Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/04/2024, 10:30
Behavioral task: behavioral1
- Sample: e254e285f1729936cf9e30e1c098271c_JaffaCakes118.exe
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: e254e285f1729936cf9e30e1c098271c_JaffaCakes118.exe
- Resource: win10v2004-20240226-en
General
- Target: e254e285f1729936cf9e30e1c098271c_JaffaCakes118.exe
- Size: 88KB
- MD5: e254e285f1729936cf9e30e1c098271c
- SHA1: 653cf3782b7b9129a98c6fbad8cf885fe0bde227
- SHA256: 79fe90ff4ac1f24d4f0305d1f31adcb2cb276d1b6a6260e547a8e7ec81c104e5
- SHA512: 1f3c5de3148a3b6b9dbc9fa49fd2591670bc08a18563c59c1cf8361eef65bd5293267d6bd58a6b1b52819f1938af52c74a103eeaa1055117729dae9ad25fcc03
- SSDEEP: 1536:scNjQlsWjcdiTuXbELbGn82i+beo/47Og:vjr5ELbGnzi+ao/Cf
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  - pid 2628, Process: CTS.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Signature matches (resource / yara_rule)
  - behavioral2/memory/724-0-0x0000000000B00000-0x0000000000B19000-memory.dmp: upx
  - behavioral2/files/0x00080000000231fa-6.dat: upx
  - behavioral2/memory/724-7-0x0000000000B00000-0x0000000000B19000-memory.dmp: upx
  - behavioral2/memory/2628-9-0x0000000000550000-0x0000000000569000-memory.dmp: upx
  - behavioral2/files/0x000600000002275d-12.dat: upx
  - behavioral2/files/0x00090000000231f7-29.dat: upx
- Adds Run key to start application (2 TTPs, 2 IoCs)
  - description: Set value (str); ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"; Process: e254e285f1729936cf9e30e1c098271c_JaffaCakes118.exe
  - description: Set value (str); ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"; Process: CTS.exe
- Drops file in Windows directory (2 IoCs)
  - description: File created; ioc: C:\Windows\CTS.exe; Process: e254e285f1729936cf9e30e1c098271c_JaffaCakes118.exe
  - description: File created; ioc: C:\Windows\CTS.exe; Process: CTS.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  - description: Token: SeDebugPrivilege; pid 724; Process: e254e285f1729936cf9e30e1c098271c_JaffaCakes118.exe
  - description: Token: SeDebugPrivilege; pid 2628; Process: CTS.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  - description: PID 724 wrote to memory of 2628; pid 724; Process: e254e285f1729936cf9e30e1c098271c_JaffaCakes118.exe; procid_target 85
  - description: PID 724 wrote to memory of 2628; pid 724; Process: e254e285f1729936cf9e30e1c098271c_JaffaCakes118.exe; procid_target 85
  - description: PID 724 wrote to memory of 2628; pid 724; Process: e254e285f1729936cf9e30e1c098271c_JaffaCakes118.exe; procid_target 85
Processes
- C:\Users\Admin\AppData\Local\Temp\e254e285f1729936cf9e30e1c098271c_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e254e285f1729936cf9e30e1c098271c_JaffaCakes118.exe"
  PID: 724
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\CTS.exe
    Command line: "C:\Windows\CTS.exe"
    PID: 2628
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 404KB
  MD5: 3dc15cafe67496a5bf7b9d1b3340b051
  SHA1: 242753618529d89037ea6bd7fbd96f6eb37b1e13
  SHA256: 69f6f44f5ff2377d2be5814c0d19e0885b051f06b24ee48c60c5534096f96926
  SHA512: 757f64b151ade44eda5a41de190707411b2109a088397a5874e8564b3eab01d9037805798e5baf3e99922d2212f9bc7302c2c5832a1a5a9cfe42dcc84e3141ba
- Filesize: 88KB
  MD5: 2fea75cc31557ee2e4f21dc654e4af18
  SHA1: be36241c2b56eaefb3b3ee45ebf2d5821038d95c
  SHA256: e08b0b8937b45ce050f78174b01d550a65701d1c94126b672b5ab0b660014094
  SHA512: 73a5cebdeba8a58949994228d08709d1277059f8ca3cc1a7b2cd6b9cb4fcaf50b240a5b7ad8c4ad33ce54ab8916c948f60aee81a4b1bd074d40e880e948d9689
- Filesize: 82KB
  MD5: 796f4df6e89c638054b20b09ba1f28e5
  SHA1: 80e5f4e74a798f180f27f9b3dccb3c7461511d7d
  SHA256: 3293c5e8c2a49b5c7e2ba41c33e49d894137e25b672f19df5100bb9042bda402
  SHA512: 687860ab619a797cf2d459b0b3324bfca2f5c2b5eb92b2114b423326e1d56e872022000b4402687382c66c3ccf7d061a7f4fd0cf9cafcd5417fb6e096d7e1887