Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24/10/2024, 13:17
Behavioral task
behavioral1
Sample
73eb50d731889829becf58029a86eb45_JaffaCakes118.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
73eb50d731889829becf58029a86eb45_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
73eb50d731889829becf58029a86eb45_JaffaCakes118.exe
-
Size
28KB
-
MD5
73eb50d731889829becf58029a86eb45
-
SHA1
1c1b06f1b8a53fc3ccf365299251d32893a363d1
-
SHA256
a2d4cc146cb1b62a7d4128b0e277c7411921cf9f77cc7577599a00697f3492b1
-
SHA512
5e4348e1eef229728b4545d90a688ac48b55c55916501bb0c240f5c216e3eb6e65a75a051bc1400778684892d5cb609f3fd49c85d4cee13351a677db3b0ceda5
-
SSDEEP
384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyND52:Dv8IRRdsxq1DjJcqf3
Malware Config
Signatures
-
Detected microsoft outlook phishing page
-
Detects MyDoom family 8 IoCs
resource  yara_rule
behavioral2/memory/1928-13-0x0000000000500000-0x0000000000510000-memory.dmp  family_mydoom
behavioral2/memory/1928-39-0x0000000000500000-0x0000000000510000-memory.dmp  family_mydoom
behavioral2/memory/1928-93-0x0000000000500000-0x0000000000510000-memory.dmp  family_mydoom
behavioral2/memory/1928-249-0x0000000000500000-0x0000000000510000-memory.dmp  family_mydoom
behavioral2/memory/1928-251-0x0000000000500000-0x0000000000510000-memory.dmp  family_mydoom
behavioral2/memory/1928-261-0x0000000000500000-0x0000000000510000-memory.dmp  family_mydoom
behavioral2/memory/1928-294-0x0000000000500000-0x0000000000510000-memory.dmp  family_mydoom
behavioral2/memory/1928-298-0x0000000000500000-0x0000000000510000-memory.dmp  family_mydoom
-
Executes dropped EXE 1 IoCs
pid  Process
2892  services.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"  services.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"  73eb50d731889829becf58029a86eb45_JaffaCakes118.exe
Note: the values land under WOW6432Node because the 32-bit sample runs under WOW64 on the x64 image and registry redirection maps HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to that view. The redirected Run key is still processed at logon, so a hunt has to check both views.
-
UPX packed file 27 IoCs
resource  yara_rule
behavioral2/memory/1928-0-0x0000000000500000-0x0000000000510000-memory.dmp  upx
behavioral2/files/0x000d000000023b64-4.dat  upx
behavioral2/memory/2892-5-0x0000000000400000-0x0000000000408000-memory.dmp  upx
behavioral2/memory/1928-13-0x0000000000500000-0x0000000000510000-memory.dmp  upx
behavioral2/memory/2892-15-0x0000000000400000-0x0000000000408000-memory.dmp  upx
behavioral2/memory/2892-16-0x0000000000400000-0x0000000000408000-memory.dmp  upx
behavioral2/memory/2892-21-0x0000000000400000-0x0000000000408000-memory.dmp  upx
behavioral2/memory/2892-26-0x0000000000400000-0x0000000000408000-memory.dmp  upx
behavioral2/memory/2892-28-0x0000000000400000-0x0000000000408000-memory.dmp  upx
behavioral2/memory/2892-33-0x0000000000400000-0x0000000000408000-memory.dmp  upx
behavioral2/memory/2892-38-0x0000000000400000-0x0000000000408000-memory.dmp  upx
behavioral2/memory/1928-39-0x0000000000500000-0x0000000000510000-memory.dmp  upx
behavioral2/memory/2892-40-0x0000000000400000-0x0000000000408000-memory.dmp  upx
behavioral2/files/0x000f00000001e5c5-53.dat  upx
behavioral2/memory/1928-93-0x0000000000500000-0x0000000000510000-memory.dmp  upx
behavioral2/memory/2892-94-0x0000000000400000-0x0000000000408000-memory.dmp  upx
behavioral2/memory/1928-249-0x0000000000500000-0x0000000000510000-memory.dmp  upx
behavioral2/memory/2892-250-0x0000000000400000-0x0000000000408000-memory.dmp  upx
behavioral2/memory/1928-251-0x0000000000500000-0x0000000000510000-memory.dmp  upx
behavioral2/memory/2892-252-0x0000000000400000-0x0000000000408000-memory.dmp  upx
behavioral2/memory/2892-257-0x0000000000400000-0x0000000000408000-memory.dmp  upx
behavioral2/memory/1928-261-0x0000000000500000-0x0000000000510000-memory.dmp  upx
behavioral2/memory/2892-262-0x0000000000400000-0x0000000000408000-memory.dmp  upx
behavioral2/memory/1928-294-0x0000000000500000-0x0000000000510000-memory.dmp  upx
behavioral2/memory/2892-295-0x0000000000400000-0x0000000000408000-memory.dmp  upx
behavioral2/memory/1928-298-0x0000000000500000-0x0000000000510000-memory.dmp  upx
behavioral2/memory/2892-299-0x0000000000400000-0x0000000000408000-memory.dmp  upx
-
Drops file in Windows directory 3 IoCs
description  ioc  Process
File created  C:\Windows\services.exe  73eb50d731889829becf58029a86eb45_JaffaCakes118.exe
File opened for modification  C:\Windows\java.exe  73eb50d731889829becf58029a86eb45_JaffaCakes118.exe
File created  C:\Windows\java.exe  73eb50d731889829becf58029a86eb45_JaffaCakes118.exe
Note: the legitimate services.exe is %SystemRoot%\System32\services.exe. A copy in the root of the Windows directory is name masquerading, and java.exe does not belong in the Windows directory at all; both paths are worth a file-existence check on suspect hosts.
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  73eb50d731889829becf58029a86eb45_JaffaCakes118.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  services.exe
-
Suspicious use of WriteProcessMemory 3 IoCs
description  pid  Process  procid_target
PID 1928 wrote to memory of 2892  1928  73eb50d731889829becf58029a86eb45_JaffaCakes118.exe  84
PID 1928 wrote to memory of 2892  1928  73eb50d731889829becf58029a86eb45_JaffaCakes118.exe  84
PID 1928 wrote to memory of 2892  1928  73eb50d731889829becf58029a86eb45_JaffaCakes118.exe  84
Processes
-
C:\Users\Admin\AppData\Local\Temp\73eb50d731889829becf58029a86eb45_JaffaCakes118.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\73eb50d731889829becf58029a86eb45_JaffaCakes118.exe"
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Windows\services.exe (level 2, child of PID 1928)
Command line: "C:\Windows\services.exe"
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:2892
-
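The following PowerShell hunt script is an added example for checking a live host against the persistence and file IoCs recorded in this run; it is not part of the tria.ge report or of the sandbox's tooling. It assumes the Run value names, dropped-file paths and sample SHA256 exactly as listed above. The dropped files' own hashes are not stated on this page, so the script reports their SHA256 rather than matching it.

```powershell
# Host hunt for the persistence and file IoCs recorded in the sandbox run above.
# Added example, not tria.ge code. Only the submitted sample's SHA256 is on the
# report page, so dropped files are matched by path and their hash is printed for
# comparison. Run elevated so Win32_Process exposes every ExecutablePath.

$SampleSha256 = 'a2d4cc146cb1b62a7d4128b0e277c7411921cf9f77cc7577599a00697f3492b1'

# Run-key value names and targets exactly as the report records them.
$RunValues = [ordered]@{
    'Services' = 'C:\Windows\services.exe'
    'JavaVM'   = 'C:\Windows\java.exe'
}

# The report shows the values under WOW6432Node because the 32-bit sample ran under
# WOW64 and registry redirection placed them there. Check both views plus HKCU.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

$findings = New-Object System.Collections.Generic.List[object]

foreach ($key in $RunKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $RunValues.Keys) {
        $prop = $props.PSObject.Properties[$name]
        if ($null -ne $prop) {
            $findings.Add([pscustomobject]@{
                Type   = 'RunKey'
                Where  = "$key\$name"
                Detail = $prop.Value
            })
        }
    }
}

foreach ($path in $RunValues.Values) {
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLower()
        $note = if ($hash -eq $SampleSha256) { ' (identical to submitted sample)' } else { '' }
        $findings.Add([pscustomobject]@{
            Type   = 'DroppedFile'
            Where  = $path
            Detail = "sha256=$hash$note"
        })
    }
}

# The genuine services.exe lives in %SystemRoot%\System32; one running from the
# Windows directory root is the masquerade the process tree shows. java.exe is only
# suspicious at the exact dropped path, so legitimate JRE installs are not flagged.
$procs = Get-CimInstance -ClassName Win32_Process -Filter "Name = 'services.exe' OR Name = 'java.exe'"
foreach ($p in $procs) {
    $exe = $p.ExecutablePath
    if (-not $exe) { continue }
    $suspicious = switch ($p.Name) {
        'services.exe' { $exe -ne (Join-Path $env:SystemRoot 'System32\services.exe') }
        'java.exe'     { $exe -eq (Join-Path $env:SystemRoot 'java.exe') }
    }
    if ($suspicious) {
        $findings.Add([pscustomobject]@{
            Type   = 'Process'
            Where  = "PID $($p.ProcessId)"
            Detail = $exe
        })
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No IoCs from this report found on this host.'
} else {
    $findings | Format-Table -AutoSize
}
```

String comparisons in PowerShell are case-insensitive by default, which is what you want for Windows paths. A hit on the Run key alone is worth escalating even if the target file is gone: the sample writes the key from the dropped copy, so an orphaned value usually means cleanup was partial.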
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 153KB
MD5 b2e3f5057b267d64ecf580fe22070b7a
SHA1 61c504bf979b7110964504083d56f9c5ef9267ac
SHA256 2b421b1f42f3c17b3f1d5126fe4a8753cf429e27762243275437ba07f8a21cee
SHA512 42438691648b414b9f5b62c16bc74265b91b57bc9e5362121eec9fa63aa593b483f45363be4261dd1c40f6e12614deb8c3e32409899493a8c4b7630486bed674
-
Filesize 153KB
MD5 7076e65b5d0f42a242ed6d5b74b7bf16
SHA1 19d617c0ec757416fb169972eb56d4bbfdf3ecfd
SHA256 2662cd44b60f5e3f88d53a21e0f1b68fbeb074147d2f4b901ba44b7ff6b21218
SHA512 5c29c1e6dbb1cb4ebbbb0c5151f331a996839486808b2c300e856e55b1d3a166357775219180eaf94e3867e88ab0b17761dc9721f074340e9dae26cc2d3f5847
-
Filesize 1KB
MD5 ee432ecb0070528a072296c960488976
SHA1 4148880a3030c47760dced202eea51b0a01cfa95
SHA256 07fc6d5f3abef9d3810c933d53383b7e010cf6b0cf66cbd3db0e6786b7a1ac9c
SHA512 92c20317deea55b34ae5ca28cba78f93a91215d247a0bac40b02a601a4e789d7f72304608b966c2ac753c93b68c3ce7f75780769c8a10cf6fb47afae2e6e9aa2
-
Filesize 25B
MD5 8ba61a16b71609a08bfa35bc213fce49
SHA1 8374dddcc6b2ede14b0ea00a5870a11b57ced33f
SHA256 6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1
SHA512 5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1
-
Filesize 28KB
MD5 64e7fe2ca7ae2de78d9820e5787a7c06
SHA1 60cb0afd1623412623475d24451c91fb2b5bc1af
SHA256 8af2798395e9c6725a1178ce94db4abf38ea9cd113722932a564fb87541ed6c4
SHA512 8c44b3f3898c98aa9b7484183099032b43f847334eb03763ae689ab51c7278299fc363edc891490a3f9f0d4e43205e38f70180a9856e41b146b700f272724096
-
Filesize 1KB
MD5 969bcd50f97776b3abcc3d886b5a9e93
SHA1 26a9985d8174e3b8b764279645cd7ffb85794653
SHA256 c85eb63153d480846363fcebec9b2f46c39a2881aed1f7ce10a38afe8d7d53a6
SHA512 b27adadbabfd19ec165341ec1218ed2333b71bcadc4df97a2c5f7594800b6824f7438f1a3ea64e99c9aac034a4771f62623af513a668be8f1437226eba34bb1f
-
Filesize 1KB
MD5 55e03bb0dbe6a89ceffe27b271db5072
SHA1 6d3a67ee412f8dfba5e0a57a4777de8b33cf6853
SHA256 2cefba54d04720278ce942a0db47407b1d97c089e1b4f8dd4f3af578b705216c
SHA512 d9596fed7f23eec8741ed7eeb6f83f9272ada3ea8f8b925b66119605dd88fb952ba3c202854fd5d39886fd4b74e8994306461e3510688e48ed96a6d3dc871d24
-
Filesize 1KB
MD5 7baa884ae2c0789760819a0257a69571
SHA1 012b359466fd7b0d8903e355c73ff52102bcc806
SHA256 a54be85e41e1bcd461c65d86e1ee1f34d83c18eaf6dcf07e6b7d76252f2ffdcf
SHA512 79067b579a160ea07ec116d016e1770a9f944447ff22ab24fb3b2c15eeb2a010186f9ff0a73c96a587d55a30a24d8fdb678429e975f71895e8e757324dc14741
-
Filesize 8KB
MD5 b0fe74719b1b647e2056641931907f4a
SHA1 e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256 bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA512 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2