Analysis
- max time kernel: 135s
- max time network: 140s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 13/10/2024, 21:23
Static task
- static1
Behavioral task
- behavioral1
  Sample: 422511d31784711ac906260eb82466aa_JaffaCakes118.exe
  Resource: win7-20241010-en
Behavioral task
- behavioral2
  Sample: 422511d31784711ac906260eb82466aa_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
- Target: 422511d31784711ac906260eb82466aa_JaffaCakes118.exe
- Size: 330KB
- MD5: 422511d31784711ac906260eb82466aa
- SHA1: 7e532e67c04c5d1abd64f7d56a55c61e301dac55
- SHA256: 0aaaacba440e3b7238cd8a6e139e77566e9f6c801291b7bfb92cd2aab87abbd8
- SHA512: 01ab8120e539e9d01ea6c5acb63f1cdd849a9b086eae470f21e940923e3832b0bd60072b74e36211e182a0e2a887656cff01294cc449a525527bc375cbe3a51e
- SSDEEP: 6144:VBEN8cPuxcV4xohBKas3Rb9ixTuQp4vmk/hXtvg+yi9FLQjb2Z:VBExPu642shbUxlp+jRtvWi9NmaZ
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 3008, Process cmd.exe
- Executes dropped EXE (1 IoC)
  pid 1272, Process Hacker.com.cn.exe
- Drops file in Windows directory (3 IoCs)
  File opened for modification: C:\Windows\Hacker.com.cn.exe, Process 422511d31784711ac906260eb82466aa_JaffaCakes118.exe
  File created: C:\Windows\uninstal.bat, Process 422511d31784711ac906260eb82466aa_JaffaCakes118.exe
  File created: C:\Windows\Hacker.com.cn.exe, Process 422511d31784711ac906260eb82466aa_JaffaCakes118.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process 422511d31784711ac906260eb82466aa_JaffaCakes118.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process Hacker.com.cn.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process cmd.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 2528, Process 422511d31784711ac906260eb82466aa_JaffaCakes118.exe
  Token: SeDebugPrivilege, pid 1272, Process Hacker.com.cn.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid 1272, Process Hacker.com.cn.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  PID 1272 wrote to memory of 2900, pid 1272, Process Hacker.com.cn.exe, procid_target 31 (recorded 4 times)
  PID 2528 wrote to memory of 3008, pid 2528, Process 422511d31784711ac906260eb82466aa_JaffaCakes118.exe, procid_target 32 (recorded 7 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\422511d31784711ac906260eb82466aa_JaffaCakes118.exe (PID 2528)
  Command line: "C:\Users\Admin\AppData\Local\Temp\422511d31784711ac906260eb82466aa_JaffaCakes118.exe"
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SysWOW64\cmd.exe (PID 3008)
    Command line: cmd /c C:\Windows\uninstal.bat
    - Deletes itself
    - System Location Discovery: System Language Discovery
- C:\Windows\Hacker.com.cn.exe (PID 1272)
  Command line: C:\Windows\Hacker.com.cn.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - Child: C:\Program Files\Internet Explorer\IEXPLORE.EXE (PID 2900)
    Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 330KB
  MD5: 422511d31784711ac906260eb82466aa
  SHA1: 7e532e67c04c5d1abd64f7d56a55c61e301dac55
  SHA256: 0aaaacba440e3b7238cd8a6e139e77566e9f6c801291b7bfb92cd2aab87abbd8
  SHA512: 01ab8120e539e9d01ea6c5acb63f1cdd849a9b086eae470f21e940923e3832b0bd60072b74e36211e182a0e2a887656cff01294cc449a525527bc375cbe3a51e
- Filesize: 218B
  MD5: a3f4f78a20fd78f95fa16e29e3051a33
  SHA1: 0a88f61e47cb23569e757a6ea71c4a2b673a8a8b
  SHA256: 2a13dc6cc63d6fc4504f03689d80c765d69ef6fa64f6d4fea9946974729b10cc
  SHA512: 9a8e5a4c266c08c81e7e15afcfbf05e313a65528624630fe786c315dedf3906e2d9db616299fe706f3e0e3c6ac604d770caffa919169696138091aea8deb4989