
  File opened for modification: C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job (30689d5387b5fcf72042e91e7e0e9bfe_JaffaCakes118.exe)
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process:
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (30689d5387b5fcf72042e91e7e0e9bfe_JaffaCakes118.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Drymia.exe)
- Modifies Internet Explorer settings (2 IoCs)
  description / ioc / Process:
  Key created: \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main (Drymia.exe)
  Key created: \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\International (Drymia.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 3040, Process Drymia.exe (64 identical entries)
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid 2572, Process 30689d5387b5fcf72042e91e7e0e9bfe_JaffaCakes118.exe
  pid 3040, Process Drymia.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description / pid / Process / procid_target:
  PID 2572 wrote to memory of 3040; pid 2572; Process 30689d5387b5fcf72042e91e7e0e9bfe_JaffaCakes118.exe; procid_target 30 (7 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\30689d5387b5fcf72042e91e7e0e9bfe_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\30689d5387b5fcf72042e91e7e0e9bfe_JaffaCakes118.exe"
  PID: 2572
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Drymia.exe (child of PID 2572)
    Command line: C:\Windows\Drymia.exe
    PID: 3040
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 272KB
  MD5: 30689d5387b5fcf72042e91e7e0e9bfe
  SHA1: 8ad20a9b0a71cfc6b2e6c303971d57128daf79d0
  SHA256: 9bb9c3895e3b3881593bc95f58efe149ef15439ed5b53c2d9387f83e5ce1bb8b
  SHA512: 47963523f8af9f7b7fb6a20bb9356a7503d717346a6280bb9d4c84e4a727849f235aefe32743818e89868c2ce2e9860c9d317843f41607e0dfe7596d9ad14c4f
- Filesize: 372B
  MD5: 769bddc32e9941bae8c87065ebaa1c7f
  SHA1: fb80cf94564f8afa8668cc238b98d29ed617a960
  SHA256: df4ab56e6e087146a7e9b9acd5314419405aa82f769688ff5ac01568f847896b
  SHA512: 963c58109475960a8376739b378b815e2b3c80b343d552cc97af3849e8fc04b67f32d6b667485cef95b7523f832a6eca008a63571183847df405db0683161a67