Analysis
max time kernel: 137s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 13/10/2024, 01:29
Static task: static1
Behavioral task: behavioral1
  Sample: 3d11e305c3f94306192feff8aa587b4d_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 3d11e305c3f94306192feff8aa587b4d_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: 3d11e305c3f94306192feff8aa587b4d_JaffaCakes118.exe
Size: 396KB
MD5: 3d11e305c3f94306192feff8aa587b4d
SHA1: b732d4389d153701226ce382ecdc62fd2d2890e5
SHA256: e0c611206e7afa94caf267cb42cb7c772e1a1955a43506128ed143b93772fd22
SHA512: 2343f429209b3e272d32a035f907a73e51b6930949614d4629cd669431bb8bde15791b06fc79af4def2e64ada7f33f461aaf6aef1b8e26fab2171f21cdd09a39
SSDEEP: 6144:WBiIchoPgj9eXVcOcOb0yL8yvImI7UVbVTRg23gyTiLBS+lWlE9YlxwT:giIciKeZcOAyLbvImTVbVTuktiR9WwT
Malware Config
Signatures
Executes dropped EXE (20 IoCs)
pid   Process
236   crss.exe
2460  crss.exe
2344  crss.exe
2780  crss.exe
2196  crss.exe
2708  crss.exe
2672  crss.exe
2924  crss.exe
2428  crss.exe
1052  crss.exe
644   crss.exe
576   crss.exe
2200  crss.exe
2792  crss.exe
1788  crss.exe
1700  crss.exe
1932  crss.exe
2528  crss.exe
324   crss.exe
1360  crss.exe
Loads dropped DLL (21 IoCs)
pid   Process
2580  3d11e305c3f94306192feff8aa587b4d_JaffaCakes118.exe
2580  3d11e305c3f94306192feff8aa587b4d_JaffaCakes118.exe
236   crss.exe
2460  crss.exe
2460  crss.exe
2780  crss.exe
2780  crss.exe
2708  crss.exe
2708  crss.exe
2924  crss.exe
2924  crss.exe
1052  crss.exe
1052  crss.exe
576   crss.exe
576   crss.exe
2792  crss.exe
2792  crss.exe
1700  crss.exe
1700  crss.exe
2528  crss.exe
2528  crss.exe
Drops file in System32 directory (22 IoCs)
description                   ioc                           Process
File created                  C:\Windows\SysWOW64\crss.exe  crss.exe
File opened for modification  C:\Windows\SysWOW64\crss.exe  crss.exe
File opened for modification  C:\Windows\SysWOW64\crss.exe  crss.exe
File opened for modification  C:\Windows\SysWOW64\crss.exe  crss.exe
File opened for modification  C:\Windows\SysWOW64\crss.exe  crss.exe
File created                  C:\Windows\SysWOW64\crss.exe  crss.exe
File opened for modification  C:\Windows\SysWOW64\crss.exe  crss.exe
File created                  C:\Windows\SysWOW64\crss.exe  3d11e305c3f94306192feff8aa587b4d_JaffaCakes118.exe
File created                  C:\Windows\SysWOW64\crss.exe  crss.exe
File opened for modification  C:\Windows\SysWOW64\crss.exe  crss.exe
File opened for modification  C:\Windows\SysWOW64\crss.exe  crss.exe
File opened for modification  C:\Windows\SysWOW64\crss.exe  crss.exe
File created                  C:\Windows\SysWOW64\crss.exe  crss.exe
File created                  C:\Windows\SysWOW64\crss.exe  crss.exe
File created                  C:\Windows\SysWOW64\crss.exe  crss.exe
File created                  C:\Windows\SysWOW64\crss.exe  crss.exe
File created                  C:\Windows\SysWOW64\crss.exe  crss.exe
File opened for modification  C:\Windows\SysWOW64\crss.exe  crss.exe
File opened for modification  C:\Windows\SysWOW64\crss.exe  crss.exe
File created                  C:\Windows\SysWOW64\crss.exe  crss.exe
File created                  C:\Windows\SysWOW64\crss.exe  crss.exe
File opened for modification  C:\Windows\SysWOW64\crss.exe  3d11e305c3f94306192feff8aa587b4d_JaffaCakes118.exe
Suspicious use of SetThreadContext (11 IoCs)
description                          pid   Process                                              procid_target
PID 1680 set thread context of 2580  1680  3d11e305c3f94306192feff8aa587b4d_JaffaCakes118.exe  30
PID 236 set thread context of 2460   236   crss.exe                                             32
PID 2344 set thread context of 2780  2344  crss.exe                                             35
PID 2196 set thread context of 2708  2196  crss.exe                                             37
PID 2672 set thread context of 2924  2672  crss.exe                                             39
PID 2428 set thread context of 1052  2428  crss.exe                                             41
PID 644 set thread context of 576    644   crss.exe                                             43
PID 2200 set thread context of 2792  2200  crss.exe                                             45
PID 1788 set thread context of 1700  1788  crss.exe                                             47
PID 1932 set thread context of 2528  1932  crss.exe                                             49
PID 324 set thread context of 1360   324   crss.exe                                             51
System Location Discovery: System Language Discovery (1 TTP, 22 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  3d11e305c3f94306192feff8aa587b4d_JaffaCakes118.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  crss.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  crss.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  crss.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  crss.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  crss.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  crss.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  3d11e305c3f94306192feff8aa587b4d_JaffaCakes118.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  crss.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  crss.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  crss.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  crss.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  crss.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  crss.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  crss.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  crss.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  crss.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  crss.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  crss.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  crss.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  crss.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  crss.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description                      pid   Process                                              procid_target
PID 1680 wrote to memory of 2580  1680  3d11e305c3f94306192feff8aa587b4d_JaffaCakes118.exe  30
PID 1680 wrote to memory of 2580  1680  3d11e305c3f94306192feff8aa587b4d_JaffaCakes118.exe  30
PID 1680 wrote to memory of 2580  1680  3d11e305c3f94306192feff8aa587b4d_JaffaCakes118.exe  30
PID 1680 wrote to memory of 2580  1680  3d11e305c3f94306192feff8aa587b4d_JaffaCakes118.exe  30
PID 1680 wrote to memory of 2580  1680  3d11e305c3f94306192feff8aa587b4d_JaffaCakes118.exe  30
PID 1680 wrote to memory of 2580  1680  3d11e305c3f94306192feff8aa587b4d_JaffaCakes118.exe  30
PID 2580 wrote to memory of 236   2580  3d11e305c3f94306192feff8aa587b4d_JaffaCakes118.exe  31
PID 2580 wrote to memory of 236   2580  3d11e305c3f94306192feff8aa587b4d_JaffaCakes118.exe  31
PID 2580 wrote to memory of 236   2580  3d11e305c3f94306192feff8aa587b4d_JaffaCakes118.exe  31
PID 2580 wrote to memory of 236   2580  3d11e305c3f94306192feff8aa587b4d_JaffaCakes118.exe  31
PID 236 wrote to memory of 2460   236   crss.exe                                             32
PID 236 wrote to memory of 2460   236   crss.exe                                             32
PID 236 wrote to memory of 2460   236   crss.exe                                             32
