Analysis
- Max time kernel: 120s
- Max time network: 121s
- Platform: windows7_x64
- Resource: win7-20240903-en
- Resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- Submitted: 14/10/2024, 21:13
Static task: static1
Behavioral task: behavioral1
- Sample: 44353f3060310099234f9dcf7d058084_JaffaCakes118.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 44353f3060310099234f9dcf7d058084_JaffaCakes118.exe
- Resource: win10v2004-20241007-en
General
- Target: 44353f3060310099234f9dcf7d058084_JaffaCakes118.exe
- Size: 32KB
- MD5: 44353f3060310099234f9dcf7d058084
- SHA1: cb64519a9bdd4b608b74109f35abb91da056ce1d
- SHA256: e38b85b979f5f5db7544146e4886a39f73672b0915d22cd8a4b0be08f0c7a665
- SHA512: e4120fa0f6e1e14d884c40ca8da9408aea562e4508c3d0fcbe50e849accfef426c605f12c11270c5cfcd256a1ee4287de81e1d8baa96b646de13f47cfffebad6
- SSDEEP: 768:tA+eZ9hQ7WcdcXa2jFkbb4vSCTxRGAa3e/GmyfPIJ5:tA+sgzdcXa2j2YZxE3E
Malware Config
Signatures
- Drops file in Drivers directory (2 IoCs)
  - File opened for modification: C:\Windows\SysWOW64\drivers\PCIDump.sys (process: 44353f3060310099234f9dcf7d058084_JaffaCakes118.exe)
  - File opened for modification: C:\Windows\SysWOW64\drivers\PCIDump.sys (process: WinHelp32.exe)
- Deletes itself (1 IoC)
  - PID 2388, process: cmd.exe
- Executes dropped EXE (1 IoC)
  - PID 2276, process: WinHelp32.exe
- Loads dropped DLL (2 IoCs)
  - PID 1044, process: 44353f3060310099234f9dcf7d058084_JaffaCakes118.exe
  - PID 1044, process: 44353f3060310099234f9dcf7d058084_JaffaCakes118.exe
- Indicator Removal: File Deletion (1 TTP)
  Adversaries may delete files left behind by the actions of their intrusion activity.
- Drops file in System32 directory (3 IoCs)
  - File created: C:\Windows\SysWOW64\WinHelp32.exe (process: 44353f3060310099234f9dcf7d058084_JaffaCakes118.exe)
  - File opened for modification: C:\Windows\SysWOW64\WinHelp32.exe (process: 44353f3060310099234f9dcf7d058084_JaffaCakes118.exe)
  - File created: C:\Windows\SysWOW64\WinHelp32.exe (process: WinHelp32.exe)
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: WinHelp32.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cmd.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cmd.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 44353f3060310099234f9dcf7d058084_JaffaCakes118.exe)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  - Token: SeIncBasePriorityPrivilege, PID 1044, process: 44353f3060310099234f9dcf7d058084_JaffaCakes118.exe
  - Token: SeIncBasePriorityPrivilege, PID 2276, process: WinHelp32.exe
- Suspicious use of WriteProcessMemory (12 IoCs; columns: description, pid, process, procid_target)
  - PID 1044 wrote to memory of 2276, 1044, 44353f3060310099234f9dcf7d058084_JaffaCakes118.exe, 28
  - PID 1044 wrote to memory of 2276, 1044, 44353f3060310099234f9dcf7d058084_JaffaCakes118.exe, 28
  - PID 1044 wrote to memory of 2276, 1044, 44353f3060310099234f9dcf7d058084_JaffaCakes118.exe, 28
  - PID 1044 wrote to memory of 2276, 1044, 44353f3060310099234f9dcf7d058084_JaffaCakes118.exe, 28
  - PID 1044 wrote to memory of 2388, 1044, 44353f3060310099234f9dcf7d058084_JaffaCakes118.exe, 29
  - PID 1044 wrote to memory of 2388, 1044, 44353f3060310099234f9dcf7d058084_JaffaCakes118.exe, 29
  - PID 1044 wrote to memory of 2388, 1044, 44353f3060310099234f9dcf7d058084_JaffaCakes118.exe, 29
  - PID 1044 wrote to memory of 2388, 1044, 44353f3060310099234f9dcf7d058084_JaffaCakes118.exe, 29
  - PID 2276 wrote to memory of 1668, 2276, WinHelp32.exe, 30
  - PID 2276 wrote to memory of 1668, 2276, WinHelp32.exe, 30
  - PID 2276 wrote to memory of 1668, 2276, WinHelp32.exe, 30
  - PID 2276 wrote to memory of 1668, 2276, WinHelp32.exe, 30
Processes
- C:\Users\Admin\AppData\Local\Temp\44353f3060310099234f9dcf7d058084_JaffaCakes118.exe (level 1, PID 1044)
  Command line: "C:\Users\Admin\AppData\Local\Temp\44353f3060310099234f9dcf7d058084_JaffaCakes118.exe"
  Signatures:
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\SysWOW64\WinHelp32.exe (level 2, PID 2276)
    Command line: "C:\Windows\system32\WinHelp32.exe"
    Signatures:
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\SysWOW64\cmd.exe (level 3, PID 1668)
      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\WINHEL~1.EXE > nul
      Signatures:
      - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe (level 2, PID 2388)
    Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\44353F~1.EXE > nul
    Signatures:
    - Deletes itself
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 32KB
  MD5: 44353f3060310099234f9dcf7d058084
  SHA1: cb64519a9bdd4b608b74109f35abb91da056ce1d
  SHA256: e38b85b979f5f5db7544146e4886a39f73672b0915d22cd8a4b0be08f0c7a665
  SHA512: e4120fa0f6e1e14d884c40ca8da9408aea562e4508c3d0fcbe50e849accfef426c605f12c11270c5cfcd256a1ee4287de81e1d8baa96b646de13f47cfffebad6
- Filesize: 4KB
  MD5: 7434b98a847fdcb753d8db6341680db7
  SHA1: 859816f07486ae2ffdffd56f1ff77677bfd14f2b
  SHA256: 5947ff34e874e7e455cc441b017b11b63fc4fb315b311766fb83070ea7012259
  SHA512: 8d8de33e245eadabfb2d111aee51dbb0b64238cc82bc1cdd55a440f0f985466d2090a50c6363960bef09b41dd4bdf5888a2a99d37940211b092112ec5030ab53