Analysis
max time kernel: 150s
max time network: 151s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 24/10/2024, 21:50
Behavioral task: behavioral1
  Sample: 73eb50d731889829becf58029a86eb45_JaffaCakes118.exe
  Resource: win11-20241007-en

Behavioral task: behavioral2
  Sample: out.exe
  Resource: win11-20241007-en
General
Target: 73eb50d731889829becf58029a86eb45_JaffaCakes118.exe
Size: 28KB
MD5: 73eb50d731889829becf58029a86eb45
SHA1: 1c1b06f1b8a53fc3ccf365299251d32893a363d1
SHA256: a2d4cc146cb1b62a7d4128b0e277c7411921cf9f77cc7577599a00697f3492b1
SHA512: 5e4348e1eef229728b4545d90a688ac48b55c55916501bb0c240f5c216e3eb6e65a75a051bc1400778684892d5cb609f3fd49c85d4cee13351a677db3b0ceda5
SSDEEP: 384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyND52:Dv8IRRdsxq1DjJcqf3
Malware Config
Signatures

Detects MyDoom family (8 IoCs)
  resource | yara_rule
  behavioral1/memory/2956-13-0x0000000000500000-0x0000000000510000-memory.dmp | family_mydoom
  behavioral1/memory/2956-39-0x0000000000500000-0x0000000000510000-memory.dmp | family_mydoom
  behavioral1/memory/2956-44-0x0000000000500000-0x0000000000510000-memory.dmp | family_mydoom
  behavioral1/memory/2956-138-0x0000000000500000-0x0000000000510000-memory.dmp | family_mydoom
  behavioral1/memory/2956-163-0x0000000000500000-0x0000000000510000-memory.dmp | family_mydoom
  behavioral1/memory/2956-172-0x0000000000500000-0x0000000000510000-memory.dmp | family_mydoom
  behavioral1/memory/2956-200-0x0000000000500000-0x0000000000510000-memory.dmp | family_mydoom
  behavioral1/memory/2956-239-0x0000000000500000-0x0000000000510000-memory.dmp | family_mydoom

Executes dropped EXE (1 IoC)
  pid | Process
  2456 | services.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" | 73eb50d731889829becf58029a86eb45_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" | services.exe

  resource | yara_rule
  behavioral1/memory/2956-0-0x0000000000500000-0x0000000000510000-memory.dmp | upx
  behavioral1/files/0x001c00000002aa9c-4.dat | upx
  behavioral1/memory/2456-5-0x0000000000400000-0x0000000000408000-memory.dmp | upx
  behavioral1/memory/2956-13-0x0000000000500000-0x0000000000510000-memory.dmp | upx
  behavioral1/memory/2456-15-0x0000000000400000-0x0000000000408000-memory.dmp | upx
  behavioral1/memory/2456-16-0x0000000000400000-0x0000000000408000-memory.dmp | upx
  behavioral1/memory/2456-21-0x0000000000400000-0x0000000000408000-memory.dmp | upx
  behavioral1/memory/2456-26-0x0000000000400000-0x0000000000408000-memory.dmp | upx
  behavioral1/memory/2456-28-0x0000000000400000-0x0000000000408000-memory.dmp | upx
  behavioral1/memory/2456-33-0x0000000000400000-0x0000000000408000-memory.dmp | upx
  behavioral1/memory/2456-38-0x0000000000400000-0x0000000000408000-memory.dmp | upx
  behavioral1/memory/2956-39-0x0000000000500000-0x0000000000510000-memory.dmp | upx
  behavioral1/memory/2456-40-0x0000000000400000-0x0000000000408000-memory.dmp | upx
  behavioral1/memory/2956-44-0x0000000000500000-0x0000000000510000-memory.dmp | upx
  behavioral1/memory/2456-45-0x0000000000400000-0x0000000000408000-memory.dmp | upx
  behavioral1/files/0x001c00000002aaf3-55.dat | upx
  behavioral1/memory/2956-138-0x0000000000500000-0x0000000000510000-memory.dmp | upx
  behavioral1/memory/2456-139-0x0000000000400000-0x0000000000408000-memory.dmp | upx
  behavioral1/memory/2956-163-0x0000000000500000-0x0000000000510000-memory.dmp | upx
  behavioral1/memory/2456-164-0x0000000000400000-0x0000000000408000-memory.dmp | upx
  behavioral1/memory/2456-168-0x0000000000400000-0x0000000000408000-memory.dmp | upx
  behavioral1/memory/2956-172-0x0000000000500000-0x0000000000510000-memory.dmp | upx
  behavioral1/memory/2456-173-0x0000000000400000-0x0000000000408000-memory.dmp | upx
  behavioral1/memory/2956-200-0x0000000000500000-0x0000000000510000-memory.dmp | upx
  behavioral1/memory/2456-201-0x0000000000400000-0x0000000000408000-memory.dmp | upx
  behavioral1/memory/2956-239-0x0000000000500000-0x0000000000510000-memory.dmp | upx
  behavioral1/memory/2456-240-0x0000000000400000-0x0000000000408000-memory.dmp | upx

