Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
141s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
12/10/2024, 03:02 UTC
Static task
static1
Behavioral task
behavioral1
Sample
3824959f2dc29e6a05b1b02c264050c3_JaffaCakes118.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
3824959f2dc29e6a05b1b02c264050c3_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
3824959f2dc29e6a05b1b02c264050c3_JaffaCakes118.exe
-
Size
1.5MB
-
MD5
3824959f2dc29e6a05b1b02c264050c3
-
SHA1
3be1a62c78811dac2bc26fac4dbcb2f5f0549e7f
-
SHA256
e5118ab605d40f09c2a883cb8abdaaeb70c594cd374aad433272595a9b66feae
-
SHA512
704286ffff089a7aa1f006b571fc5f099189cd81fe01c50e4b3650f5282c38b387fe436a11dc379e146078f6cb840b41609e4b7ff4d8335020ee15a92679dbbb
-
SSDEEP
49152:yiAzrL69yAIcIXcbEeGROT4G+6Yi1r13O+mOs:yiAzrL69yAIcIXcbENROT4Gzj1rx+
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2944 is-6935T.tmp -
Loads dropped DLL 3 IoCs
pid Process 1096 3824959f2dc29e6a05b1b02c264050c3_JaffaCakes118.exe 2944 is-6935T.tmp 2944 is-6935T.tmp -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3824959f2dc29e6a05b1b02c264050c3_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language is-6935T.tmp -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2944 is-6935T.tmp -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 1096 wrote to memory of 2944 1096 3824959f2dc29e6a05b1b02c264050c3_JaffaCakes118.exe 30 PID 1096 wrote to memory of 2944 1096 3824959f2dc29e6a05b1b02c264050c3_JaffaCakes118.exe 30 PID 1096 wrote to memory of 2944 1096 3824959f2dc29e6a05b1b02c264050c3_JaffaCakes118.exe 30 PID 1096 wrote to memory of 2944 1096 3824959f2dc29e6a05b1b02c264050c3_JaffaCakes118.exe 30 PID 1096 wrote to memory of 2944 1096 3824959f2dc29e6a05b1b02c264050c3_JaffaCakes118.exe 30 PID 1096 wrote to memory of 2944 1096 3824959f2dc29e6a05b1b02c264050c3_JaffaCakes118.exe 30 PID 1096 wrote to memory of 2944 1096 3824959f2dc29e6a05b1b02c264050c3_JaffaCakes118.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\3824959f2dc29e6a05b1b02c264050c3_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\3824959f2dc29e6a05b1b02c264050c3_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1096 -
C:\Users\Admin\AppData\Local\Temp\is-VQTFB.tmp\is-6935T.tmp"C:\Users\Admin\AppData\Local\Temp\is-VQTFB.tmp\is-6935T.tmp" /SL4 $500F4 "C:\Users\Admin\AppData\Local\Temp\3824959f2dc29e6a05b1b02c264050c3_JaffaCakes118.exe" 1368317 522242⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
PID:2944
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
22KB
MD592dc6ef532fbb4a5c3201469a5b5eb63
SHA13e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA2569884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA5129908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
-
Filesize
634KB
MD5d291acbf9866b8846fe0629e690feb1a
SHA1293314b11340d798d3c74e2416e2a43f267a25d6
SHA256ab3e1fa210171e5ed2decc615c9328379ee3d29b55ee0e5d7ef6bece43f583eb
SHA512320e68a67fdcf13dc25640cf68468abd9e0dc51b647f95277eebbd06c7c5ee298b1f68d4a01deb886979e42cbc3eddf16ac4db18884a96b1535598ba11ba36ed