Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 94s
- max time network: 96s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/04/2024, 00:44
Static task
- static1
Behavioral tasks
- behavioral1: sample ec55fc7a83f60c7683b70e5dbc8e2f24_JaffaCakes118.exe, resource win7-20240221-en
- behavioral2: sample ec55fc7a83f60c7683b70e5dbc8e2f24_JaffaCakes118.exe, resource win10v2004-20240226-en
The results below are from the win10v2004-20240226-en run (behavioral2), matching the platform listed under Analysis.
General
- Target: ec55fc7a83f60c7683b70e5dbc8e2f24_JaffaCakes118.exe
- Size: 373KB
- MD5: ec55fc7a83f60c7683b70e5dbc8e2f24
- SHA1: 34d729c7e89ccda6295b34291978b6cd0be091bb
- SHA256: 8d522ba79151c8f35350e80ac7c6462d3d26d88229a0cd511bb63ae26fe41973
- SHA512: bc93605e870e16cf44a9653e24fc49416615feaa689694c3cb7f7bedd36ed58b70ff7b0f75b11787f511c39c94d2e0b4e5b0bfadafb37f9fc8273166adb2e7a9
- SSDEEP: 6144:JlEG2aILgM2u+nmzK6QgSuHL5vj6pN/teIecjq1vsGX+v7MqvnTJ28THJYC:VIEGpzK6FSkFviFzq10GX+flpYC
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 5056  Ravsys.exe
- Enumerates connected drives (3 TTPs, 2 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only)  \??\E:  ec55fc7a83f60c7683b70e5dbc8e2f24_JaffaCakes118.exe
  File opened (read-only)  \??\H:  ec55fc7a83f60c7683b70e5dbc8e2f24_JaffaCakes118.exe
- Drops file in Windows directory (2 IoCs)
  File opened for modification  C:\Windows\Ravsys.exe  ec55fc7a83f60c7683b70e5dbc8e2f24_JaffaCakes118.exe
  File created                  C:\Windows\Ravsys.exe  ec55fc7a83f60c7683b70e5dbc8e2f24_JaffaCakes118.exe
- Program crash (1 IoC)
  pid 1568  WerFault.exe  pid_target 5056 (Ravsys.exe, procid_target 87)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 4400  ec55fc7a83f60c7683b70e5dbc8e2f24_JaffaCakes118.exe  (the same entry repeated 64 times)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token: SeDebugPrivilege  pid 4400  ec55fc7a83f60c7683b70e5dbc8e2f24_JaffaCakes118.exe  (the same entry repeated 64 times)
- Suspicious use of WriteProcessMemory (9 IoCs; each event is listed three times)
  PID 4400 wrote to memory of 5056  ec55fc7a83f60c7683b70e5dbc8e2f24_JaffaCakes118.exe -> Ravsys.exe (procid_target 87)
  PID 5056 wrote to memory of 2388  Ravsys.exe -> svchost.exe (procid_target 88)
  PID 4400 wrote to memory of 1504  ec55fc7a83f60c7683b70e5dbc8e2f24_JaffaCakes118.exe -> cmd.exe (procid_target 94)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\ec55fc7a83f60c7683b70e5dbc8e2f24_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\ec55fc7a83f60c7683b70e5dbc8e2f24_JaffaCakes118.exe"
  PID: 4400
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\Ravsys.exe
    command line: C:\Windows\Ravsys.exe Ravsys
    PID: 5056
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\svchost.exe
      command line: C:\Windows\system32\svchost.exe
      PID: 2388
    - [3] C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 1304
      PID: 1568
      - Program crash
  - [2] C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~SiGou.bat
    PID: 1504
- [1] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5056 -ip 5056
  PID: 2544
Notes on the tree: the sample is a 32-bit executable, so the svchost.exe and cmd.exe it spawns with system32 command lines resolve to C:\Windows\SysWOW64 through WOW64 file-system redirection. Ravsys.exe (the copy dropped into C:\Windows) starts a child svchost.exe and writes to its memory before crashing, which is why WerFault.exe is invoked twice against PID 5056.
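The signatures and process tree above describe a chain that is easy to turn into endpoint detection logic: an executable in the user's Temp folder creates a binary directly in the C:\Windows root, runs it, that binary spawns svchost.exe under a non-services.exe parent and writes to its memory, and the dropper then runs a batch file from Temp via cmd /c. The following is an added example (not Triage output and not code from the sample) that runs these checks over constructed Sysmon-style events (EventID 1 process creation, EventID 11 file creation, with Sysmon's Image/ParentImage/TargetFilename/CommandLine field names) modelled on the report's PIDs and paths. The events, the benign svchost.exe control event and the rule names are assumptions made for the example.

```python
"""Detection checks for the behaviour chain in the Triage report above.
Added example: the events below are constructed to mirror the report's
process tree; they are not sandbox output."""

import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\ec55fc7a83f60c7683b70e5dbc8e2f24_JaffaCakes118.exe"

# Constructed Sysmon-style events (EventID 1 = process create, 11 = file create).
# PIDs and paths are taken from the report; the explorer.exe parent and the
# benign services.exe -> svchost.exe pair at the end are assumed for contrast.
EVENTS = [
    {"EventID": 1, "ProcessId": 4400, "Image": SAMPLE,
     "ParentProcessId": 1000, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{SAMPLE}"'},
    {"EventID": 11, "ProcessId": 4400, "Image": SAMPLE,
     "TargetFilename": r"C:\Windows\Ravsys.exe"},
    {"EventID": 1, "ProcessId": 5056, "Image": r"C:\Windows\Ravsys.exe",
     "ParentProcessId": 4400, "ParentImage": SAMPLE,
     "CommandLine": r"C:\Windows\Ravsys.exe Ravsys"},
    {"EventID": 1, "ProcessId": 2388, "Image": r"C:\Windows\SysWOW64\svchost.exe",
     "ParentProcessId": 5056, "ParentImage": r"C:\Windows\Ravsys.exe",
     "CommandLine": r"C:\Windows\system32\svchost.exe"},
    {"EventID": 1, "ProcessId": 1568, "Image": r"C:\Windows\SysWOW64\WerFault.exe",
     "ParentProcessId": 5056, "ParentImage": r"C:\Windows\Ravsys.exe",
     "CommandLine": r"C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 1304"},
    {"EventID": 1, "ProcessId": 1504, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "ParentProcessId": 4400, "ParentImage": SAMPLE,
     "CommandLine": r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~SiGou.bat"},
    # Benign control: svchost.exe started by services.exe must not fire.
    {"EventID": 1, "ProcessId": 900, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentProcessId": 700, "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\system32\svchost.exe -k netsvcs -p"},
]

# An .exe written directly into <drive>:\Windows\ (not a subdirectory).
WINDOWS_ROOT_EXE = re.compile(r"^[A-Za-z]:\\Windows\\[^\\]+\.exe$", re.IGNORECASE)
# A path inside a user's local Temp folder.
USER_TEMP = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid, detail) tuples for every event that matches a check."""
    findings = []
    dropped = {}  # lowercase path of a created file -> PID that created it

    # Pass 1: file creations, so later process events can be correlated.
    for e in events:
        if e["EventID"] == 11:
            dropped[e["TargetFilename"].lower()] = e["ProcessId"]
            if WINDOWS_ROOT_EXE.match(e["TargetFilename"]) and USER_TEMP.search(e["Image"]):
                findings.append(("exe_dropped_in_windows_root", e["ProcessId"], e["TargetFilename"]))

    # Pass 2: process creations.
    for e in events:
        if e["EventID"] != 1:
            continue
        img, parent = basename(e["Image"]), basename(e["ParentImage"])
        cmd = e["CommandLine"]

        # svchost.exe is normally launched by services.exe (or by another svchost).
        if img == "svchost.exe" and parent not in ("services.exe", "svchost.exe"):
            findings.append(("svchost_unexpected_parent", e["ProcessId"], e["ParentImage"]))

        # A file the parent itself created is now being executed.
        if dropped.get(e["Image"].lower()) == e["ParentProcessId"]:
            findings.append(("dropped_exe_executed", e["ProcessId"], e["Image"]))

        # WerFault handling a crash of a dropped binary (the -p argument is the crashing PID).
        if img == "werfault.exe" and e["ParentImage"].lower() in dropped:
            m = re.search(r"-p\s+(\d+)", cmd)
            crashed = int(m.group(1)) if m else e["ParentProcessId"]
            findings.append(("dropped_exe_crashed", crashed, e["ParentImage"]))

        # cmd /c running a batch file from Temp, launched by a Temp-resident parent.
        if img == "cmd.exe" and "/c" in cmd.lower() and USER_TEMP.search(cmd) and USER_TEMP.search(e["ParentImage"]):
            findings.append(("cmd_runs_temp_batch", e["ProcessId"], cmd))

    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:28} pid={pid:<5} {detail}")
```

The two-pass structure matters: the "dropped, then executed" and "dropped, then crashed" checks need the file-creation events indexed before the process events are scanned, which is the same correlation a SIEM rule would express as a join on the created path and the creating PID. The control event for services.exe -> svchost.exe is there to show the parent check does not fire on the normal service host.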
Network
MITRE ATT&CK Enterprise v15
Downloads
- File 1
  Filesize: 240B
  MD5: f67ef9d82f9418b517232f08019dc9d8
  SHA1: 72de257be6195c12d66d03b7c0e6585e32ee2c26
  SHA256: c295411eae195d54f2e9cf6efbe12e6622acdc671080dcdad1f3f49c7bf4aa0f
  SHA512: ea4908c44f07ff4c88b159e12e4c6b909512d4a0d055b5d841fdcdc6224a4b214534b37c2422985007887dacc45e46b0c58c1ed43f246fa2d55b28d4b76b56e6
- File 2 (hashes identical to the submitted sample listed under General)
  Filesize: 373KB
  MD5: ec55fc7a83f60c7683b70e5dbc8e2f24
  SHA1: 34d729c7e89ccda6295b34291978b6cd0be091bb
  SHA256: 8d522ba79151c8f35350e80ac7c6462d3d26d88229a0cd511bb63ae26fe41973
  SHA512: bc93605e870e16cf44a9653e24fc49416615feaa689694c3cb7f7bedd36ed58b70ff7b0f75b11787f511c39c94d2e0b4e5b0bfadafb37f9fc8273166adb2e7a9