Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07/04/2024, 23:19
Behavioral task: behavioral1
- Sample: e6185d4b4ff10b58f876babe5db6bfe6_JaffaCakes118.exe
- Resource: win7-20240215-en

Behavioral task: behavioral2
- Sample: e6185d4b4ff10b58f876babe5db6bfe6_JaffaCakes118.exe
- Resource: win10v2004-20231215-en
General
- Target: e6185d4b4ff10b58f876babe5db6bfe6_JaffaCakes118.exe
- Size: 17KB
- MD5: e6185d4b4ff10b58f876babe5db6bfe6
- SHA1: ad39f69563dac75355d8cf42f733d85da7c48aee
- SHA256: e2169a586ecb0a42d5b26ed7de8e3714f64652a26c89ccb883c7128224785dab
- SHA512: b965ef57212a48c514c229c5da784bd96734d1ece121c31fd8b7365ba7eae208e6cd0b38bff9c87bdd723606949c07f4e662a8f1210231f7d923bab585c93181
- SSDEEP: 384:6ViwqetokTFm7iXy5kQxWLVwmERYEM0UFn/DXhlq:6j5Tc7i3Qx6mmERUjF/
Malware Config
Signatures
- Modifies AppInit DLL entries (2 TTPs)
- Executes dropped EXE (1 IoC)
  pid | Process
  2220 | lenyunsk.exe
- UPX-packed resource (yara_rule: upx)
  resource | yara_rule
  behavioral2/memory/1568-0-0x0000000000400000-0x0000000000410000-memory.dmp | upx
  behavioral2/files/0x00090000000231f3-4.dat | upx
  behavioral2/memory/1568-6-0x0000000000400000-0x0000000000410000-memory.dmp | upx
  behavioral2/memory/2220-7-0x0000000000400000-0x0000000000410000-memory.dmp | upx
- Drops file in System32 directory (3 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\lenyunsk.exe | e6185d4b4ff10b58f876babe5db6bfe6_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\lenyunsk.exe | e6185d4b4ff10b58f876babe5db6bfe6_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\lenyuns.dll | e6185d4b4ff10b58f876babe5db6bfe6_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 1568 wrote to memory of 2220 | 1568 | e6185d4b4ff10b58f876babe5db6bfe6_JaffaCakes118.exe | 85
  PID 1568 wrote to memory of 2220 | 1568 | e6185d4b4ff10b58f876babe5db6bfe6_JaffaCakes118.exe | 85
  PID 1568 wrote to memory of 2220 | 1568 | e6185d4b4ff10b58f876babe5db6bfe6_JaffaCakes118.exe | 85
  PID 1568 wrote to memory of 4016 | 1568 | e6185d4b4ff10b58f876babe5db6bfe6_JaffaCakes118.exe | 94
  PID 1568 wrote to memory of 4016 | 1568 | e6185d4b4ff10b58f876babe5db6bfe6_JaffaCakes118.exe | 94
  PID 1568 wrote to memory of 4016 | 1568 | e6185d4b4ff10b58f876babe5db6bfe6_JaffaCakes118.exe | 94
Processes
- C:\Users\Admin\AppData\Local\Temp\e6185d4b4ff10b58f876babe5db6bfe6_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e6185d4b4ff10b58f876babe5db6bfe6_JaffaCakes118.exe"
  PID: 1568
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\lenyunsk.exe
    Command line: C:\Windows\system32\lenyunsk.exe ˜‰
    PID: 2220
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\e6185d4b4ff10b58f876babe5db6bfe6_JaffaCakes118.exe.bat
    PID: 4016
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 210B
  MD5: 6933dc7d4e6e364ae8bc4650876f6499
  SHA1: 6e0728e32a39fdf72847536b63042a43c698c6d9
  SHA256: edf96aa2228fad182390c65d802910fd2e9c4280bc131bfe1a7865b5f65a37b0
  SHA512: 33ba49e8ca8344cc3aabfcf5613839f693ca583348c724adce030e983800f1f12d2e535733cc1839a43e08690a8dfa45f557e10b1c189ad40452c00f97a9ab77
- Filesize: 17KB
  MD5: e6185d4b4ff10b58f876babe5db6bfe6
  SHA1: ad39f69563dac75355d8cf42f733d85da7c48aee
  SHA256: e2169a586ecb0a42d5b26ed7de8e3714f64652a26c89ccb883c7128224785dab
  SHA512: b965ef57212a48c514c229c5da784bd96734d1ece121c31fd8b7365ba7eae208e6cd0b38bff9c87bdd723606949c07f4e662a8f1210231f7d923bab585c93181