Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 141s
max time network: 123s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 13/10/2024, 12:01
Static task: static1
Behavioral task: behavioral1
  Sample: 3fbd45230627ba599adcee2d684c09e3_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 3fbd45230627ba599adcee2d684c09e3_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: 3fbd45230627ba599adcee2d684c09e3_JaffaCakes118.exe
Size: 96KB
MD5: 3fbd45230627ba599adcee2d684c09e3
SHA1: 94969d72f70cc9641f1abc5fa2161a09b81fa2e8
SHA256: f57000fd53b52e79728ce7512c2830ce78a9a7c2524577fd2a6e40de16f3fe7d
SHA512: 604db1e8b8263475a6978c7e55158736ce8bfa419220bc6943bc4c1fa1216ba8203e35de862d636bc1531a310eae928c39104de1e8521d38a0f9de217ce8cb77
SSDEEP: 1536:VomALFDs+Kg2ORhfPe5lEA2CgnufjuUwfisAqBMh89CFMV2yaVUGz/:umAe8/IlEA2Cgg1GisLBp9CEMUe/
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid 2428, process taskhost.exe
  pid 2052, process taskhost.exe
- Loads dropped DLL (3 IoCs)
  pid 2128, process 3fbd45230627ba599adcee2d684c09e3_JaffaCakes118.exe
  pid 2128, process 3fbd45230627ba599adcee2d684c09e3_JaffaCakes118.exe
  pid 2428, process taskhost.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Taskhost = "C:\\Users\\Admin\\AppData\\Roaming\\taskhost.exe" (process: 3fbd45230627ba599adcee2d684c09e3_JaffaCakes118.exe)
- Suspicious use of SetThreadContext (2 IoCs)
  PID 764 set thread context of 2128 (pid 764, process 3fbd45230627ba599adcee2d684c09e3_JaffaCakes118.exe, procid_target 30)
  PID 2428 set thread context of 2052 (pid 2428, process taskhost.exe, procid_target 32)
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 3fbd45230627ba599adcee2d684c09e3_JaffaCakes118.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: taskhost.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 3fbd45230627ba599adcee2d684c09e3_JaffaCakes118.exe)
- Suspicious use of WriteProcessMemory (16 IoCs)
  PID 764 wrote to memory of 2128 (pid 764, process 3fbd45230627ba599adcee2d684c09e3_JaffaCakes118.exe, procid_target 30): 6 entries
  PID 2128 wrote to memory of 2428 (pid 2128, process 3fbd45230627ba599adcee2d684c09e3_JaffaCakes118.exe, procid_target 31): 4 entries
  PID 2428 wrote to memory of 2052 (pid 2428, process taskhost.exe, procid_target 32): 6 entries
Processes
1. C:\Users\Admin\AppData\Local\Temp\3fbd45230627ba599adcee2d684c09e3_JaffaCakes118.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\3fbd45230627ba599adcee2d684c09e3_JaffaCakes118.exe"
   PID: 764
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\3fbd45230627ba599adcee2d684c09e3_JaffaCakes118.exe (child of PID 764)
      command line: C:\Users\Admin\AppData\Local\Temp\3fbd45230627ba599adcee2d684c09e3_JaffaCakes118.exe
      PID: 2128
      - Loads dropped DLL
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\taskhost.exe (child of PID 2128)
         command line: C:\Users\Admin\AppData\Roaming\taskhost.exe
         PID: 2428
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of SetThreadContext
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\taskhost.exe (child of PID 2428)
            command line: C:\Users\Admin\AppData\Roaming\taskhost.exe
            PID: 2052
            - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 96KB
MD5: 83077c7f97275a5b65e32ada794ad6a3
SHA1: f966bb58162220f4ea444f2fa2143c552e04bfed
SHA256: a960f9e6b66a4f723087a00572a22ed80b276844e1b2510b1e9361b616558753
SHA512: 3d219518daf49aa4129853eaa06d7faf1de486dc287bc2a8bd5c0e5cc7aa3627d8fdeae451dc822f03ac90ff2bf887c7f468f9e67d0c3f91513c29d33055788c