Analysis
max time kernel: 144s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 10/10/2024, 16:45
Static task: static1
Behavioral task: behavioral1
  Sample: 30e89c91bf446bb1be725db2da3a51ef_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 30e89c91bf446bb1be725db2da3a51ef_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: 30e89c91bf446bb1be725db2da3a51ef_JaffaCakes118.exe
Size: 161KB
MD5: 30e89c91bf446bb1be725db2da3a51ef
SHA1: 1311d784356df931281cd612f50cf3739de3ec17
SHA256: dc9a7e5b843aab901fd4420c49108a61fb17584c1f8e78aca94e1cfb0ba242cb
SHA512: cc6f7a34dfaef81b80c104be63ada7d5be06f3a0aa4da052a5475ddd6f8acf5b469a5c4408883595174f4d6c351e2d75d4d8b41688c0c283fbaef4df12bfb54a
SSDEEP: 1536:CAJZlOzMqcQihjbWpGkpzVKiPfeEGklAn+bQiq3X8tU7SCcKjoUZn/lEoRDBf3:COjOJHYq9PvQn+bQT8i7PBjoUR/lEQ3
Malware Config
Signatures
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 2 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Windows runs a component's StubPath at a user's next interactive logon when that user's HKCU copy of the component is missing or older, so the value below causes the dropped C:\Windows\winhost32.exe to be launched again at logon. The key is written under Wow6432Node, the 32-bit view of the registry on this x64 image.
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{XL8381D8F2-0288-11D0-9501-00AA00B911tb} | winhost32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{XL8381D8F2-0288-11D0-9501-00AA00B911tb}\StubPath = "C:\\Windows\\winhost32.exe" | winhost32.exe
Deletes itself (1 IoC)
pid | process
2932 | winhost32.exe

Executes dropped EXE (2 IoCs)
pid | process
2776 | winhost32.exe
2932 | winhost32.exe

Drops file in Windows directory (4 IoCs)
description | ioc | process
File created | C:\Windows\sysm.ss | 30e89c91bf446bb1be725db2da3a51ef_JaffaCakes118.exe
File created | C:\Windows\winhost32.exe | 30e89c91bf446bb1be725db2da3a51ef_JaffaCakes118.exe
File opened for modification | C:\Windows\winhost32.exe | 30e89c91bf446bb1be725db2da3a51ef_JaffaCakes118.exe
File created | C:\Windows\sysa.ss | winhost32.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winhost32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 30e89c91bf446bb1be725db2da3a51ef_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winhost32.exe
Suspicious use of WriteProcessMemory (8 IoCs)
Every row is a parent writing into a child it has just created (2440 -> 2776 -> 2932, the same chain as the process tree below); no write targets an unrelated process, so these rows document the spawn sequence rather than cross-process injection.
description | pid | process | procid_target
PID 2440 wrote to memory of 2776 | 2440 | 30e89c91bf446bb1be725db2da3a51ef_JaffaCakes118.exe | 30
PID 2440 wrote to memory of 2776 | 2440 | 30e89c91bf446bb1be725db2da3a51ef_JaffaCakes118.exe | 30
PID 2440 wrote to memory of 2776 | 2440 | 30e89c91bf446bb1be725db2da3a51ef_JaffaCakes118.exe | 30
PID 2440 wrote to memory of 2776 | 2440 | 30e89c91bf446bb1be725db2da3a51ef_JaffaCakes118.exe | 30
PID 2776 wrote to memory of 2932 | 2776 | winhost32.exe | 31
PID 2776 wrote to memory of 2932 | 2776 | winhost32.exe | 31
PID 2776 wrote to memory of 2932 | 2776 | winhost32.exe | 31
PID 2776 wrote to memory of 2932 | 2776 | winhost32.exe | 31
Processes
1. C:\Users\Admin\AppData\Local\Temp\30e89c91bf446bb1be725db2da3a51ef_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\30e89c91bf446bb1be725db2da3a51ef_JaffaCakes118.exe"
   PID: 2440
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\winhost32.exe (child of PID 2440)
      Command line: "C:\Windows\winhost32.exe"
      PID: 2776
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\winhost32.exe (child of PID 2776)
         Command line: "C:\Windows\winhost32.exe"
         PID: 2932
         - Boot or Logon Autostart Execution: Active Setup
         - Deletes itself
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
Filesize: 84B
MD5: 185de443ff348506e3c4e98eef1b05ba
SHA1: 9e7b959d6b63eb7f3b899d3c81d205d2c7c9207e
SHA256: b1b6fb38505ccfb15e02e6645e575b78cef72a68febda1962de8bd9c7fed333d
SHA512: 0e097af1e6c254fcc7977a91ad4467a6d00d912200160f0730446eb5c9dc696d24d19423c88ecd4852f2d23c8d0f7932e9f02ff842d02282f0cf4e3d4747d5b3

File 2 (same size and hashes as the submitted sample)
Filesize: 161KB
MD5: 30e89c91bf446bb1be725db2da3a51ef
SHA1: 1311d784356df931281cd612f50cf3739de3ec17
SHA256: dc9a7e5b843aab901fd4420c49108a61fb17584c1f8e78aca94e1cfb0ba242cb
SHA512: cc6f7a34dfaef81b80c104be63ada7d5be06f3a0aa4da052a5475ddd6f8acf5b469a5c4408883595174f4d6c351e2d75d4d8b41688c0c283fbaef4df12bfb54a