Analysis

max time kernel: 92s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/04/2024, 15:11
Static task: static1

Behavioral task: behavioral1
  Sample: d74029dd8757698561295c4c3c3f1318_JaffaCakes118.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: d74029dd8757698561295c4c3c3f1318_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General

Target: d74029dd8757698561295c4c3c3f1318_JaffaCakes118.exe
Size: 24KB
MD5: d74029dd8757698561295c4c3c3f1318
SHA1: 683172b2cc1a4728cc5e563f514d522b94cc4fcb
SHA256: 2794ad4803afafc6eb7ef4d6a5eb79bc991de79d096fb6042a505eb69807defc
SHA512: 160de2b838cf9c740b715063c96786b6c2933bce8601212a0edc2810b4df7f804ccb68be54dd5510757732cc9d319f5e5cb6033b62760ddcebc4d43bdb69dd65
SSDEEP: 384:E3eVES+/xwGkRKJilM61qmTTMVF9/q5t0:bGS+ZfbJiO8qYoAC
Malware Config
Signatures

- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Start GeekBuddy = "C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\spoolsv.exe"
  Process: d74029dd8757698561295c4c3c3f1318_JaffaCakes118.exe
  The WOW6432Node path is simply the HKLM Run key as a 32-bit process sees it on 64-bit Windows (registry redirection), so this is machine-wide persistence. The value name "Start GeekBuddy" and a spoolsv.exe living outside System32 are the artifacts to hunt for.
- Drops file in Program Files directory (1 IoC)
  File created: C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033\spoolsv.exe
  Process: d74029dd8757698561295c4c3c3f1318_JaffaCakes118.exe
- Enumerates processes with tasklist (1 TTP, 1 IoC)
  PID 3728: tasklist.exe
- Gathers network information (2 TTPs, 2 IoCs)
  Uses command-line utilities to view the network configuration.
  PID 636: NETSTAT.EXE
  PID 3400: ipconfig.exe
- Runs net.exe
  net start (lists running services; the work is done by net1.exe, PID 4000, see the process tree).
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token SeDebugPrivilege: PID 3728, tasklist.exe
  Token SeDebugPrivilege: PID 636, NETSTAT.EXE
  Both utilities enable SeDebugPrivilege on their own when run by an administrator; the signal here is the parent that launched them, not the privilege itself.
- Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 1440: d74029dd8757698561295c4c3c3f1318_JaffaCakes118.exe (recorded twice)
- Suspicious use of WriteProcessMemory (21 IoCs)
  Source PID -> target PID, source process, target procid. Each edge was recorded three times (7 edges x 3 = 21 IoCs).
  1440 -> 3172, d74029dd8757698561295c4c3c3f1318_JaffaCakes118.exe, 85
  3172 -> 1280, cmd.exe, 87
  3172 -> 3400, cmd.exe, 88
  3172 -> 3728, cmd.exe, 89
  3172 -> 2168, cmd.exe, 92
  2168 -> 4000, net.exe, 94
  3172 -> 636, cmd.exe, 95
Processes

Every child below is spawned from one cmd.exe one-liner, and every child's output is appended to the same file, c:\windows\temp\flash.log: OS version (ver), environment variables (set), network configuration (ipconfig /all), process list (tasklist), running services (net start) and open connections (netstat -an). This is a host-recon dump by a first-stage loader.

C:\Users\Admin\AppData\Local\Temp\d74029dd8757698561295c4c3c3f1318_JaffaCakes118.exe (PID 1440)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d74029dd8757698561295c4c3c3f1318_JaffaCakes118.exe"
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (PID 3172)
    Command line: cmd /c ver >c:\windows\temp\flash.log & cmd /c set >>c:\windows\temp\flash.log & ipconfig /all >>c:\windows\temp\flash.log & tasklist >>c:\windows\temp\flash.log & net start>>c:\windows\temp\flash.log & netstat -an >>c:\windows\temp\flash.log
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 1280)
      Command line: cmd /c set

    C:\Windows\SysWOW64\ipconfig.exe (PID 3400)
      Command line: ipconfig /all
      - Gathers network information

    C:\Windows\SysWOW64\tasklist.exe (PID 3728)
      Command line: tasklist
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\net.exe (PID 2168)
      Command line: net start
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\net1.exe (PID 4000)
        Command line: C:\Windows\system32\net1 start

    C:\Windows\SysWOW64\NETSTAT.EXE (PID 636)
      Command line: netstat -an
      - Gathers network information
      - Suspicious use of AdjustPrivilegeToken
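The two behaviours this report records, a cmd.exe chain that funnels several recon utilities into one log file and a Run key whose value borrows a system-binary name (spoolsv.exe) from a non-system directory, are what a detection engineer would turn into rules. The Python below is an added example and is not part of the Triage report or of the sample: it runs three such checks over constructed Sysmon-style events (process creation and registry value set) modelled on this report's process tree and signatures. The Event field names, the RECON_TOOLS and MASQUERADE_NAMES lists and the min_tools threshold are assumptions chosen for the example.

```python
"""Detection checks modelled on this report. Added example, not part of the
Triage report; events are constructed Sysmon-style records and the field
names and tool/name lists are assumptions for the example."""
import re
from dataclasses import dataclass

# Recon utilities the report shows chained through cmd.exe, plus a few common ones (assumed list).
RECON_TOOLS = {"ver", "set", "ipconfig", "tasklist", "net", "netstat", "whoami", "systeminfo", "arp"}
# System-binary names malware borrows; genuine copies live under the system directories.
MASQUERADE_NAMES = {"spoolsv.exe", "svchost.exe", "lsass.exe", "csrss.exe", "services.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)  # native or WOW6432Node
REDIRECT_RE = re.compile(r">>?\s*([^\s&|]+)")

@dataclass
class Event:
    kind: str          # "process" (Sysmon EID 1) or "registry" (Sysmon EID 13)
    image: str = ""    # process image, or the process writing the registry value
    cmdline: str = ""
    target: str = ""   # registry value path
    details: str = ""  # registry value data

def _tool(token: str) -> str:
    """Image path or first command token -> bare tool name (C:\\...\\cmd.exe -> cmd)."""
    name = token.strip('"').rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name

def recon_tools_in(cmdline: str) -> list[str]:
    """Recon utilities in a cmd.exe one-liner, in execution order."""
    tools = []
    for seg in re.split(r"\s*&&?\s*", cmdline):
        seg = re.sub(r'^("[^"]+"|\S+)\s+/c\s+', "", seg.strip(), flags=re.I)  # unwrap nested "cmd /c"
        if seg:
            tool = _tool(re.split(r"[\s>]", seg, maxsplit=1)[0])
            if tool in RECON_TOOLS:
                tools.append(tool)
    return tools

def redirect_targets(cmdline: str) -> set[str]:
    """Distinct files written by > or >> redirections."""
    return {t.lower() for t in REDIRECT_RE.findall(cmdline)}

def is_recon_dump(ev: Event, min_tools: int = 3) -> bool:
    """cmd.exe chaining several recon tools with all output funnelled into one file."""
    if ev.kind != "process" or _tool(ev.image) != "cmd":
        return False
    return len(set(recon_tools_in(ev.cmdline))) >= min_tools and len(redirect_targets(ev.cmdline)) == 1

def _exe_from_value(data: str) -> str:
    """Executable path from Run-key data, whether quoted or followed by arguments."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)(\s|$)", data, re.I)
    return m.group(1) if m else data

def is_masquerading_path(path: str) -> bool:
    """A protected system-binary name that is not under a system directory."""
    p = path.lower()
    return p.rsplit("\\", 1)[-1] in MASQUERADE_NAMES and not p.startswith(SYSTEM_DIRS)

def is_suspicious_run_key(ev: Event) -> bool:
    return (ev.kind == "registry" and bool(RUN_KEY_RE.search(ev.target))
            and is_masquerading_path(_exe_from_value(ev.details)))

def is_masquerading_process(ev: Event) -> bool:
    return ev.kind == "process" and is_masquerading_path(ev.image)

def triage(events: list[Event]) -> list[tuple[str, str]]:
    """Run every check and return (rule, evidence) pairs."""
    hits = []
    for ev in events:
        if is_recon_dump(ev):
            hits.append(("recon_dump", ev.cmdline))
        if is_suspicious_run_key(ev):
            hits.append(("run_key_masquerade", ev.details))
        if is_masquerading_process(ev):
            hits.append(("masquerading_process", ev.image))
    return hits

# Constructed events: the first two mirror this report, the rest are benign noise.
SAMPLE_EVENTS = [
    Event("process", image=r"C:\Windows\SysWOW64\cmd.exe",
          cmdline=r"cmd /c ver >c:\windows\temp\flash.log & cmd /c set >>c:\windows\temp\flash.log & "
                  r"ipconfig /all >>c:\windows\temp\flash.log & tasklist >>c:\windows\temp\flash.log & "
                  r"net start>>c:\windows\temp\flash.log & netstat -an >>c:\windows\temp\flash.log"),
    Event("registry", image=r"C:\Users\Admin\AppData\Local\Temp\d74029dd8757698561295c4c3c3f1318_JaffaCakes118.exe",
          target=r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Start GeekBuddy",
          details=r"C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033\spoolsv.exe"),
    Event("process", image=r"C:\Windows\System32\spoolsv.exe", cmdline=r"C:\Windows\System32\spoolsv.exe"),
    Event("process", image=r"C:\Windows\System32\cmd.exe", cmdline="cmd /c ipconfig /all > out.txt"),
    Event("registry", image=r"C:\Windows\explorer.exe",
          target=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
          details=r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]

if __name__ == "__main__":
    for rule, evidence in triage(SAMPLE_EVENTS):
        print(f"{rule}: {evidence}")
```

The recon rule deliberately keys on behaviour (several recon tools in one chain, all redirected into a single sink) rather than on the literal c:\windows\temp\flash.log path, which an attacker changes for free; the single administrator running "ipconfig /all > out.txt" in the constructed noise does not trip it. The Run-key rule matches both the native key and its WOW6432Node redirection, because the path recorded in this report is what any 32-bit dropper produces on 64-bit Windows. The third check is there for the follow-on event this report does not show: the dropped spoolsv.exe executing from Program Files after the next logon.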
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 14KB
MD5: be785916172f37a10e6ddb86df9dbbfd
SHA1: 9c9c7b9cf7fa30f7bccf2f26d6caf5b69df5c2a4
SHA256: 2dc55ce1229be0ba52d5eb374e52785736a11e14cc31488d9fc833d857bbe99d
SHA512: 3268b3c4bb0de8c53bb3236bafc5c22fabb580d7918704ace42cf35af123d4eb55f5da05864d80b09e7f67c9301df817f62e5c42e3d2c13a8d540baaaa57dfe9