PID 236 wrote to memory of 2460   236   crss.exe                                             32
PID 236 wrote to memory of 2460   236   crss.exe                                             32
PID 236 wrote to memory of 2460   236   crss.exe                                             32
PID 2460 wrote to memory of 2344  2460  crss.exe                                             34
PID 2460 wrote to memory of 2344  2460  crss.exe                                             34
PID 2460 wrote to memory of 2344  2460  crss.exe                                             34
PID 2460 wrote to memory of 2344  2460  crss.exe                                             34
PID 2344 wrote to memory of 2780  2344  crss.exe                                             35
PID 2344 wrote to memory of 2780  2344  crss.exe                                             35
PID 2344 wrote to memory of 2780  2344  crss.exe                                             35
PID 2344 wrote to memory of 2780  2344  crss.exe                                             35
PID 2344 wrote to memory of 2780  2344  crss.exe                                             35
PID 2344 wrote to memory of 2780  2344  crss.exe                                             35
PID 2780 wrote to memory of 2196  2780  crss.exe                                             36
PID 2780 wrote to memory of 2196  2780  crss.exe                                             36
PID 2780 wrote to memory of 2196  2780  crss.exe                                             36
PID 2780 wrote to memory of 2196  2780  crss.exe                                             36
PID 2196 wrote to memory of 2708  2196  crss.exe                                             37
PID 2196 wrote to memory of 2708  2196  crss.exe                                             37
PID 2196 wrote to memory of 2708  2196  crss.exe                                             37
PID 2196 wrote to memory of 2708  2196  crss.exe                                             37
PID 2196 wrote to memory of 2708  2196  crss.exe                                             37
PID 2196 wrote to memory of 2708  2196  crss.exe                                             37
PID 2708 wrote to memory of 2672  2708  crss.exe                                             38
PID 2708 wrote to memory of 2672  2708  crss.exe                                             38
PID 2708 wrote to memory of 2672  2708  crss.exe                                             38
PID 2708 wrote to memory of 2672  2708  crss.exe                                             38
PID 2672 wrote to memory of 2924  2672  crss.exe                                             39
PID 2672 wrote to memory of 2924  2672  crss.exe                                             39
PID 2672 wrote to memory of 2924  2672  crss.exe                                             39
PID 2672 wrote to memory of 2924  2672  crss.exe                                             39
PID 2672 wrote to memory of 2924  2672  crss.exe                                             39
PID 2672 wrote to memory of 2924  2672  crss.exe                                             39
PID 2924 wrote to memory of 2428  2924  crss.exe                                             40
PID 2924 wrote to memory of 2428  2924  crss.exe                                             40
PID 2924 wrote to memory of 2428  2924  crss.exe                                             40
PID 2924 wrote to memory of 2428  2924  crss.exe                                             40
PID 2428 wrote to memory of 1052  2428  crss.exe                                             41
PID 2428 wrote to memory of 1052  2428  crss.exe                                             41
PID 2428 wrote to memory of 1052  2428  crss.exe                                             41
PID 2428 wrote to memory of 1052  2428  crss.exe                                             41
PID 2428 wrote to memory of 1052  2428  crss.exe                                             41
PID 2428 wrote to memory of 1052  2428  crss.exe                                             41
PID 1052 wrote to memory of 644   1052  crss.exe                                             42
PID 1052 wrote to memory of 644   1052  crss.exe                                             42
PID 1052 wrote to memory of 644   1052  crss.exe                                             42
PID 1052 wrote to memory of 644   1052  crss.exe                                             42
PID 644 wrote to memory of 576    644   crss.exe                                             43
PID 644 wrote to memory of 576    644   crss.exe                                             43
PID 644 wrote to memory of 576    644   crss.exe                                             43
PID 644 wrote to memory of 576    644   crss.exe                                             43
Processes
Level 1 (PID 1680): C:\Users\Admin\AppData\Local\Temp\3d11e305c3f94306192feff8aa587b4d_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3d11e305c3f94306192feff8aa587b4d_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Level 2 (PID 2580): C:\Users\Admin\AppData\Local\Temp\3d11e305c3f94306192feff8aa587b4d_JaffaCakes118.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\3d11e305c3f94306192feff8aa587b4d_JaffaCakes118.exe
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Level 3 (PID 236): C:\Windows\SysWOW64\crss.exe
  Command line: C:\Windows\system32\crss.exe 484 "C:\Users\Admin\AppData\Local\Temp\3d11e305c3f94306192feff8aa587b4d_JaffaCakes118.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Level 4 (PID 2460): C:\Windows\SysWOW64\crss.exe
  Command line: C:\Windows\SysWOW64\crss.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Level 5 (PID 2344): C:\Windows\SysWOW64\crss.exe
  Command line: C:\Windows\system32\crss.exe 528 "C:\Windows\SysWOW64\crss.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Level 6 (PID 2780): C:\Windows\SysWOW64\crss.exe
  Command line: C:\Windows\SysWOW64\crss.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Level 7 (PID 2196): C:\Windows\SysWOW64\crss.exe
  Command line: C:\Windows\system32\crss.exe 524 "C:\Windows\SysWOW64\crss.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Level 8 (PID 2708): C:\Windows\SysWOW64\crss.exe
  Command line: C:\Windows\SysWOW64\crss.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Level 9 (PID 2672): C:\Windows\SysWOW64\crss.exe
  Command line: C:\Windows\system32\crss.exe 524 "C:\Windows\SysWOW64\crss.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Level 10 (PID 2924): C:\Windows\SysWOW64\crss.exe
  Command line: C:\Windows\SysWOW64\crss.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Level 11 (PID 2428): C:\Windows\SysWOW64\crss.exe
  Command line: C:\Windows\system32\crss.exe 524 "C:\Windows\SysWOW64\crss.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Level 12 (PID 1052): C:\Windows\SysWOW64\crss.exe
  Command line: C:\Windows\SysWOW64\crss.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Level 13 (PID 644): C:\Windows\SysWOW64\crss.exe
  Command line: C:\Windows\system32\crss.exe 528 "C:\Windows\SysWOW64\crss.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Level 14 (PID 576): C:\Windows\SysWOW64\crss.exe
  Command line: C:\Windows\SysWOW64\crss.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery

