Analysis

max time kernel: 148s
max time network: 149s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 27/12/2024, 02:48
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_c9409dcdd35f34531c3a7e692b46be9ec74efc25d0cb8c322a099adfb95055ee.exe
Resource: win7-20240903-en
General

Target: JaffaCakes118_c9409dcdd35f34531c3a7e692b46be9ec74efc25d0cb8c322a099adfb95055ee.exe
Size: 383KB
MD5: 4c1c1353d9ba6ccbb2c14f31b77c7a78
SHA1: 6bdfd8cdebd9455c4e8dec17d992764865b52c56
SHA256: c9409dcdd35f34531c3a7e692b46be9ec74efc25d0cb8c322a099adfb95055ee
SHA512: fef17d2dd8e96cf7abff922e8be0ddcc7ca2cb736aed76325b8e03b71eb22fd3f53551dca4cb83e272fbc4b85fb12796e118aa206a6ae36c3d49846f63844177
SSDEEP: 6144:++E1M63eDwShxpZWqipaOkBI2KbQBL3XjpuzbgwuO0RikwVfT:1Ei63eDwQX7ipaJB1GcL3tunnwR
Malware Config

Extracted
Family: amadey
Version: 3.08
Botnet: d00855
C2: http://179.43.154.147
install_dir: 9d5cca72fb
install_file: ftewk.exe
strings_key: 9defde16baecb416084964a9b667f06e
url_paths: /d2VxjasuwS/index.php
Signatures

Amadey family

Executes dropped EXE (3 IoCs)

| pid  | Process   |
|------|-----------|
| 2392 | ftewk.exe |
| 1300 | ftewk.exe |
| 2060 | ftewk.exe |

Loads dropped DLL (2 IoCs)

| pid  | Process |
|------|---------|
| 2128 | JaffaCakes118_c9409dcdd35f34531c3a7e692b46be9ec74efc25d0cb8c322a099adfb95055ee.exe |
| 2128 | JaffaCakes118_c9409dcdd35f34531c3a7e692b46be9ec74efc25d0cb8c322a099adfb95055ee.exe |

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
| description | ioc | Process |
|-------------|-----|---------|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ftewk.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ftewk.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ftewk.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_c9409dcdd35f34531c3a7e692b46be9ec74efc25d0cb8c322a099adfb95055ee.exe |

Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

| pid  | Process      |
|------|--------------|
| 2340 | schtasks.exe |

Suspicious use of WriteProcessMemory (24 IoCs)

| description | pid | Process | procid_target |
|-------------|-----|---------|---------------|
| PID 2128 wrote to memory of 2392 | 2128 | JaffaCakes118_c9409dcdd35f34531c3a7e692b46be9ec74efc25d0cb8c322a099adfb95055ee.exe | 30 |
| PID 2128 wrote to memory of 2392 | 2128 | JaffaCakes118_c9409dcdd35f34531c3a7e692b46be9ec74efc25d0cb8c322a099adfb95055ee.exe | 30 |
| PID 2128 wrote to memory of 2392 | 2128 | JaffaCakes118_c9409dcdd35f34531c3a7e692b46be9ec74efc25d0cb8c322a099adfb95055ee.exe | 30 |
| PID 2128 wrote to memory of 2392 | 2128 | JaffaCakes118_c9409dcdd35f34531c3a7e692b46be9ec74efc25d0cb8c322a099adfb95055ee.exe | 30 |
| PID 2392 wrote to memory of 2156 | 2392 | ftewk.exe | 31 |
| PID 2392 wrote to memory of 2156 | 2392 | ftewk.exe | 31 |
| PID 2392 wrote to memory of 2156 | 2392 | ftewk.exe | 31 |
| PID 2392 wrote to memory of 2156 | 2392 | ftewk.exe | 31 |
| PID 2392 wrote to memory of 2340 | 2392 | ftewk.exe | 33 |
| PID 2392 wrote to memory of 2340 | 2392 | ftewk.exe | 33 |
| PID 2392 wrote to memory of 2340 | 2392 | ftewk.exe | 33 |
| PID 2392 wrote to memory of 2340 | 2392 | ftewk.exe | 33 |
| PID 2156 wrote to memory of 2856 | 2156 | cmd.exe | 35 |
| PID 2156 wrote to memory of 2856 | 2156 | cmd.exe | 35 |
| PID 2156 wrote to memory of 2856 | 2156 | cmd.exe | 35 |
| PID 2156 wrote to memory of 2856 | 2156 | cmd.exe | 35 |
| PID 1200 wrote to memory of 1300 | 1200 | taskeng.exe | 39 |
| PID 1200 wrote to memory of 1300 | 1200 | taskeng.exe | 39 |
| PID 1200 wrote to memory of 1300 | 1200 | taskeng.exe | 39 |
| PID 1200 wrote to memory of 1300 | 1200 | taskeng.exe | 39 |
| PID 1200 wrote to memory of 2060 | 1200 | taskeng.exe | 40 |
| PID 1200 wrote to memory of 2060 | 1200 | taskeng.exe | 40 |
| PID 1200 wrote to memory of 2060 | 1200 | taskeng.exe | 40 |
| PID 1200 wrote to memory of 2060 | 1200 | taskeng.exe | 40 |
Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c9409dcdd35f34531c3a7e692b46be9ec74efc25d0cb8c322a099adfb95055ee.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c9409dcdd35f34531c3a7e692b46be9ec74efc25d0cb8c322a099adfb95055ee.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2128

    C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2392

        C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID: 2156

            C:\Windows\SysWOW64\reg.exe
              Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\
              - System Location Discovery: System Language Discovery
              PID: 2856

        C:\Windows\SysWOW64\schtasks.exe
          Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN ftewk.exe /TR "C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe" /F
          - System Location Discovery: System Language Discovery
          - Scheduled Task/Job: Scheduled Task
          PID: 2340

C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {25AA08AB-15FB-437B-8EDE-586A3F0E7C92} S-1-5-21-1488793075-819845221-1497111674-1000:UPNECVIU\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  PID: 1200

    C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 1300

    C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 2060
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 63KB
MD5: d1248ae09d49ba2f88f2401d0c47a01f
SHA1: 44bf3a5a0a3284450b2d2465403677d39615d34a
SHA256: 1b81d78e3d140863fcbb459d5f1994f5b9f8f161f9e72ad9f4cd97fa80b3f84a
SHA512: 4bd894ef6bc52cc1d95e64bfa0d00aa4616ad2c5f9a8e50b5a3f6253d664c602a07231053b4094f9fbac2a3c85b8fe73bb472861f63dee9aa220fa4d21b0b9f1

Filesize: 383KB
MD5: 4c1c1353d9ba6ccbb2c14f31b77c7a78
SHA1: 6bdfd8cdebd9455c4e8dec17d992764865b52c56
SHA256: c9409dcdd35f34531c3a7e692b46be9ec74efc25d0cb8c322a099adfb95055ee
SHA512: fef17d2dd8e96cf7abff922e8be0ddcc7ca2cb736aed76325b8e03b71eb22fd3f53551dca4cb83e272fbc4b85fb12796e118aa206a6ae36c3d49846f63844177