Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 148s
max time network: 154s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 27/10/2024, 22:22
Behavioral task: behavioral1
Sample: 763d06f09c646c995c9ded35754f35e1_JaffaCakes118.exe
Resource: win7-20241010-en
General
Target: 763d06f09c646c995c9ded35754f35e1_JaffaCakes118.exe
Size: 208KB
MD5: 763d06f09c646c995c9ded35754f35e1
SHA1: 5b3ee41d3d354468f34bbc0b74931c642aa64321
SHA256: 64d12b6ed1fc65eaaf9410903955668bfa6fd6ae699dcabc6e9cad74ffb42c1d
SHA512: 296dfb3805758fdc5dbc1d33f14c2a65ae7e0a4f3ced1e388dcd630c72af570c10ac0b8b77147049a603577acfa7560446fa43fef17be750f8f85e825f524aa8
SSDEEP: 6144:v5hPwKr+MAPdJREOmr9H0j0AXY2vajGm:fPwKr+9dTYUj/CjG
Malware Config
Signatures
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinUpdate.lnk (process: 763d06f09c646c995c9ded35754f35e1_JaffaCakes118.exe)
Executes dropped EXE (2 IoCs)
  PID 1100: msftdm.exe
  PID 2412: msftdm32.exe
Loads dropped DLL (10 IoCs)
  PID 2476: 763d06f09c646c995c9ded35754f35e1_JaffaCakes118.exe
  PID 2476: 763d06f09c646c995c9ded35754f35e1_JaffaCakes118.exe
  PID 2476: 763d06f09c646c995c9ded35754f35e1_JaffaCakes118.exe
  PID 1100: msftdm.exe
  PID 2412: msftdm32.exe
  PID 1100: msftdm.exe
  PID 2412: msftdm32.exe
  PID 1100: msftdm.exe
  PID 2412: msftdm32.exe
  PID 1100: msftdm.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
resource / yara_rule
  behavioral1/memory/2476-1-0x0000000000400000-0x0000000000489000-memory.dmp: upx
  behavioral1/memory/2476-89-0x0000000000400000-0x0000000000489000-memory.dmp: upx
Drops file in Windows directory (1 IoC)
  File opened for modification: C:\Windows\INF\setupapi.app.log (process: 763d06f09c646c995c9ded35754f35e1_JaffaCakes118.exe)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 763d06f09c646c995c9ded35754f35e1_JaffaCakes118.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: msftdm.exe)
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2476 wrote to memory of 1100 (process: 763d06f09c646c995c9ded35754f35e1_JaffaCakes118.exe, target procid: 30), 4 entries
  PID 2476 wrote to memory of 2412 (process: 763d06f09c646c995c9ded35754f35e1_JaffaCakes118.exe, target procid: 31), 4 entries
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\763d06f09c646c995c9ded35754f35e1_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\763d06f09c646c995c9ded35754f35e1_JaffaCakes118.exe"
  - Drops startup file
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2476
  Level 2: C:\Users\Admin\AppData\Roaming\IDENTI~1\VCLVCL~1\msftdm.exe
    Command line: "C:\Users\Admin\AppData\Roaming\IDENTI~1\VCLVCL~1\msftdm.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID: 1100
  Level 2: C:\Users\Admin\AppData\Roaming\IDENTI~1\VCLVCL~1\msftdm32.exe
    Command line: "C:\Users\Admin\AppData\Roaming\IDENTI~1\VCLVCL~1\msftdm32.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 2412
Network
MITRE ATT&CK Enterprise v15
Downloads