Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 122s
max time network: 126s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 13/10/2024, 17:40
Behavioral task: behavioral1
Sample: 4133fe3eec5cd55b6f4de6fa8ed17b90_JaffaCakes118.exe
Resource: win7-20241010-en
General
Target: 4133fe3eec5cd55b6f4de6fa8ed17b90_JaffaCakes118.exe
Size: 137KB
MD5: 4133fe3eec5cd55b6f4de6fa8ed17b90
SHA1: 0c2e5541efb6f715ceab690ed694a867a6e41f3b
SHA256: e1bd23dbdcfc912012f110977a911e5c64a2b5c82ba393ff36c8ba454c3b85fb
SHA512: 9b7bff0b0d067713137cc355aa40163b1586612d47c9102fdd744ae69bab76e305611b091e13f81f6eefab75b6707fa616c6cfacdc9073d4be0e7592f51db631
SSDEEP: 3072:/trUTOOAwmgu0mMBCWajxnE1bASCBLoz+qcfhUmoPT/:/trkhAn0msCjGASAqR
Malware Config
Signatures

Executes dropped EXE (1 IoC)
pid | Process
2792 | Yfazya.exe

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\3D26895M1Z = "C:\\Windows\\Yfazya.exe" | Yfazya.exe

YARA rule match: upx (3 IoCs)
resource | yara_rule
behavioral1/memory/2536-0-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/files/0x00070000000195ab-11.dat | upx
behavioral1/memory/2792-13-0x0000000000400000-0x000000000043B000-memory.dmp | upx

Drops file in Windows directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job | 4133fe3eec5cd55b6f4de6fa8ed17b90_JaffaCakes118.exe
File created | C:\Windows\Yfazya.exe | 4133fe3eec5cd55b6f4de6fa8ed17b90_JaffaCakes118.exe
File opened for modification | C:\Windows\Yfazya.exe | 4133fe3eec5cd55b6f4de6fa8ed17b90_JaffaCakes118.exe
File created | C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job | 4133fe3eec5cd55b6f4de6fa8ed17b90_JaffaCakes118.exe

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Yfazya.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4133fe3eec5cd55b6f4de6fa8ed17b90_JaffaCakes118.exe

Modifies Internet Explorer settings (1 IoC)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main | Yfazya.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2792 | Yfazya.exe (the same entry is recorded 64 times)

Suspicious use of UnmapMainImage (2 IoCs)
pid | Process
2536 | 4133fe3eec5cd55b6f4de6fa8ed17b90_JaffaCakes118.exe
2792 | Yfazya.exe

Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 2536 wrote to memory of 2792 | 2536 | 4133fe3eec5cd55b6f4de6fa8ed17b90_JaffaCakes118.exe | 30
(the same entry is recorded 4 times)
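The three persistence artifacts above (a Run value under HKU pointing at C:\Windows\Yfazya.exe, a .job file written to C:\Windows\Tasks by a process outside System32, and an EXE dropped directly into the Windows root) are the kind of thing a detection engineer would turn into hunting logic. The following is an added example and not part of the tria.ge report or its tooling: it expresses each artifact as a check over Sysmon-style events (EventID 11 FileCreate and EventID 13 RegistryEvent value set; the field names Image, TargetFilename, TargetObject and Details are assumed to follow Sysmon's) and runs them over a constructed event list that mirrors the report's IoCs plus some benign noise. The last function pairs a dropped EXE with a Run value later set by that same EXE, which is the dropper-then-dropped-copy-persists pattern the report shows (2536 writes Yfazya.exe, 2792 registers it).

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Matches any value directly under a ...\CurrentVersion\Run key, whether the
# path is written HKU\... or \REGISTRY\USER\... (only the tail is anchored).
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.I)
WINDOWS_ROOT = r"c:\windows"
TASKS_DIR = r"c:\windows\tasks"
SYSTEM32_PREFIX = r"c:\windows\system32" + "\\"

# Constructed sample events (not captured from the sandbox). The first three
# reproduce the report's IoCs; the rest are benign noise the checks must skip.
SAMPLE_EVENTS = [
    {"EventID": 11,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\4133fe3eec5cd55b6f4de6fa8ed17b90_JaffaCakes118.exe",
     "TargetFilename": r"C:\Windows\Yfazya.exe"},
    {"EventID": 11,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\4133fe3eec5cd55b6f4de6fa8ed17b90_JaffaCakes118.exe",
     "TargetFilename": r"C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job"},
    {"EventID": 13, "Image": r"C:\Windows\Yfazya.exe",
     "TargetObject": r"HKU\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\3D26895M1Z",
     "Details": r"C:\Windows\Yfazya.exe"},
    # Benign: the task scheduler host writing its own .job (hypothetical name).
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\Tasks\legit.job"},
    # Benign: a temp file one level below the Windows root, not in it.
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\Temp\update.tmp"},
    # Benign: a Run value pointing into Program Files (hypothetical vendor).
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\app.exe",
     "TargetObject": r"HKU\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r"C:\Program Files\Vendor\updater.exe"},
]


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str      # process that produced the artifact
    artifact: str   # registry value path or file path


def _parent_dir(path: str) -> str:
    # ntpath handles Windows separators even when this runs on a POSIX host.
    return ntpath.dirname(path).lower()


def check_run_key(ev: dict) -> Optional[Finding]:
    """Run value whose target executable lives directly in C:\\Windows."""
    if ev.get("EventID") != 13 or not RUN_KEY_RE.search(ev.get("TargetObject", "")):
        return None
    target = ev.get("Details", "").strip('"')
    if _parent_dir(target) == WINDOWS_ROOT:
        return Finding("run_key_points_to_windows_root", ev["Image"], ev["TargetObject"])
    return None


def check_job_file(ev: dict) -> Optional[Finding]:
    """Legacy .job task file written by something other than a System32 binary."""
    if ev.get("EventID") != 11:
        return None
    f = ev.get("TargetFilename", "")
    if (_parent_dir(f) == TASKS_DIR and f.lower().endswith(".job")
            and not ev["Image"].lower().startswith(SYSTEM32_PREFIX)):
        return Finding("job_file_written_by_non_system_image", ev["Image"], f)
    return None


def check_exe_in_windows_root(ev: dict) -> Optional[Finding]:
    """PE dropped into the Windows root itself (not a subdirectory)."""
    if ev.get("EventID") != 11:
        return None
    f = ev.get("TargetFilename", "")
    if _parent_dir(f) == WINDOWS_ROOT and ntpath.splitext(f)[1].lower() == ".exe":
        return Finding("exe_dropped_in_windows_root", ev["Image"], f)
    return None


CHECKS = (check_run_key, check_job_file, check_exe_in_windows_root)


def hunt(events: Iterable[dict]) -> List[Finding]:
    return [hit for ev in events for check in CHECKS if (hit := check(ev)) is not None]


def self_registering_drops(findings: Iterable[Finding]) -> List[Finding]:
    """Run-key findings whose author is itself an EXE that another process dropped."""
    findings = list(findings)
    dropped = {f.artifact.lower() for f in findings if f.rule == "exe_dropped_in_windows_root"}
    return [f for f in findings
            if f.rule == "run_key_points_to_windows_root" and f.image.lower() in dropped]


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.image} -> {f.artifact}")
```

On the constructed input the three report-derived events fire one rule each and the benign events fire none; the correlation step links the Run value set by C:\Windows\Yfazya.exe back to the FileCreate that placed it there. The System32 exclusion in check_job_file is a deliberate trade-off: scheduled-task hosts legitimately write .job files, so the check keys on who wrote the file rather than on the file alone.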
Processes
1. C:\Users\Admin\AppData\Local\Temp\4133fe3eec5cd55b6f4de6fa8ed17b90_JaffaCakes118.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\4133fe3eec5cd55b6f4de6fa8ed17b90_JaffaCakes118.exe"
   PID: 2536
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Yfazya.exe (child of PID 2536)
      command line: C:\Windows\Yfazya.exe
      PID: 2792
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Enterprise v15
Downloads
1. Filesize: 372B
   MD5: 3f9edf8bb2f6aab18d5015d4e5dfd002
   SHA1: 908d388145b680c275bbd3a4c58516b458d4d491
   SHA256: b13b508fa362c375460e6020677e48859875db647f5a5ad39f5cb4a310919ead
   SHA512: 4c0df0486f9a7032087f5a935e774985d3ee89c801d87efabc724477ede9eb972150fb6b5834eae3cde6ede787c0f94a635b0c315e0cee0a0b3d6eb44e99e22b
2. Filesize: 137KB (the submitted sample; hashes match the General section)
   MD5: 4133fe3eec5cd55b6f4de6fa8ed17b90
   SHA1: 0c2e5541efb6f715ceab690ed694a867a6e41f3b
   SHA256: e1bd23dbdcfc912012f110977a911e5c64a2b5c82ba393ff36c8ba454c3b85fb
   SHA512: 9b7bff0b0d067713137cc355aa40163b1586612d47c9102fdd744ae69bab76e305611b091e13f81f6eefab75b6707fa616c6cfacdc9073d4be0e7592f51db631