Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07/04/2024, 00:04
Behavioral task: behavioral1
- Sample: e39b7454e8ad23a60bd64e79a97b6229_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: e39b7454e8ad23a60bd64e79a97b6229_JaffaCakes118.exe
- Resource: win10v2004-20240226-en
General
- Target: e39b7454e8ad23a60bd64e79a97b6229_JaffaCakes118.exe
- Size: 12KB
- MD5: e39b7454e8ad23a60bd64e79a97b6229
- SHA1: ecbfe1e129211aa5be50bb8861d0daff24e38f88
- SHA256: 74a42ffbfcfe93903cae0dc8cdf2267171b8fd2efe82d14962cb2b7586126d7e
- SHA512: f279a23ca67165af46bbb611db93150cde62e2020700367e4ac1789f3d870b9dfb176e358db95f1f4fa7e850ccc40b22ddca7df7e14aa5a0a9e4fc5629036329
- SSDEEP: 192:c8K6Y7Wk4cVC0acpVnXYHoJywJFa1qOvxWHddBXkdLSQt+lKM+:C6Y4c6UVnXYIJtUpWp0dLFt+n+
Malware Config
Signatures
- Modifies AppInit DLL entries (2 TTPs)
- Executes dropped EXE (1 IoCs)
  pid | Process
  392 | zesttnsk.exe
- resource | yara_rule
  behavioral2/memory/4864-0-0x0000000000400000-0x000000000040F000-memory.dmp | upx
  behavioral2/files/0x000e000000023131-4.dat | upx
  behavioral2/memory/4864-8-0x0000000000400000-0x000000000040F000-memory.dmp | upx
  behavioral2/memory/392-10-0x0000000000400000-0x000000000040F000-memory.dmp | upx
- Drops file in System32 directory (3 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\zesttnsk.exe | e39b7454e8ad23a60bd64e79a97b6229_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\zesttns.dll | e39b7454e8ad23a60bd64e79a97b6229_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\zesttnsk.exe | e39b7454e8ad23a60bd64e79a97b6229_JaffaCakes118.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  4864 | e39b7454e8ad23a60bd64e79a97b6229_JaffaCakes118.exe
  4864 | e39b7454e8ad23a60bd64e79a97b6229_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 4864 wrote to memory of 392 | 4864 | e39b7454e8ad23a60bd64e79a97b6229_JaffaCakes118.exe | 93
  PID 4864 wrote to memory of 392 | 4864 | e39b7454e8ad23a60bd64e79a97b6229_JaffaCakes118.exe | 93
  PID 4864 wrote to memory of 392 | 4864 | e39b7454e8ad23a60bd64e79a97b6229_JaffaCakes118.exe | 93
  PID 4864 wrote to memory of 3016 | 4864 | e39b7454e8ad23a60bd64e79a97b6229_JaffaCakes118.exe | 94
  PID 4864 wrote to memory of 3016 | 4864 | e39b7454e8ad23a60bd64e79a97b6229_JaffaCakes118.exe | 94
  PID 4864 wrote to memory of 3016 | 4864 | e39b7454e8ad23a60bd64e79a97b6229_JaffaCakes118.exe | 94
Processes
- C:\Users\Admin\AppData\Local\Temp\e39b7454e8ad23a60bd64e79a97b6229_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e39b7454e8ad23a60bd64e79a97b6229_JaffaCakes118.exe"
  PID: 4864
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\zesttnsk.exe
    Command line: C:\Windows\system32\zesttnsk.exe ˜‰
    PID: 392
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\e39b7454e8ad23a60bd64e79a97b6229_JaffaCakes118.exe.bat
    PID: 3016
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 210B
  MD5: 3ce37db588076badc1f567e5122401ef
  SHA1: b97592cad2b384ccc5d2e17b09d9e88e33e8d629
  SHA256: a62f6bc75ffd35418db1a0e68f60c4bd1fbe505b1ec322327325f6df5f4ea9aa
  SHA512: 51f5c2e000e6bf8d7248500d914dfeb921e8049b8458ae53cd003c82027776aa72cc0b3d2277bae0169687cab8b80ad3b35a9cacb0021a61043a49ac1eb26619
- Filesize: 12KB
  MD5: e39b7454e8ad23a60bd64e79a97b6229
  SHA1: ecbfe1e129211aa5be50bb8861d0daff24e38f88
  SHA256: 74a42ffbfcfe93903cae0dc8cdf2267171b8fd2efe82d14962cb2b7586126d7e
  SHA512: f279a23ca67165af46bbb611db93150cde62e2020700367e4ac1789f3d870b9dfb176e358db95f1f4fa7e850ccc40b22ddca7df7e14aa5a0a9e4fc5629036329