Analysis
- max time kernel: 150s
- max time network: 82s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 20/10/2024, 03:02
Behavioral task
- Task: behavioral1
- Sample: 600b82e86ebd5721f4e5e434646418ea_JaffaCakes118.exe
- Resource: win7-20241010-en
General
- Target: 600b82e86ebd5721f4e5e434646418ea_JaffaCakes118.exe
- Size: 556KB
- MD5: 600b82e86ebd5721f4e5e434646418ea
- SHA1: 07f0d32fb7576ec92d16e3140dcebed68adf87f1
- SHA256: 6446734456c209df3cf8a4f10279a8d33d6ae60d11bc03636891e7c63febfa78
- SHA512: cc55040fda4ecca23bc342cea09c453f99f29ac7297d7790fdc34d9dc2038d5a1aadbcf5c5e64b864bb402c6850b5862d8b3de73f291533589a33cb50434f0bf
- SSDEEP: 12288:zccNvdRExZGe+Q1nSoS++43x+l7QLiaEyJ:znPfQp9L3olqFJ
Malware Config
Extracted configuration (family: urelas)
- 1.234.83.146
- 133.242.129.155
- 218.54.31.226
- 218.54.31.165
Signatures
- Deletes itself (1 IoC)
  pid 2984, process cmd.exe
- Executes dropped EXE (2 IoCs)
  pid 2272, process qyvuf.exe
  pid 3024, process obnun.exe
- Loads dropped DLL (2 IoCs)
  pid 2124, process 600b82e86ebd5721f4e5e434646418ea_JaffaCakes118.exe
  pid 2272, process qyvuf.exe
- YARA rule matches (resource, yara_rule)
  behavioral1/memory/2124-0-0x0000000000400000-0x00000000004B6000-memory.dmp, upx
  behavioral1/files/0x0012000000016d3f-4.dat, upx
  behavioral1/memory/2272-10-0x0000000000400000-0x00000000004B6000-memory.dmp, upx
  behavioral1/memory/2124-18-0x0000000000400000-0x00000000004B6000-memory.dmp, upx
  behavioral1/memory/2272-21-0x0000000000400000-0x00000000004B6000-memory.dmp, upx
  behavioral1/memory/2272-29-0x0000000000400000-0x00000000004B6000-memory.dmp, upx
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description, ioc, Process:
  Key opened, \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, 600b82e86ebd5721f4e5e434646418ea_JaffaCakes118.exe
  Key opened, \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, qyvuf.exe
  Key opened, \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, cmd.exe
  Key opened, \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, obnun.exe
- Suspicious behavior: EnumeratesProcesses (53 IoCs)
  pid 3024, process obnun.exe (53 identical entries)
- Suspicious use of WriteProcessMemory (12 IoCs)
  description, pid, Process, procid_target:
  PID 2124 wrote to memory of 2272, 2124, 600b82e86ebd5721f4e5e434646418ea_JaffaCakes118.exe, 30 (4 identical entries)
  PID 2124 wrote to memory of 2984, 2124, 600b82e86ebd5721f4e5e434646418ea_JaffaCakes118.exe, 31 (4 identical entries)
  PID 2272 wrote to memory of 3024, 2272, qyvuf.exe, 33 (4 identical entries)
Processes
C:\Users\Admin\AppData\Local\Temp\600b82e86ebd5721f4e5e434646418ea_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\600b82e86ebd5721f4e5e434646418ea_JaffaCakes118.exe"
  PID: 2124
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\qyvuf.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\qyvuf.exe"
    PID: 2272
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\obnun.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\obnun.exe"
      PID: 3024
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    PID: 2984
    - Deletes itself
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads