Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 149s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 13/10/2024, 15:24
Static task: static1
Behavioral task: behavioral1
  Sample: 409d1a6ef6366d783a25eb3f1810178f_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 409d1a6ef6366d783a25eb3f1810178f_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: 409d1a6ef6366d783a25eb3f1810178f_JaffaCakes118.exe
Size: 20KB
MD5: 409d1a6ef6366d783a25eb3f1810178f
SHA1: 63c41f0f94fe69875ea318caf1dd54c83f852514
SHA256: 7bb2e5f8bcf6ee91fc65dcdd9617827fcf6ea9b31708b260f6c4fd3593c98f73
SHA512: c3db7abe0a42ca10aeeb84c6aebe63f87c678282b27939af62e2402db5ce95bfa67886c1a875cec8ab4671f6cbac3510f2143b1edca6df15521d74289dea65e6
SSDEEP: 384:wvCCFpKHC+4k6mS6+/KgLS+Q/7EqWvXg:wvCjHCfxmSBJSr/Qq
Malware Config
Signatures
Deletes itself (1 IoC)
  pid   process
  2116  svchost.exe

Executes dropped EXE (1 IoC)
  pid   process
  1732  csrcs.exe

Loads dropped DLL (2 IoCs)
  pid   process
  2116  svchost.exe
  2116  svchost.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                                          process
  Set value (str)  \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrcs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\csrcs.exe"  svchost.exe

Suspicious use of SetThreadContext (2 IoCs)
  description                          pid   process                                              procid_target
  PID 1704 set thread context of 2116  1704  409d1a6ef6366d783a25eb3f1810178f_JaffaCakes118.exe  30
  PID 1732 set thread context of 2256  1732  csrcs.exe                                            32

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  csrcs.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svchost.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  409d1a6ef6366d783a25eb3f1810178f_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svchost.exe

Suspicious use of WriteProcessMemory (20 IoCs; identical entries collapsed, count in the last column)
  description                       pid   process                                              procid_target  count
  PID 1704 wrote to memory of 2116  1704  409d1a6ef6366d783a25eb3f1810178f_JaffaCakes118.exe  30             8
  PID 2116 wrote to memory of 1732  2116  svchost.exe                                          31             4
  PID 1732 wrote to memory of 2256  1732  csrcs.exe                                            32             8
Processes
1. C:\Users\Admin\AppData\Local\Temp\409d1a6ef6366d783a25eb3f1810178f_JaffaCakes118.exe (PID 1704)
   command line: "C:\Users\Admin\AppData\Local\Temp\409d1a6ef6366d783a25eb3f1810178f_JaffaCakes118.exe"
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\svchost.exe (PID 2116)
      command line: svchost.exe
      - Deletes itself
      - Loads dropped DLL
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\csrcs.exe (PID 1732)
         command line: "C:\Users\Admin\AppData\Local\Temp\csrcs.exe"
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\svchost.exe (PID 2256)
            command line: svchost.exe
            - System Location Discovery: System Language Discovery
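The signature and process-tree entries above describe a two-stage hollowing chain: the sample (PID 1704) writes into a freshly spawned SysWOW64\svchost.exe (PID 2116) and calls SetThreadContext on it, the hollowed svchost.exe drops and starts csrcs.exe (PID 1732) and registers it under the user's Run key, and csrcs.exe repeats the hollow into a second svchost.exe (PID 2256). The script below is an added example, not code from the tria.ge report or from the sample's author: it re-types the report's IoC lines as constructed input, classifies each (source, target) pair, walks the chain from the submitted sample's PID, and flags the Run value because its target lives in a user-writable directory. The verdict labels, the user-writable path list and all helper names are this script's own assumptions, not a tria.ge export format.

```python
"""Reconstruct the injection chain and the persistence entry from the IoC lines.

Added example: this is not code from the tria.ge report or from the sample's
author. The IoC strings below are re-typed from the report as constructed input;
the verdict labels, the user-writable path list and the helper names are this
script's own assumptions.
"""
import re
from collections import defaultdict

# Process image per PID, taken from the report's process tree.
IMAGES = {
    1704: r"C:\Users\Admin\AppData\Local\Temp\409d1a6ef6366d783a25eb3f1810178f_JaffaCakes118.exe",
    2116: r"C:\Windows\SysWOW64\svchost.exe",
    1732: r"C:\Users\Admin\AppData\Local\Temp\csrcs.exe",
    2256: r"C:\Windows\SysWOW64\svchost.exe",
}

# Constructed input: one string per IoC in the WriteProcessMemory (20) and
# SetThreadContext (2) signatures, in the report's own line format.
API_IOCS = (
    ["PID 1704 wrote to memory of 2116 1704 409d1a6ef6366d783a25eb3f1810178f_JaffaCakes118.exe 30"] * 8
    + ["PID 2116 wrote to memory of 1732 2116 svchost.exe 31"] * 4
    + ["PID 1732 wrote to memory of 2256 1732 csrcs.exe 32"] * 8
    + ["PID 1704 set thread context of 2116 1704 409d1a6ef6366d783a25eb3f1810178f_JaffaCakes118.exe 30",
       "PID 1732 set thread context of 2256 1732 csrcs.exe 32"]
)
# Constructed input: the single "Adds Run key" IoC (backslashes escaped as in the report).
REG_IOCS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrcs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\csrcs.exe" svchost.exe',
]

API_RE = re.compile(r"^PID (?P<pid>\d+) (?P<action>wrote to memory of|set thread context of) (?P<target>\d+) ")
REG_RE = re.compile(r'^Set value \((?P<type>\w+)\) (?P<key>\S+) = "(?P<value>[^"]*)" (?P<process>\S+)$')
# Assumed list of locations a standard user can write to; extend it for your estate.
USER_WRITABLE = re.compile(r"^[A-Za-z]:\\(Users\\|ProgramData\\|Windows\\Temp\\)", re.IGNORECASE)
SYSTEM_DIRS = re.compile(r"^[A-Za-z]:\\Windows\\(System32|SysWOW64)\\", re.IGNORECASE)


def is_user_writable(path):
    return bool(USER_WRITABLE.match(path))


def is_system_binary(path):
    return bool(SYSTEM_DIRS.match(path))


def parse_api_iocs(lines):
    """Count cross-process writes and SetThreadContext calls per (source, target) pair."""
    pairs = defaultdict(lambda: {"wrote": 0, "ctx": 0})
    for line in lines:
        m = API_RE.match(line)
        if m:
            field = "wrote" if m["action"].startswith("wrote") else "ctx"
            pairs[(int(m["pid"]), int(m["target"]))][field] += 1
    return dict(pairs)


def find_hollowing(lines, images):
    """Classify each (source, target) pair.

    "hollowing": writes plus SetThreadContext into a System32/SysWOW64 binary from a
    source running out of a user-writable path (the write-then-resume pattern);
    "injection": writes plus SetThreadContext into any other target;
    "writes-only" / "context-only": weaker evidence on its own (2116 -> 1732 here).
    """
    verdicts = []
    for (src, dst), counts in sorted(parse_api_iocs(lines).items()):
        src_img, dst_img = images.get(src, ""), images.get(dst, "")
        if counts["wrote"] and counts["ctx"]:
            verdict = "hollowing" if is_system_binary(dst_img) and is_user_writable(src_img) else "injection"
        else:
            verdict = "writes-only" if counts["wrote"] else "context-only"
        verdicts.append({"source": src, "target": dst, "verdict": verdict, **counts})
    return verdicts


def injection_chain(verdicts, root):
    """Follow source -> target edges starting from the submitted sample's PID."""
    edges = {v["source"]: v["target"] for v in verdicts}
    chain = [root]
    while chain[-1] in edges and edges[chain[-1]] not in chain:
        chain.append(edges[chain[-1]])
    return chain


def find_run_key_persistence(lines):
    """Flag Run/RunOnce values whose target executable lives in a user-writable directory."""
    hits = []
    for line in lines:
        m = REG_RE.match(line)
        if not m:
            continue
        target = m["value"].replace("\\\\", "\\")  # undo the report's backslash escaping
        if re.search(r"\\CurrentVersion\\Run(Once)?\\", m["key"], re.IGNORECASE) and is_user_writable(target):
            hits.append({"name": m["key"].rsplit("\\", 1)[-1], "path": target, "writer": m["process"]})
    return hits


if __name__ == "__main__":
    verdicts = find_hollowing(API_IOCS, IMAGES)
    for v in verdicts:
        print(f'{v["source"]} -> {v["target"]}: {v["verdict"]} (writes={v["wrote"]}, ctx={v["ctx"]})')
    print("chain:", " -> ".join(str(p) for p in injection_chain(verdicts, 1704)))
    for h in find_run_key_persistence(REG_IOCS):
        print(f'Run value {h["name"]} -> {h["path"]} (written by {h["writer"]})')
```

Two points the report makes that the script is built around: the process that writes the Run value is svchost.exe, a signed System32/SysWOW64 image, because it has already been hollowed, so a persistence rule that trusts registry writes by system binaries would miss it; the script keys on where the value points instead. And the 2116 -> 1732 edge has cross-process writes but no SetThreadContext, so it is kept as a link in the chain but not labelled hollowing on its own.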
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 20KB
MD5: 409d1a6ef6366d783a25eb3f1810178f
SHA1: 63c41f0f94fe69875ea318caf1dd54c83f852514
SHA256: 7bb2e5f8bcf6ee91fc65dcdd9617827fcf6ea9b31708b260f6c4fd3593c98f73
SHA512: c3db7abe0a42ca10aeeb84c6aebe63f87c678282b27939af62e2402db5ce95bfa67886c1a875cec8ab4671f6cbac3510f2143b1edca6df15521d74289dea65e6