Analysis
Max time kernel: 145s
Max time network: 132s
Platform: windows10-2004_x64
Resource: win10v2004-20240226-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 07/04/2024, 23:21
Static task: static1
Behavioral task: behavioral1
  Sample: e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe
Size: 23KB
MD5: e6195002fecd1cd970e80ab5b2318974
SHA1: c40a15e0f8b2e521f0ae481b3339d2893970a178
SHA256: bbe0a9199a171bdb993b8882ab6625a34304a2fa8889ff37b7e6b281d699cbe5
SHA512: 445ca53a48fb6b04ca9f333a9aa9cdd311ee3e6b82a7c60ba168bd2e7525a0066a0dc04462064ebd339b6ba2db3ac3f7fde26cafe6f4484c5d4abafa412d742d
SSDEEP: 384:TtkAsyopTxyeDSsKR8wFB0M0Ro551Fa+wmG9C41fKV5uakl5kNzIyeqgbueo:aAsJRDSsKRfB0M0Ro55fomGw6fKeaWk9
Malware Config
Signatures
- Disables Task Manager via registry modification
- Modifies Windows Firewall (2 TTPs, 2 IoCs)
  PID   Process
  2136  netsh.exe
  2464  netsh.exe
- Sets service image path in registry (2 TTPs, 2 IoCs)
  Description      IoC                                                                                                                     Process
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Driver\ImagePath = "\\??\\C:\\Windows\\system32\\kernelw.sys"  e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Driver\ImagePath = "\\??\\C:\\Windows\\system32\\kernelw.sys"  kernelwind32.exe
- Executes dropped EXE (1 IoC)
  PID   Process
  5332  kernelwind32.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Description      IoC                                                                                                                                  Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Windows\\system32\\kernelwind32.exe"  e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Windows\\system32\\kernelwind32.exe"  kernelwind32.exe
- Drops file in System32 directory (7 IoCs)
  Description                   IoC                                     Process
  File opened for modification  C:\Windows\SysWOW64\dllh8jkd1q8.exe     kernelwind32.exe
  File opened for modification  C:\Windows\SysWOW64\kernelw.sys         e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe
  File created                  C:\Windows\SysWOW64\kernelwind32.exe    e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe
  File opened for modification  C:\Windows\SysWOW64\kernelwind32.exe    e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe
  File opened for modification  C:\Windows\SysWOW64\kernelw.sys         kernelwind32.exe
  File created                  C:\Windows\SysWOW64\kernelwind32.exe    kernelwind32.exe
  File created                  C:\Windows\SysWOW64\dllh8jkd1q8.exe     kernelwind32.exe
- Suspicious behavior: LoadsDriver (2 IoCs)
  PID   Process
  2844  e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe
  5332  kernelwind32.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Description                   PID   Process
  Token: SeLoadDriverPrivilege  2844  e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe
  Token: SeLoadDriverPrivilege  5332  kernelwind32.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Description                        PID   Process                                              procid_target
  PID 2844 wrote to memory of 2136   2844  e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe  86
  PID 2844 wrote to memory of 2136   2844  e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe  86
  PID 2844 wrote to memory of 2136   2844  e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe  86
  PID 2844 wrote to memory of 5332   2844  e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe  94
  PID 2844 wrote to memory of 5332   2844  e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe  94
  PID 2844 wrote to memory of 5332   2844  e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe  94
  PID 5332 wrote to memory of 2464   5332  kernelwind32.exe                                     95
  PID 5332 wrote to memory of 2464   5332  kernelwind32.exe                                     95
  PID 5332 wrote to memory of 2464   5332  kernelwind32.exe                                     95
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe"
  PID: 2844
  - Sets service image path in registry
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Depth 2: C:\Windows\SysWOW64\netsh.exe
    Command line: netsh firewall set allowedprogram 'C:\Users\Admin\AppData\Local\Temp\e6195002fecd1cd970e80ab5b2318974_JaffaCakes118.exe' enable
    PID: 2136
    - Modifies Windows Firewall
  Depth 2: C:\Windows\SysWOW64\kernelwind32.exe
    Command line: C:\Windows\system32\kernelwind32.exe
    PID: 5332
    - Sets service image path in registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Depth 3: C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall set allowedprogram 'C:\Windows\SysWOW64\kernelwind32.exe' enable
      PID: 2464
      - Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (2)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (2)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads
File 1
  Filesize: 362B
  MD5: 96dacbc0d6125a5baf02d286ea2d8277
  SHA1: 726416cce8f3b661070f9b3f30ea212e4621503e
  SHA256: 393921ae383f661a60cdb247d8600242daf919f0dfb4b1061f0ab5c7a922f443
  SHA512: 8cb5e28296ad8bcc47de26780b60fc51f81006dd04775aa0332ccecff64f7434b2ef33e17ad81ca96b16c44118bbfa19fb4325aca4eeeaa93f1d767050d2c4e3
File 2
  Filesize: 7KB
  MD5: cc43010c40ec6907f2d0526c55495c16
  SHA1: 04f9b28b79824e20c77db44189db718b683971cf
  SHA256: 3b3fd4601090089980c93ff7607e9d3e863ce51155c56e0093871493f7a0f875
  SHA512: b21ec29fc85f124a47ce46fb15f47643a4dc2ff521548746ca6a0d39030353c95b2cda4afe7372a85568ba464f162bf3c8060ec469e63f41775731994a6cb8f3
File 3
  Filesize: 23KB
  MD5: e6195002fecd1cd970e80ab5b2318974
  SHA1: c40a15e0f8b2e521f0ae481b3339d2893970a178
  SHA256: bbe0a9199a171bdb993b8882ab6625a34304a2fa8889ff37b7e6b281d699cbe5
  SHA512: 445ca53a48fb6b04ca9f333a9aa9cdd311ee3e6b82a7c60ba168bd2e7525a0066a0dc04462064ebd339b6ba2db3ac3f7fde26cafe6f4484c5d4abafa412d742d