Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
45s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
09/04/2024, 13:41
General
-
Target
ea1dab772ea67edd7a56a3e641dbfa19_JaffaCakes118.exe
-
Size
31KB
-
MD5
ea1dab772ea67edd7a56a3e641dbfa19
-
SHA1
d1ac24e8f188e11012474fcba8f1512bd7d62e7b
-
SHA256
71fb44f467aa3d6f40e2add320b39ab6d4077a693e6a79ee63584abcbf316844
-
SHA512
eadd29209cc4aeecad4f1aa935647dfab0b567d73f7ed8ae25f28a9d82507a17832d9f4cc84822304e1ec7b36775937f93c681ada11a5fa11f1a77c58004730d
-
SSDEEP
192:5+doBNQlUjGgMUhrniMRqS4t9GuIq0ZxpfFpbpc+:4dYQlviniMRqSG5qxpfnO
Score
7/10
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
-
UPX packed file 24 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 64 IoCs
-
Drops file in System32 directory 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ea1dab772ea67edd7a56a3e641dbfa19_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\ea1dab772ea67edd7a56a3e641dbfa19_JaffaCakes118.exe"1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\yhcdxnkl.exeC:\Windows\system32\yhcdxnkl.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tuwgldi.exeC:\Windows\system32\tuwgldi.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\jnqme.exeC:\Windows\system32\jnqme.exe4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\qmkus.exeC:\Windows\system32\qmkus.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ygheaut.exeC:\Windows\system32\ygheaut.exe6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\esismdh.exeC:\Windows\system32\esismdh.exe7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\blapp.exeC:\Windows\system32\blapp.exe8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\yslwpcca.exeC:\Windows\system32\yslwpcca.exe9⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ediowj.exeC:\Windows\system32\ediowj.exe10⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ypspdyh.exeC:\Windows\system32\ypspdyh.exe11⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\jxsxvk.exeC:\Windows\system32\jxsxvk.exe12⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vzigbiwy.exeC:\Windows\system32\vzigbiwy.exe13⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\kyqvllg.exeC:\Windows\system32\kyqvllg.exe14⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\botvw.exeC:\Windows\system32\botvw.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\xidcocu.exeC:\Windows\system32\xidcocu.exe16⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\egowuys.exeC:\Windows\system32\egowuys.exe17⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\nxhpsgf.exeC:\Windows\system32\nxhpsgf.exe18⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\khfzvsal.exeC:\Windows\system32\khfzvsal.exe19⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\jzect.exeC:\Windows\system32\jzect.exe20⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\dpbwztj.exeC:\Windows\system32\dpbwztj.exe21⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tvdcwh.exeC:\Windows\system32\tvdcwh.exe22⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\xjllwymu.exeC:\Windows\system32\xjllwymu.exe23⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\azobbd.exeC:\Windows\system32\azobbd.exe24⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\owntq.exeC:\Windows\system32\owntq.exe25⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\usnuh.exeC:\Windows\system32\usnuh.exe26⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\rhcxi.exeC:\Windows\system32\rhcxi.exe27⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\krykxqk.exeC:\Windows\system32\krykxqk.exe28⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\biijye.exeC:\Windows\system32\biijye.exe29⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\gmugv.exeC:\Windows\system32\gmugv.exe30⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\pjfgfhze.exeC:\Windows\system32\pjfgfhze.exe31⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\fcfwvyey.exeC:\Windows\system32\fcfwvyey.exe32⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\tamdvpv.exeC:\Windows\system32\tamdvpv.