Drops file in Windows directory (3 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\java.exe | 73eb50d731889829becf58029a86eb45_JaffaCakes118.exe
  File created | C:\Windows\java.exe | 73eb50d731889829becf58029a86eb45_JaffaCakes118.exe
  File created | C:\Windows\services.exe | 73eb50d731889829becf58029a86eb45_JaffaCakes118.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mshta.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 73eb50d731889829becf58029a86eb45_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | services.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 2956 wrote to memory of 2456 | 2956 | 73eb50d731889829becf58029a86eb45_JaffaCakes118.exe | 77
  PID 2956 wrote to memory of 2456 | 2956 | 73eb50d731889829becf58029a86eb45_JaffaCakes118.exe | 77
  PID 2956 wrote to memory of 2456 | 2956 | 73eb50d731889829becf58029a86eb45_JaffaCakes118.exe | 77
Processes

C:\Users\Admin\AppData\Local\Temp\73eb50d731889829becf58029a86eb45_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\73eb50d731889829becf58029a86eb45_JaffaCakes118.exe"
  PID: 2956
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Windows\services.exe
    Command line: "C:\Windows\services.exe"
    PID: 2456
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\mshta.exe
  Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\UndoConfirm.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  PID: 1568
  - System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\werfault.exe
  Command line: werfault.exe /h /shared Global\8bec10b2b6a741eaab67d27c93a84f25 /t 1472 /p 1568
  PID: 2368
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 312B
MD5: c15952329e9cd008b41f979b6c76b9a2
SHA1: 53c58cc742b5a0273df8d01ba2779a979c1ff967
SHA256: 5d065a88f9a1fb565c2d70e87148d469dd9dcbbefea4ccc8c181745eda748ab7
SHA512: 6aecdd949abcd2cb54e2fe3e1171ee47c247aa3980a0847b9934f506ef9b2d3180831adf6554c68b0621f9f9f3cd88767ef9487bc6e51cecd6a8857099a7b296

Filesize: 315B
MD5: 14b82aec966e8e370a28053db081f4e9
SHA1: a0f30ebbdb4c69947d3bd41fa63ec4929dddd649
SHA256: 202eada95ef503b303a05caf5a666f538236c7e697f5301fd178d994fa6e24cf
SHA512: ec04f1d86137dc4d75a47ba47bb2f2c912115372fa000cf986d13a04121aae9974011aa716c7da3893114e0d5d0e2fb680a6c2fd40a1f93f0e0bfd6fd625dfa7

Filesize: 25B
MD5: 8ba61a16b71609a08bfa35bc213fce49
SHA1: 8374dddcc6b2ede14b0ea00a5870a11b57ced33f
SHA256: 6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1
SHA512: 5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Filesize: 28KB
MD5: 8180865618aa06781f5ed6ff06c0f649
SHA1: 2943c5d93f9ba7f0d8e8e3b2dd6a93c896a183ba
SHA256: 15fb5abc3879cbad69a92a1daadd3338b1d2795014d134fd119adad81b22c7b0
SHA512: a23d3e87967aeb3fb63d8a2737dba40ef6266c4d5e90c7d437338b62616c41547a432120c879b36f018dd95f2524b3412252df208a73e85566f5961d6f95705c

Filesize: 1KB
MD5: ff5c5f06246977305c93d4d257fe77e4
SHA1: a12378a2257f76c57e5ce772ec8a0844a329dbf4
SHA256: db7e29ae8d73ebb121038b16e2fc9a126dffcc72e74c3661585dc3f9fa78fea5
SHA512: 87a34a6ce0c2e479b91f6b0a6a833d0aeb00f96d1142f69bc414e7c118c1ade5381f9a26572783532b5a8f01c0f725f8b53b3bdc59b39a79ef732d7a0aa9931d

Filesize: 1KB
MD5: 875c5d2fb8bf7a4414b975c49a53a913
SHA1: 8b6f55213c4724f6c59ff6b4a8415ab7076c4fb7
SHA256: e5ada524bccfa91dd06f5513b3bc835ca6f0be5bc190d6ee6551a188937b6061
SHA512: 5ff6ccda6b776ded49bbe65d4bfc773a120531330b367f53ae555f671f157f602b8a36fbbfca3ff98f5fe6305de3b17958173d58e70c68cf6da33f459bbe32e5

Filesize: 1KB
MD5: 2b6eacb14cfcdf8e8dcfda258dee8d26
SHA1: ac210774a723ead3041eb712fc71dfa4935648be
SHA256: 249075696527417f7a60b6003dab1c7d904538c27f3b87d8f62df5a3f9df2e9b
SHA512: 9b2bf2d583db3d92430aaff2dedd2211bfb6fd8b798cd5487fae8fcf30addc808caaf65c085d965876c0037c34a64db8d34ed6a08e07a9993895dd458adc1c49

Filesize: 8KB
MD5: b0fe74719b1b647e2056641931907f4a
SHA1: e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256: bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512: 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2