Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
23/10/2024, 14:28
Behavioral task
behavioral1
Sample
6f64a36e04850929786e5c23375f4fb6_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
6f64a36e04850929786e5c23375f4fb6_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
6f64a36e04850929786e5c23375f4fb6_JaffaCakes118.exe
-
Size
28KB
-
MD5
6f64a36e04850929786e5c23375f4fb6
-
SHA1
926e54269dc99d556ab9f5d6a383cea24fb91635
-
SHA256
82c644e7daafe7b35055c37e7f0f14195866134c5942e8be89000de628cf475c
-
SHA512
398f55e6af62063792731faaf4cb6acc06f19d8c558253507d548fddebf3198735fe09e9a7234b1d5843aaff09b7aa3e1d41ad0a7dfbdf9c319f89662dce3e1f
-
SSDEEP
384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyNiAshvG5s:Dv8IRRdsxq1DjJcqf05s
Malware Config
Signatures
-
Detects MyDoom family 6 IoCs
resource yara_rule behavioral1/memory/1680-17-0x0000000000500000-0x0000000000510000-memory.dmp family_mydoom behavioral1/memory/1680-49-0x0000000000500000-0x0000000000510000-memory.dmp family_mydoom behavioral1/memory/1680-67-0x0000000000500000-0x0000000000510000-memory.dmp family_mydoom behavioral1/memory/1680-74-0x0000000000500000-0x0000000000510000-memory.dmp family_mydoom behavioral1/memory/1680-81-0x0000000000500000-0x0000000000510000-memory.dmp family_mydoom behavioral1/memory/1680-86-0x0000000000500000-0x0000000000510000-memory.dmp family_mydoom -
Executes dropped EXE 1 IoCs
pid Process 2404 services.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" 6f64a36e04850929786e5c23375f4fb6_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" services.exe -
resource yara_rule behavioral1/memory/1680-0-0x0000000000500000-0x0000000000510000-memory.dmp upx behavioral1/memory/1680-4-0x00000000001B0000-0x00000000001B8000-memory.dmp upx behavioral1/files/0x0008000000015d41-7.dat upx behavioral1/memory/2404-11-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/1680-17-0x0000000000500000-0x0000000000510000-memory.dmp upx behavioral1/memory/2404-20-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/2404-21-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/2404-26-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/2404-31-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/2404-33-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/2404-38-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/2404-43-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/2404-45-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/1680-49-0x0000000000500000-0x0000000000510000-memory.dmp upx behavioral1/memory/2404-50-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/files/0x0008000000015f71-60.dat upx behavioral1/memory/1680-67-0x0000000000500000-0x0000000000510000-memory.dmp upx behavioral1/memory/2404-68-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/2404-70-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/1680-74-0x0000000000500000-0x0000000000510000-memory.dmp upx behavioral1/memory/2404-75-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/2404-80-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/1680-81-0x0000000000500000-0x0000000000510000-memory.dmp upx behavioral1/memory/2404-82-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/1680-86-0x0000000000500000-0x0000000000510000-memory.dmp upx behavioral1/memory/2404-87-0x0000000000400000-0x0000000000408000-memory.dmp upx -
Drops file in Windows directory 3 IoCs
description ioc Process File created C:\Windows\services.exe 6f64a36e04850929786e5c23375f4fb6_JaffaCakes118.exe File opened for modification C:\Windows\java.exe 6f64a36e04850929786e5c23375f4fb6_JaffaCakes118.exe File created C:\Windows\java.exe 6f64a36e04850929786e5c23375f4fb6_JaffaCakes118.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6f64a36e04850929786e5c23375f4fb6_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language services.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1680 wrote to memory of 2404 1680 6f64a36e04850929786e5c23375f4fb6_JaffaCakes118.exe 30 PID 1680 wrote to memory of 2404 1680 6f64a36e04850929786e5c23375f4fb6_JaffaCakes118.exe 30 PID 1680 wrote to memory of 2404 1680 6f64a36e04850929786e5c23375f4fb6_JaffaCakes118.exe 30 PID 1680 wrote to memory of 2404 1680 6f64a36e04850929786e5c23375f4fb6_JaffaCakes118.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\6f64a36e04850929786e5c23375f4fb6_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\6f64a36e04850929786e5c23375f4fb6_JaffaCakes118.exe"1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Windows\services.exe"C:\Windows\services.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:2404
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD58e1ed196d3aeabb5272d51a6f78e9b00
SHA1ca58c85ed7d27f7079fcc2b389908ce8bd57574e
SHA256ce666e1fb159c1c5c342093364de70fdd5e7ec07c3a6ebb12b494e783867b803
SHA5127710d2c122fcf3fca3b4af6b9a2f693e439b2a137362f5833e671b2cf542e3591e3ffd0ea230e579a1b55191b184d3514d762d632c7934d21f0c3a6c9f1c429d
-
Filesize
28KB
MD50eba7d2836292b525dc5ff7e0c704db9
SHA1da37468948242ba7102f290aa821419e17e14b5e
SHA256604cb61983168df05bc2a556150c1c06d75258b6e1866ac34b9cbf704eede75b
SHA512f3878fe64639310916f2c242c56269bdc836859108ef2f89aa5d5ab68e5b0202d550aa40b1655df436588d203d5828237ae4808267a8f7612dd1cfba259b55ea
-
Filesize
1KB
MD5c829c12986583d82b399f9675513cf1a
SHA1629c6a894670e13f05864d45e334044139751d02
SHA2561b1ffe66f41b59bd7e1cece54ac8dbf4eeeda4e56f3957d497d15ea4cbcf9f16
SHA512ca0511be0b5af565a4fac724633f823cfac6abdde8c500a5fd179a016e6e720275d7b6c186bb810a8fd5008c2667c8372e47ddee52a34da9bd349628b63a39c3
-
Filesize
8KB
MD5b0fe74719b1b647e2056641931907f4a
SHA1e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA5129c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2