Level 15 (PID 2200): C:\Windows\SysWOW64\crss.exe
  Command line: C:\Windows\system32\crss.exe 524 "C:\Windows\SysWOW64\crss.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery

Level 16 (PID 2792): C:\Windows\SysWOW64\crss.exe
  Command line: C:\Windows\SysWOW64\crss.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery

Level 17 (PID 1788): C:\Windows\SysWOW64\crss.exe
  Command line: C:\Windows\system32\crss.exe 528 "C:\Windows\SysWOW64\crss.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery

Level 18 (PID 1700): C:\Windows\SysWOW64\crss.exe
  Command line: C:\Windows\SysWOW64\crss.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery

Level 19 (PID 1932): C:\Windows\SysWOW64\crss.exe
  Command line: C:\Windows\system32\crss.exe 528 "C:\Windows\SysWOW64\crss.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery

Level 20 (PID 2528): C:\Windows\SysWOW64\crss.exe
  Command line: C:\Windows\SysWOW64\crss.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery

Level 21 (PID 324): C:\Windows\SysWOW64\crss.exe
  Command line: C:\Windows\system32\crss.exe 524 "C:\Windows\SysWOW64\crss.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery

Level 22 (PID 1360): C:\Windows\SysWOW64\crss.exe
  Command line: C:\Windows\SysWOW64\crss.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15