Analysis
max time kernel: 122s
max time network: 123s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 19/12/2024, 03:57
Behavioral task: behavioral1
Sample: fe588a7e6d14e92a0460304f0dce8395_JaffaCakes118.exe
Resource: win7-20241023-en
General
Target: fe588a7e6d14e92a0460304f0dce8395_JaffaCakes118.exe
Size: 784KB
MD5: fe588a7e6d14e92a0460304f0dce8395
SHA1: bfa9341fdd3ae347fa6047c3df9af373432a9adc
SHA256: 18e51835dd3f65d13399fd89346eae2b39087a199bce60ff03616666d4f5a8e3
SHA512: 5c89b273e1c5dcd11e5801dc98733c23c83a68856bc851f830384374f1d70c328cd44559b4a3f040390324d2c0e95315520090c1791eaa22333fa076cf42102d
SSDEEP: 12288:sl5SWnM2jHff0XUAxtGPPuy8PCPyhq1KGxPKmqvBXnk+NuEIY4xmVpXYQlMrhvg:snSWR/mUArGp8aywMMcvBXSAVpBlAUR
Malware Config
Signatures
Xmrig family

XMRig Miner payload (9 IoCs)
resource                                                                     yara_rule
behavioral1/memory/2036-1-0x0000000000400000-0x0000000000593000-memory.dmp   xmrig
behavioral1/memory/2036-15-0x0000000003160000-0x0000000003472000-memory.dmp  xmrig
behavioral1/memory/2036-14-0x0000000000400000-0x0000000000593000-memory.dmp  xmrig
behavioral1/memory/2528-18-0x0000000000400000-0x0000000000593000-memory.dmp  xmrig
behavioral1/memory/2528-24-0x0000000003120000-0x00000000032B3000-memory.dmp  xmrig
behavioral1/memory/2528-25-0x0000000000400000-0x0000000000587000-memory.dmp  xmrig
behavioral1/memory/2528-34-0x00000000005A0000-0x000000000071F000-memory.dmp  xmrig
behavioral1/memory/2528-35-0x0000000000400000-0x0000000000587000-memory.dmp  xmrig
behavioral1/memory/2036-36-0x0000000003160000-0x0000000003472000-memory.dmp  xmrig

Deletes itself (1 IoC)
pid   Process
2528  fe588a7e6d14e92a0460304f0dce8395_JaffaCakes118.exe

Executes dropped EXE (1 IoC)
pid   Process
2528  fe588a7e6d14e92a0460304f0dce8395_JaffaCakes118.exe

Loads dropped DLL (1 IoC)
pid   Process
2036  fe588a7e6d14e92a0460304f0dce8395_JaffaCakes118.exe

resource                                                                     yara_rule
behavioral1/memory/2036-0-0x0000000000400000-0x0000000000712000-memory.dmp   upx
behavioral1/memory/2528-17-0x0000000000400000-0x0000000000712000-memory.dmp  upx
behavioral1/files/0x000a00000001227d-16.dat                                  upx
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  fe588a7e6d14e92a0460304f0dce8395_JaffaCakes118.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  fe588a7e6d14e92a0460304f0dce8395_JaffaCakes118.exe

Suspicious behavior: RenamesItself (1 IoC)
pid   Process
2036  fe588a7e6d14e92a0460304f0dce8395_JaffaCakes118.exe

Suspicious use of UnmapMainImage (2 IoCs)
pid   Process
2036  fe588a7e6d14e92a0460304f0dce8395_JaffaCakes118.exe
2528  fe588a7e6d14e92a0460304f0dce8395_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (4 IoCs)
description                       pid   Process                                              procid_target
PID 2036 wrote to memory of 2528  2036  fe588a7e6d14e92a0460304f0dce8395_JaffaCakes118.exe  31
PID 2036 wrote to memory of 2528  2036  fe588a7e6d14e92a0460304f0dce8395_JaffaCakes118.exe  31
PID 2036 wrote to memory of 2528  2036  fe588a7e6d14e92a0460304f0dce8395_JaffaCakes118.exe  31
PID 2036 wrote to memory of 2528  2036  fe588a7e6d14e92a0460304f0dce8395_JaffaCakes118.exe  31
Processes
1. C:\Users\Admin\AppData\Local\Temp\fe588a7e6d14e92a0460304f0dce8395_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\fe588a7e6d14e92a0460304f0dce8395_JaffaCakes118.exe"
   PID: 2036
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: RenamesItself
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\fe588a7e6d14e92a0460304f0dce8395_JaffaCakes118.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\fe588a7e6d14e92a0460304f0dce8395_JaffaCakes118.exe
      PID: 2528
      - Deletes itself
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 784KB
MD5: 87c264f28c678de64ee875fc5caa4b23
SHA1: a1f6cc4a6e390e33e96f70703c5fb5028bcf8997
SHA256: b463910872a939c6332cf049daa833468e5ce8ffc3aaa66a22719da3990ef301
SHA512: d9e65b534786cf8fecf98865ed5347d3362750ad66fad92d3e4c26a071c208b6f84576f2e5f096b8539f36259ee50482f1022cc65df3a8f27e553cd54e1f2106