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\srvhgrql.exeC:\Windows\system32\srvhgrql.exe34⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\hskgc.exeC:\Windows\system32\hskgc.exe35⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\yycyfpfp.exeC:\Windows\system32\yycyfpfp.exe36⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\vblir.exeC:\Windows\system32\vblir.exe37⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\gkjfswqs.exeC:\Windows\system32\gkjfswqs.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\jhjcut.exeC:\Windows\system32\jhjcut.exe39⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\xaxwkgm.exeC:\Windows\system32\xaxwkgm.exe40⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\inkzbfv.exeC:\Windows\system32\inkzbfv.exe41⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\gtmbif.exeC:\Windows\system32\gtmbif.exe42⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\qdbwpg.exeC:\Windows\system32\qdbwpg.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\oxtqygwu.exeC:\Windows\system32\oxtqygwu.exe44⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\pvaimskj.exeC:\Windows\system32\pvaimskj.exe45⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\jcvgz.exeC:\Windows\system32\jcvgz.exe46⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\pkfjjns.exeC:\Windows\system32\pkfjjns.exe47⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\kyxmi.exeC:\Windows\system32\kyxmi.exe48⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\hlxdrnus.exeC:\Windows\system32\hlxdrnus.exe49⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\wywqbuol.exeC:\Windows\system32\wywqbuol.exe50⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\vfkkjflx.exeC:\Windows\system32\vfkkjflx.exe51⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\utauu.exeC:\Windows\system32\utauu.exe52⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\wyurkdi.exeC:\Windows\system32\wyurkdi.exe53⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\fvxcbo.exeC:\Windows\system32\fvxcbo.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\ydiwo.exeC:\Windows\system32\ydiwo.exe55⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\eudzrlyv.exeC:\Windows\system32\eudzrlyv.exe56⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\pppqdy.exeC:\Windows\system32\pppqdy.exe57⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\kjdfuh.exeC:\Windows\system32\kjdfuh.exe58⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\hylri.exeC:\Windows\system32\hylri.exe59⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\kbdstml.exeC:\Windows\system32\kbdstml.exe60⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\wsfyrwhf.exeC:\Windows\system32\wsfyrwhf.exe61⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\mswlwnzl.exeC:\Windows\system32\mswlwnzl.exe62⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\lbemara.exeC:\Windows\system32\lbemara.exe63⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\gcwqo.exeC:\Windows\system32\gcwqo.exe64⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\jocrkli.exeC:\Windows\system32\jocrkli.exe65⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\rswediji.exeC:\Windows\system32\rswediji.exe66⤵
-
C:\Windows\SysWOW64\awdeudx.exeC:\Windows\system32\awdeudx.exe67⤵
-
C:\Windows\SysWOW64\xbocwq.exeC:\Windows\system32\xbocwq.exe68⤵
-
C:\Windows\SysWOW64\wuuzpj.exeC:\Windows\system32\wuuzpj.exe69⤵
-
C:\Windows\SysWOW64\bahgftz.exeC:\Windows\system32\bahgftz.exe70⤵
-
