Analysis
max time kernel: 150s
max time network: 129s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/04/2024, 10:43
Static task: static1
Behavioral task: behavioral1
  Sample: e7478542dd8cf781c8d3670d2fe9018d_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: e7478542dd8cf781c8d3670d2fe9018d_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: e7478542dd8cf781c8d3670d2fe9018d_JaffaCakes118.exe
Size: 28KB
MD5: e7478542dd8cf781c8d3670d2fe9018d
SHA1: 9fdd9950e455b76ba8ccbe88d84456a82beeea74
SHA256: bbbd59eb3d9b037b08de4dc5443161edb56c68a5ad6440271c9a2602a65fda19
SHA512: fd0c56ba3765afcae18e61ee55c6cd33f3771d835c2fd7f3709b0fa38bbf1e610e8ee48cb0db34b08bb4edb73a98db3a0e5b3e2aec979c6ec63dcc7cf4fca427
SSDEEP: 384:NI6VddPhzsPZiXEcykSdPIhNeAIERfkblKfD30Sqai:xF6gEcqwjtIERfkBKrjB
Malware Config
Signatures
UAC bypass
  description: Set value (int)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
  process: reg.exe

Drops file in Drivers directory (1 IoCs)
  description: File opened for modification
  ioc: C:\Windows\system32\drivers\etc\hosts
  process: e7478542dd8cf781c8d3670d2fe9018d_JaffaCakes118.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PCMonitor = "C:\\Windows\\csrrs.exe"
  process: reg.exe

Drops file in Windows directory (2 IoCs)
  description: File created
  ioc: C:\Windows\csrrs.exe
  process: e7478542dd8cf781c8d3670d2fe9018d_JaffaCakes118.exe

  description: File opened for modification
  ioc: C:\Windows\csrrs.exe
  process: e7478542dd8cf781c8d3670d2fe9018d_JaffaCakes118.exe

Modifies registry key (1 TTPs, 1 IoCs)
  pid: 2024
  process: reg.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid: 4488
  process: e7478542dd8cf781c8d3670d2fe9018d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | process | procid_target
  PID 4488 wrote to memory of 2448 | 4488 | e7478542dd8cf781c8d3670d2fe9018d_JaffaCakes118.exe | 98
  PID 4488 wrote to memory of 2448 | 4488 | e7478542dd8cf781c8d3670d2fe9018d_JaffaCakes118.exe | 98
  PID 4488 wrote to memory of 2448 | 4488 | e7478542dd8cf781c8d3670d2fe9018d_JaffaCakes118.exe | 98
  PID 4488 wrote to memory of 1088 | 4488 | e7478542dd8cf781c8d3670d2fe9018d_JaffaCakes118.exe | 99
  PID 4488 wrote to memory of 1088 | 4488 | e7478542dd8cf781c8d3670d2fe9018d_JaffaCakes118.exe | 99
  PID 4488 wrote to memory of 1088 | 4488 | e7478542dd8cf781c8d3670d2fe9018d_JaffaCakes118.exe | 99
  PID 1088 wrote to memory of 2024 | 1088 | cmd.exe | 102
  PID 1088 wrote to memory of 2024 | 1088 | cmd.exe | 102
  PID 1088 wrote to memory of 2024 | 1088 | cmd.exe | 102
  PID 2448 wrote to memory of 1540 | 2448 | cmd.exe | 103
  PID 2448 wrote to memory of 1540 | 2448 | cmd.exe | 103
  PID 2448 wrote to memory of 1540 | 2448 | cmd.exe | 103
Processes
C:\Users\Admin\AppData\Local\Temp\e7478542dd8cf781c8d3670d2fe9018d_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\e7478542dd8cf781c8d3670d2fe9018d_JaffaCakes118.exe"
  PID: 4488
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (child of PID 4488)
    command line: cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v PCMonitor /t REG_SZ /d C:\Windows\csrrs.exe /f
    PID: 2448
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\reg.exe (child of PID 2448)
      command line: reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v PCMonitor /t REG_SZ /d C:\Windows\csrrs.exe /f
      PID: 1540
      - Adds Run key to start application

  C:\Windows\SysWOW64\cmd.exe (child of PID 4488)
    command line: cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    PID: 1088
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\reg.exe (child of PID 1088)
      command line: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      PID: 2024
      - UAC bypass
      - Modifies registry key
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Downloads
Filesize: 2B
MD5: 81051bcc2cf1bedf378224b0a93e2877
SHA1: ba8ab5a0280b953aa97435ff8946cbcbb2755a27
SHA256: 7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6
SHA512: 1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

Filesize: 28KB
MD5: e7478542dd8cf781c8d3670d2fe9018d
SHA1: 9fdd9950e455b76ba8ccbe88d84456a82beeea74
SHA256: bbbd59eb3d9b037b08de4dc5443161edb56c68a5ad6440271c9a2602a65fda19
SHA512: fd0c56ba3765afcae18e61ee55c6cd33f3771d835c2fd7f3709b0fa38bbf1e610e8ee48cb0db34b08bb4edb73a98db3a0e5b3e2aec979c6ec63dcc7cf4fca427