Analysis
max time kernel: 92s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/04/2024, 18:19
Static task: static1
Behavioral task: behavioral1
  Sample: e58fe6d04e8d9fce1020f532d3f0bd49_JaffaCakes118.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: e58fe6d04e8d9fce1020f532d3f0bd49_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: e58fe6d04e8d9fce1020f532d3f0bd49_JaffaCakes118.exe
Size: 237KB
MD5: e58fe6d04e8d9fce1020f532d3f0bd49
SHA1: 504dfc0032b65aaf1cd3185da709ce8c9b0daa24
SHA256: e60ee107dd301de376b081552a287deb122a6e3b504acb2d9bf925e4b1f2dcf7
SHA512: d7665bf5c8843524b11f52f365576d8c55370a144805e6da6dbb17d1074d5d31b8544833509336f9ca07272622a61ce6205b4082a12fe387723c405d267df3cb
SSDEEP: 6144:F6cPpODxCdS7eOUQ41x2IZrEurubYTvCV+CmdP8nyMI:FVcCIIZIuBTvCVaus
Malware Config
Signatures

Sets DLL path for service in the registry (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\LYTC\Parameters\ServiceDLL = "%SystemRoot%\\system32\\tccj.dll"
  Process: e58fe6d04e8d9fce1020f532d3f0bd49_JaffaCakes118.exe

Loads dropped DLL (1 IoCs)
  pid: 3764
  Process: svchost.exe

Drops file in System32 directory (2 IoCs)
  description: File created
  ioc: C:\Windows\SysWOW64\tccj.dll
  Process: e58fe6d04e8d9fce1020f532d3f0bd49_JaffaCakes118.exe

  description: File opened for modification
  ioc: C:\Windows\SysWOW64\tccj.dll
  Process: e58fe6d04e8d9fce1020f532d3f0bd49_JaffaCakes118.exe

Program crash (2 IoCs)
  pid: 2116  pid_target: 4900  Process: WerFault.exe  procid_target: 84
  pid: 2744  pid_target: 3764  Process: WerFault.exe  procid_target: 93

Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 4900 wrote to memory of 4056  pid: 4900  Process: e58fe6d04e8d9fce1020f532d3f0bd49_JaffaCakes118.exe  procid_target: 94
  description: PID 4900 wrote to memory of 4056  pid: 4900  Process: e58fe6d04e8d9fce1020f532d3f0bd49_JaffaCakes118.exe  procid_target: 94
  description: PID 4900 wrote to memory of 4056  pid: 4900  Process: e58fe6d04e8d9fce1020f532d3f0bd49_JaffaCakes118.exe  procid_target: 94
Processes

e58fe6d04e8d9fce1020f532d3f0bd49_JaffaCakes118.exe (PID 4900)
  Path: C:\Users\Admin\AppData\Local\Temp\e58fe6d04e8d9fce1020f532d3f0bd49_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e58fe6d04e8d9fce1020f532d3f0bd49_JaffaCakes118.exe"
  - Sets DLL path for service in the registry
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

  WerFault.exe (PID 2116), child of 4900
    Path: C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 432
    - Program crash

  cmd.exe (PID 4056), child of 4900
    Path: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c DelMe.bat

WerFault.exe (PID 388)
  Path: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4900 -ip 4900

svchost.exe (PID 712)
  Path: C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k krnlsrvc

svchost.exe (PID 3764)
  Path: C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k krnlsrvc
  - Loads dropped DLL

  WerFault.exe (PID 2744), child of 3764
    Path: C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 672
    - Program crash

WerFault.exe (PID 2416)
  Path: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3764 -ip 3764
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 212B
MD5: 316eb5dd14b7214f9bfae9604d554ae8
SHA1: ae4bdaf209f7e4c4ff8204940803bebb0fb621ad
SHA256: 2082536f6dbb095d76e39546d52d24ea0a4cd1eedec24c071fe537db793e9f80
SHA512: 3ea38b9f9e803348c82c933e1a734f7e3bbb2ab132065032e86d5ce524d65b519642595b94567b7223cc87aa0547594bf1a28eade1e96e7887ec01c675c5c0d6

Filesize: 29KB
MD5: 7aec29935cd17c94ddec5daf65850a4a
SHA1: 199716bed3b3685eed134836364b143af53afe97
SHA256: ba8c0e103051dd5dfa6f7ff6fdfae80d28a390d8008c177fd96f5ad6d6a30843
SHA512: ad5f24bdd5f779a4a3aff9229509eb3f6f405e367d1e1d6012377dec2d2cfd1e279b38a8d39a3ff5d09b3898197eaf257bae5ae1647af7f3ffba3c6f0529c95b