C:\Windows\SysWOW64\taosxvs.exeC:\Windows\system32\taosxvs.exe71⤵
-
C:\Windows\SysWOW64\uzjgexum.exeC:\Windows\system32\uzjgexum.exe72⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\wosii.exeC:\Windows\system32\wosii.exe73⤵
-
C:\Windows\SysWOW64\hwzhsjyu.exeC:\Windows\system32\hwzhsjyu.exe74⤵
-
C:\Windows\SysWOW64\hbecg.exeC:\Windows\system32\hbecg.exe75⤵
-
C:\Windows\SysWOW64\hnwkcy.exeC:\Windows\system32\hnwkcy.exe76⤵
-
C:\Windows\SysWOW64\hrqcnrc.exeC:\Windows\system32\hrqcnrc.exe77⤵
-
C:\Windows\SysWOW64\ekmymfgk.exeC:\Windows\system32\ekmymfgk.exe78⤵
-
C:\Windows\SysWOW64\yffydng.exeC:\Windows\system32\yffydng.exe79⤵
-
C:\Windows\SysWOW64\ehyidwjd.exeC:\Windows\system32\ehyidwjd.exe80⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\owinqj.exeC:\Windows\system32\owinqj.exe81⤵
-
C:\Windows\SysWOW64\limllcd.exeC:\Windows\system32\limllcd.exe82⤵
-
C:\Windows\SysWOW64\enamk.exeC:\Windows\system32\enamk.exe83⤵
-
C:\Windows\SysWOW64\jtwlww.exeC:\Windows\system32\jtwlww.exe84⤵
-
C:\Windows\SysWOW64\frvmam.exeC:\Windows\system32\frvmam.exe85⤵
-
C:\Windows\SysWOW64\epjfale.exeC:\Windows\system32\epjfale.exe86⤵
-
C:\Windows\SysWOW64\xekqv.exeC:\Windows\system32\xekqv.exe87⤵
-
C:\Windows\SysWOW64\dwsxpd.exeC:\Windows\system32\dwsxpd.exe88⤵
-
C:\Windows\SysWOW64\mjigdqkk.exeC:\Windows\system32\mjigdqkk.exe89⤵
-
C:\Windows\SysWOW64\xpeldu.exeC:\Windows\system32\xpeldu.exe90⤵
-
C:\Windows\SysWOW64\bgeywau.exeC:\Windows\system32\bgeywau.exe91⤵
-
C:\Windows\SysWOW64\jsxdw.exeC:\Windows\system32\jsxdw.exe92⤵
-
C:\Windows\SysWOW64\flwwlu.exeC:\Windows\system32\flwwlu.exe93⤵
-
C:\Windows\SysWOW64\pxljro.exeC:\Windows\system32\pxljro.exe94⤵
-
C:\Windows\SysWOW64\qscosfsq.exeC:\Windows\system32\qscosfsq.exe95⤵
-
C:\Windows\SysWOW64\nxahxl.exeC:\Windows\system32\nxahxl.exe96⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\sdpcvdth.exeC:\Windows\system32\sdpcvdth.exe97⤵
-
C:\Windows\SysWOW64\dbfmtq.exeC:\Windows\system32\dbfmtq.exe98⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\ldrpgdb.exeC:\Windows\system32\ldrpgdb.exe99⤵
-
C:\Windows\SysWOW64\embdo.exeC:\Windows\system32\embdo.exe100⤵
-
C:\Windows\SysWOW64\ttnjmru.exeC:\Windows\system32\ttnjmru.exe101⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\vkulpfoh.exeC:\Windows\system32\vkulpfoh.exe102⤵
-
C:\Windows\SysWOW64\qdmfz.exeC:\Windows\system32\qdmfz.exe103⤵
-
C:\Windows\SysWOW64\ivksgjkb.exeC:\Windows\system32\ivksgjkb.exe104⤵
-
C:\Windows\SysWOW64\zpnag.exeC:\Windows\system32\zpnag.exe105⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\avzljf.exeC:\Windows\system32\avzljf.exe106⤵
-
C:\Windows\SysWOW64\ywlyegds.exeC:\Windows\system32\ywlyegds.exe107⤵
-
C:\Windows\SysWOW64\kdlwxxk.exeC:\Windows\system32\kdlwxxk.exe108⤵
-
C:\Windows\SysWOW64\zcxpcs.exeC:\Windows\system32\zcxpcs.exe109⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\auygeuyh.exeC:\Windows\system32\auygeuyh.exe110⤵
-
C:\Windows\SysWOW64\klryah.exeC:\Windows\system32\klryah.exe111⤵
-
C:\Windows\SysWOW64\qaqgee.exeC:\Windows\system32\qaqgee.exe112⤵
-
C:\Windows\SysWOW64\eztbskgc.exeC:\Windows\system32\eztbskgc.exe113⤵
-
C:\Windows\SysWOW64\ffqvepbv.exeC:\Windows\system32\ffqvepbv.exe114⤵
-
C:\Windows\SysWOW64\pigwvgj.exeC:\Windows\system32\pigwvgj.exe115⤵
-
C:\Windows\SysWOW64\bvlrvj.exeC:\Windows\system32\bvlrvj.exe116⤵
-
C:\Windows\SysWOW64\ttevs.exeC:\Windows\system32\ttevs.exe117⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\eholzycr.exeC:\Windows\system32\eholzycr.exe118⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\emjgiz.exeC:\Windows\system32\emjgiz.exe119⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\rpdcx.exeC:\Windows\system32\rpdcx.exe120⤵
-
C:\Windows\SysWOW64\slkjuewz.exeC:\Windows\system32\slkjuewz.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-