Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
28/03/2024, 09:28
Static task
static1
Behavioral task
behavioral1
Sample
022cdd46e12a85a8d03339eba5b19997_JaffaCakes118.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
022cdd46e12a85a8d03339eba5b19997_JaffaCakes118.exe
Resource
win10v2004-20240226-en
General
-
Target
022cdd46e12a85a8d03339eba5b19997_JaffaCakes118.exe
-
Size
463KB
-
MD5
022cdd46e12a85a8d03339eba5b19997
-
SHA1
efdd42cddb3acf19f5304e9072cfb5fc7da6d32e
-
SHA256
c8d543bd6e7932a1ec3dc31da1743ff78878eff55a741d276ef8f3f5bae73575
-
SHA512
23b9f6c3bff1333939861fa231f5b40652bc15e40f0c04ac6cf89326ce65c579e02842c5f9fdb6117d237c240d446e9e0e93559002c0176ad12ac4a307a5fe69
-
SSDEEP
6144:47kWcDpi78KSrafqV5areuyFwBqgmGNGXN/O8OCLF1Lkl1QMyBVk/7bgRmg+LAKG:47lc87eqqV5e+wBV6O+K/Cm1Lxgp
Malware Config
Signatures
-
Executes dropped EXE 3 IoCs
pid Process 3612 ARPfmon.exe 2944 back_isv.exe 2408 ~4B41.tmp -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Easetvol = "C:\\Users\\Admin\\AppData\\Roaming\\dxdiedit\\ARPfmon.exe" 022cdd46e12a85a8d03339eba5b19997_JaffaCakes118.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File created C:\Windows\SysWOW64\back_isv.exe 022cdd46e12a85a8d03339eba5b19997_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3612 ARPfmon.exe 3612 ARPfmon.exe 3388 Explorer.EXE 3388 Explorer.EXE 3388 Explorer.EXE 3388 Explorer.EXE 3388 Explorer.EXE 3388 Explorer.EXE 3388 Explorer.EXE 3388 Explorer.EXE 3388 Explorer.EXE 3388 Explorer.EXE 3388 Explorer.EXE 3388 Explorer.EXE 3388 Explorer.EXE 3388 Explorer.EXE 3388 Explorer.EXE 3388 Explorer.EXE 3388 Explorer.EXE 3388 Explorer.EXE 3388 Explorer.EXE 3388 Explorer.EXE 3388 Explorer.EXE 3388 Explorer.EXE 3388 Explorer.EXE 3388 Explorer.EXE 3388 Explorer.EXE 3388 Explorer.EXE 3388 Explorer.EXE 3388 Explorer.EXE 3388 Explorer.EXE 3388 Explorer.EXE 3388 Explorer.EXE 3388 Explorer.EXE 3388 Explorer.EXE 3388 Explorer.EXE 3388 Explorer.EXE 3388 Explorer.EXE 3388 Explorer.EXE 3388 Explorer.EXE 3388 Explorer.EXE 3388 Explorer.EXE 3388 Explorer.EXE 3388 Explorer.EXE 3388 Explorer.EXE 3388 Explorer.EXE 3388 Explorer.EXE 3388 Explorer.EXE 3388 Explorer.EXE 3388 Explorer.EXE 3388 Explorer.EXE 3388 Explorer.EXE 3388 Explorer.EXE 3388 Explorer.EXE 3388 Explorer.EXE 3388 Explorer.EXE 3388 Explorer.EXE 3388 Explorer.EXE 3388 Explorer.EXE 3388 Explorer.EXE 3388 Explorer.EXE 3388 Explorer.EXE 3388 Explorer.EXE 3388 Explorer.EXE -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3612 ARPfmon.exe -
Suspicious use of UnmapMainImage 1 IoCs
pid Process 3388 Explorer.EXE -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 1932 wrote to memory of 3612 1932 022cdd46e12a85a8d03339eba5b19997_JaffaCakes118.exe 89 PID 1932 wrote to memory of 3612 1932 022cdd46e12a85a8d03339eba5b19997_JaffaCakes118.exe 89 PID 1932 wrote to memory of 3612 1932 022cdd46e12a85a8d03339eba5b19997_JaffaCakes118.exe 89 PID 3612 wrote to memory of 2408 3612 ARPfmon.exe 91 PID 3612 wrote to memory of 2408 3612 ARPfmon.exe 91 PID 2408 wrote to memory of 3388 2408 ~4B41.tmp 56
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
PID:3388 -
C:\Users\Admin\AppData\Local\Temp\022cdd46e12a85a8d03339eba5b19997_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\022cdd46e12a85a8d03339eba5b19997_JaffaCakes118.exe"2⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1932 -
C:\Users\Admin\AppData\Roaming\dxdiedit\ARPfmon.exe"C:\Users\Admin\AppData\Roaming\dxdiedit"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3612 -
C:\Users\Admin\AppData\Local\Temp\~4B41.tmp3388 474632 3612 14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2408
-
-
-
-
C:\Windows\SysWOW64\back_isv.exeC:\Windows\SysWOW64\back_isv.exe -s1⤵
- Executes dropped EXE
PID:2944
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
MD586dc243576cf5c7445451af37631eea9
SHA199a81c47c4c02f32c0ab456bfa23c306c7a09bf9
SHA25625d2a671e1b5b5b95697ac0234ce4d46e0d0894919521b54aabebd9daecf994a
SHA512c7310524f9b65f811146c1eb6ae944966351ac88a95fbc1ac422d8810730e5e212a7e28090ad758ea23c96ba38073e7fcf42460575e7f09dbc759a45c5d5a4a4
-
Filesize
463KB
MD517f4bcd6c7076d89dd0579616456e63d
SHA163dcabd37ecaa191fc2c0d4fc1d9dff757c08f91
SHA256c0119720567d95c4aacbeace1d36265ba25557a3f5430736d9edc7423e15ed5c
SHA51264e5b30e617ea78a89dbff86a158db9f1507b4f8f6ece7b0f2505bb9ecb603552963ab3cbd60f70fc7404ac9199e62785a2515c7f603f5039ba38b18be06853b