Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 19/10/2024, 13:29
Static task: static1
Behavioral task: behavioral1
  Sample: 5cdcec900819b181a01ea4c007995969_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 5cdcec900819b181a01ea4c007995969_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: 5cdcec900819b181a01ea4c007995969_JaffaCakes118.exe
Size: 223KB
MD5: 5cdcec900819b181a01ea4c007995969
SHA1: d71954224a3c986ac4a7f116d4067d98257cfbb5
SHA256: 7fd75617ee39e8ed51f7e118f0aa46b83916dbf0d1d769e088c3fca7a4c0014f
SHA512: e741d7658397cb8f8c581bd3d2c3807b93f9e987ff10668e5d7cea6dee149553392ee32be3983cc4adc9340cfe9ff3915a91faec9ad4a74574c0299d6c4761ad
SSDEEP: 3072:1g10r0K/C7MAov2zdV2JE/0unArFJHJlrAlfidgVkmv058mZT6+upQkdO7:1q0rpsMA+krMBBJHJZdnrb6+uQ
Malware Config
Extracted
Family: xloader
Version: 2.3
Campaign ID: ieqo
Domains (65 entries). XLoader configs embed a set of decoy domains alongside the live C2, and the extractor lists all of them together, so treat this list as a hunting set for DNS/proxy logs rather than as a blocklist; most entries are unrelated legitimate sites.
new-post-25782.xyz
podcastrrr.com
babyspageelong.com
boaddeo.club
distribuzionemedica.com
peaceofminderbinder.com
abbyrosemusic.com
odessawildliferemoval.com
prosperasight.com
liibbyapp.com
shandaferguson.com
kirsehiryenihaber.com
secured07b-chase.com
leanonmelifeadvice.com
securemtgs.com
temgk255.space
lunasparallevar.com
transportesdario.com
redwork.club
directopolis.com
sorevcbns.com
bibliothecadigital.com
theagileconfessional.com
lebottindesentreprises.com
dvd-org.com
1ajycapital.com
nailquan2.com
javacoffeebeans.com
sizish.com
susannhaehnel.net
gouaya.com
marvelstrikeclub.com
catwalkangels.com
runlywood-nambda.icu
hongfengjmzz.com
reviveyourride-detailing.com
x93snefkb9.com
irsettlement.com
injurylawyersnm.com
zhcc.ltd
homerivercommercial.com
drkitange.com
atauysal.com
sleekedup.net
ez-insurance-quotes.com
lumber-pt.com
citi-star.taxi
chimaratransport.com
absbropaul.com
jewelsbybri.com
racevc.com
buyer-centric.com
viableprocedure.com
paarlstudio.com
thinbluelinepatriots.com
crowtzequipped.com
missioncareasia.com
tesrvstorage.com
xn--zfrz5x6lhwxt66f.tech
mansmoon.com
werkstrand.cloud
amoscontent.com
exainc.net
cigartent.com
rukreditpay.com
Signatures

Xloader payload (1 IoC)
  resource: behavioral1/memory/2316-3-0x0000000000080000-0x00000000000A9000-memory.dmp
  yara_rule: xloader
  (the hit is in the memory of PID 2316, the child the parent hollowed, region 0x80000-0xA9000)

Suspicious use of SetThreadContext (1 IoC)
  PID 1720 (5cdcec900819b181a01ea4c007995969_JaffaCakes118.exe) set thread context of PID 2316 (procid_target 31)

Program crash (2 IoCs)
  WerFault.exe PID 2340 reporting crash of PID 1720 (procid_target 30)
  WerFault.exe PID 1896 reporting crash of PID 2316 (procid_target 31)

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 5cdcec900819b181a01ea4c007995969_JaffaCakes118.exe (2 times)

Suspicious behavior: MapViewOfSection (2 IoCs)
  PID 1720 5cdcec900819b181a01ea4c007995969_JaffaCakes118.exe (2 times)

Suspicious use of WriteProcessMemory (13 IoCs)
  PID 1720 (5cdcec900819b181a01ea4c007995969_JaffaCakes118.exe) wrote to memory of PID 2316 (procid_target 31): 5 times
  PID 1720 (5cdcec900819b181a01ea4c007995969_JaffaCakes118.exe) wrote to memory of PID 2340 (procid_target 33): 4 times
  PID 2316 (5cdcec900819b181a01ea4c007995969_JaffaCakes118.exe) wrote to memory of PID 1896 (procid_target 32): 4 times
  (the writes into the two WerFault.exe children are the ordinary process-creation writes a parent makes; the combination of WriteProcessMemory, MapViewOfSection and SetThreadContext from 1720 into a second copy of its own image, 2316, is the self-hollowing chain)
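The WriteProcessMemory, SetThreadContext and Program crash tables above are what an analyst reads to reconstruct the injection chain, and the same logic can be scripted. The block below is an added example, not Triage's code: it parses the report's own signature rows (transcribed here as constructed input), maps PIDs to images from the Processes section, and separates the parent's self-hollowing of PID 2316 from the process-creation writes into the two WerFault.exe children. The row format, the `PROCESSES` map and the verdict heuristic are this example's assumptions.

```python
"""Rebuild the injection chain from Triage-style signature rows.

Added example for this report; not Triage's code. The row format, the
process map and the verdict heuristic are this example's own assumptions.
All input below is transcribed from the report's Signatures and Processes sections.
"""
import re
from collections import defaultdict

SAMPLE = "5cdcec900819b181a01ea4c007995969_JaffaCakes118.exe"

# pid -> image, taken from the "Processes" section.
PROCESSES = {1720: SAMPLE, 2316: SAMPLE, 2340: "WerFault.exe", 1896: "WerFault.exe"}

# "Suspicious use of WriteProcessMemory" (13 rows) and "Suspicious use of
# SetThreadContext" (1 row), one row per line, columns as Triage prints them:
# description, pid, Process, procid_target.  Constructed from the report.
SIGNATURE_ROWS = "\n".join(
    [f"PID 1720 wrote to memory of 2316 1720 {SAMPLE} 31"] * 5
    + [f"PID 1720 set thread context of 2316 1720 {SAMPLE} 31"]
    + [f"PID 1720 wrote to memory of 2340 1720 {SAMPLE} 33"] * 4
    + [f"PID 2316 wrote to memory of 1896 2316 {SAMPLE} 32"] * 4
)

# "Program crash" rows: pid (WerFault), pid_target (crashed), Process, procid_target.
CRASH_ROWS = "2340 1720 WerFault.exe 30\n1896 2316 WerFault.exe 31"

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<procid>\d+)$"
)
CRASH_RE = re.compile(r"^(?P<wer>\d+) (?P<crashed>\d+) WerFault\.exe (?P<procid>\d+)$")


def parse_rows(text):
    """Yield (src_pid, action, dst_pid) per signature row; reject malformed rows."""
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised row: {line!r}")
        yield int(m["src"]), m["action"], int(m["dst"])


def parse_crashes(text):
    """Return {crashed_pid: werfault_pid} from 'Program crash' rows."""
    out = {}
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        m = CRASH_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised crash row: {line!r}")
        out[int(m["crashed"])] = int(m["wer"])
    return out


def find_injections(rows_text, crash_text, processes):
    """Group cross-process writes by (src, dst) and give each pair a verdict.

    Heuristic (this example's, not a Triage rule):
      * a parent writes the new child's process parameters during CreateProcess,
        so a handful of writes alone proves nothing;
      * writes into WerFault.exe are that crash-reporter spawn: verdict 'wer';
      * writes plus SetThreadContext into a child running the parent's own image
        is the self-hollowing pattern: verdict 'self-hollowing';
      * SetThreadContext into a differently named child is plain 'hollowing'.
    """
    writes, ctx = defaultdict(int), set()
    for src, action, dst in parse_rows(rows_text):
        if action.startswith("wrote"):
            writes[(src, dst)] += 1
        else:
            ctx.add((src, dst))
    crashed = parse_crashes(crash_text)

    findings = {}
    for (src, dst), n in sorted(writes.items()):
        src_img, dst_img = processes.get(src, "?"), processes.get(dst, "?")
        if dst_img.lower() == "werfault.exe":
            verdict = "wer"
        elif (src, dst) in ctx:
            verdict = "self-hollowing" if src_img == dst_img else "hollowing"
        else:
            verdict = "write-only"
        findings[(src, dst)] = {
            "writes": n,
            "set_thread_context": (src, dst) in ctx,
            "target_image": dst_img,
            "target_crashed": dst in crashed,
            "verdict": verdict,
        }
    return findings


def summarise(findings):
    """One line per (src, dst) pair, injection verdicts first."""
    order = {"self-hollowing": 0, "hollowing": 1, "write-only": 2, "wer": 3}
    lines = []
    for (src, dst), f in sorted(findings.items(), key=lambda kv: order[kv[1]["verdict"]]):
        crash = ", target crashed" if f["target_crashed"] else ""
        lines.append(f"{src} -> {dst} ({f['target_image']}): {f['verdict']}, "
                     f"{f['writes']} writes{crash}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarise(find_injections(SIGNATURE_ROWS, CRASH_ROWS, PROCESSES))))
```

Run stand-alone it prints one line per pair, with `1720 -> 2316` flagged as self-hollowing with its target crashed and both WerFault pairs classed as `wer`. The crash flag matters when reading this report: the hollowed child faulted, which is why the YARA hit is the only payload evidence and no C2 contact to any of the configured domains is recorded.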
Processes

C:\Users\Admin\AppData\Local\Temp\5cdcec900819b181a01ea4c007995969_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\5cdcec900819b181a01ea4c007995969_JaffaCakes118.exe"
  PID: 1720
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\5cdcec900819b181a01ea4c007995969_JaffaCakes118.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\5cdcec900819b181a01ea4c007995969_JaffaCakes118.exe"
      PID: 2316
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 36
          PID: 1896
          - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 164
      PID: 2340
      - Program crash