Analysis
- max time kernel: 111s
- max time network: 71s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 13/10/2024, 04:16
Static task: static1
Behavioral task: behavioral1
- Sample: 3dbd7a6a1a7e81e05780a246e47eadd0_JaffaCakes118.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: 3dbd7a6a1a7e81e05780a246e47eadd0_JaffaCakes118.exe
- Resource: win10v2004-20241007-en
General
- Target: 3dbd7a6a1a7e81e05780a246e47eadd0_JaffaCakes118.exe
- Size: 849KB
- MD5: 3dbd7a6a1a7e81e05780a246e47eadd0
- SHA1: 91ca38ca395afe35a77ba1cc9440bc457ca77ecf
- SHA256: 047f448b63e7b8176e03c4000380764ea62fc5b336b3279941570f5ca3aa57d7
- SHA512: bbb0ff0692ab814817ade5940eddbe3c04b36a5382a2911a8cf79ee4ebc86aff0d268202af0271fd588f380f39dbc95160c6ec3badb0a98398c0697e04b077be
- SSDEEP: 24576:3sSsEBgk1Xeug/gwHPvPp4ijQk4JjY8LYqL:3fBnBeugl3aqZ4JjYyL
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
  pid   Process
  2012  server.exe
  2988  wlsetup-web.exe

Loads dropped DLL (3 IoCs)
  pid   Process
  1768  3dbd7a6a1a7e81e05780a246e47eadd0_JaffaCakes118.exe
  1768  3dbd7a6a1a7e81e05780a246e47eadd0_JaffaCakes118.exe
  1768  3dbd7a6a1a7e81e05780a246e47eadd0_JaffaCakes118.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                      Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  3dbd7a6a1a7e81e05780a246e47eadd0_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  server.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wlsetup-web.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  2012  server.exe
  2012  server.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid   Process
  2988  wlsetup-web.exe

Suspicious use of WriteProcessMemory (15 IoCs)
  description                        pid   Process                                               procid_target
  PID 1768 wrote to memory of 2012   1768  3dbd7a6a1a7e81e05780a246e47eadd0_JaffaCakes118.exe   30
  PID 1768 wrote to memory of 2012   1768  3dbd7a6a1a7e81e05780a246e47eadd0_JaffaCakes118.exe   30
  PID 1768 wrote to memory of 2012   1768  3dbd7a6a1a7e81e05780a246e47eadd0_JaffaCakes118.exe   30
  PID 1768 wrote to memory of 2012   1768  3dbd7a6a1a7e81e05780a246e47eadd0_JaffaCakes118.exe   30
  PID 2012 wrote to memory of 1268   2012  server.exe                                            21
  PID 2012 wrote to memory of 1268   2012  server.exe                                            21
  PID 2012 wrote to memory of 1268   2012  server.exe                                            21
  PID 2012 wrote to memory of 1268   2012  server.exe                                            21
  PID 1768 wrote to memory of 2988   1768  3dbd7a6a1a7e81e05780a246e47eadd0_JaffaCakes118.exe   31
  PID 1768 wrote to memory of 2988   1768  3dbd7a6a1a7e81e05780a246e47eadd0_JaffaCakes118.exe   31
  PID 1768 wrote to memory of 2988   1768  3dbd7a6a1a7e81e05780a246e47eadd0_JaffaCakes118.exe   31
  PID 1768 wrote to memory of 2988   1768  3dbd7a6a1a7e81e05780a246e47eadd0_JaffaCakes118.exe   31
  PID 1768 wrote to memory of 2988   1768  3dbd7a6a1a7e81e05780a246e47eadd0_JaffaCakes118.exe   31
  PID 1768 wrote to memory of 2988   1768  3dbd7a6a1a7e81e05780a246e47eadd0_JaffaCakes118.exe   31
  PID 1768 wrote to memory of 2988   1768  3dbd7a6a1a7e81e05780a246e47eadd0_JaffaCakes118.exe   31
Processes
- C:\Windows\Explorer.EXE
  Command line: "C:\Windows\Explorer.EXE"
  PID: 1268
  - C:\Users\Admin\AppData\Local\Temp\3dbd7a6a1a7e81e05780a246e47eadd0_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\3dbd7a6a1a7e81e05780a246e47eadd0_JaffaCakes118.exe"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1768
    - C:\Users\Admin\AppData\Local\Temp\server.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 2012
    - C:\Users\Admin\AppData\Local\Temp\wlsetup-web.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\wlsetup-web.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: GetForegroundWindowSpam
      PID: 2988
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.1MB
  MD5: 1ed3217d714facbe53dac2bd62b34f85
  SHA1: 0b7fe43a62006d5f6366cc3393b9eae7bac03244
  SHA256: 71fd3a200f51949e7c4cc89380e988016976bcb5b1b231143b7a97233bfaa639
  SHA512: 84863394ccb6a923063ce8ddf3a93966e01e8db4967438bf9372bdabe9586580dad062e723f6cc2165e78598580aa4cf971c1801e3958eaa6ace282394aad391
- Filesize: 56KB
  MD5: a05114c4b2d92488d4a324bf8fe6a7a8
  SHA1: 65795216be0a07b81183ab54091ea7caffcbabe4
  SHA256: 8dc16086e4518c8d4ac50d8e4c4a51fbd8bc74a6867db2904d5ab90a0faeca3d
  SHA512: 44ca23fe13a4425189546f504efc0dc6f1a7e63c36e5e49d96647f4071d4e45a3363571a9231bacfb2a4c6cdd1799c0ceddfcdd06eb8fbd42724b41f5c2fffe6