Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
118s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system -
submitted
13/10/2024, 03:34
Static task
static1
Behavioral task
behavioral1
Sample
3d9229dfafc8a8f7106a787f80b7a167_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
3d9229dfafc8a8f7106a787f80b7a167_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
3d9229dfafc8a8f7106a787f80b7a167_JaffaCakes118.exe
-
Size
1.9MB
-
MD5
3d9229dfafc8a8f7106a787f80b7a167
-
SHA1
7dbcc1b287347b9f8c99cdc867b2cde1a4cf52fa
-
SHA256
443a165f4ef1e448c158f116928d761f3711a4ec9058cd68f5f30c98773b52f7
-
SHA512
756da65b063e9d5a80bc61722856262032d8feae1b2f96f13dd2d381a8630358fb2b2ef6090e25f7308180b16c54f0070437884646e2dc477df39334bab410ad
-
SSDEEP
49152:Qoa1taC070dqaM6ibf66WfmCBngue1lCUFtOh:Qoa1taC0ZaMhbZ2mCBngX6UFte
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid 3004, Process C938.tmp -
Executes dropped EXE 1 IoCs
pid 3004, Process C938.tmp -
Loads dropped DLL 1 IoCs
pid 2120, Process 3d9229dfafc8a8f7106a787f80b7a167_JaffaCakes118.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: C938.tmp
description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: 3d9229dfafc8a8f7106a787f80b7a167_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description: PID 2120 wrote to memory of 3004; pid: 2120; Process: 3d9229dfafc8a8f7106a787f80b7a167_JaffaCakes118.exe; procid_target: 30
description: PID 2120 wrote to memory of 3004; pid: 2120; Process: 3d9229dfafc8a8f7106a787f80b7a167_JaffaCakes118.exe; procid_target: 30
description: PID 2120 wrote to memory of 3004; pid: 2120; Process: 3d9229dfafc8a8f7106a787f80b7a167_JaffaCakes118.exe; procid_target: 30
description: PID 2120 wrote to memory of 3004; pid: 2120; Process: 3d9229dfafc8a8f7106a787f80b7a167_JaffaCakes118.exe; procid_target: 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\3d9229dfafc8a8f7106a787f80b7a167_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\3d9229dfafc8a8f7106a787f80b7a167_JaffaCakes118.exe"
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Users\Admin\AppData\Local\Temp\C938.tmp
Command line: "C:\Users\Admin\AppData\Local\Temp\C938.tmp" --splash C:\Users\Admin\AppData\Local\Temp\3d9229dfafc8a8f7106a787f80b7a167_JaffaCakes118.exe 7B938FD9B03C829A0BA64637BFFCB58798C8E1CA94E8D8DBFEE775469AEFA1E6FBD9630AF91F23031864ECBD0296671D2FA10C8CF4CCD1280A9FC11082FD4BDD
- Deletes itself
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3004
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1.9MB
MD5
055faa80e3a93465f8e19311623af99d
SHA1
db6170b71fad352816291384b2027495d492dc31
SHA256
fdf3d4640df8e1e50e04d9528cc2e7ed2eecd9fa181033affafbf86cc2ce8172
SHA512
dcf4bbbd79a529355326fcb3f1d54c834a255d016b221943a7451d61319c757456e0dde24446f86bb946559cbd910abc8fcc2b7d4ceab8757ee13e90010a44a3