Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
Max time kernel: 93s
Max time network: 127s
Platform: windows10-2004_x64
Resource: win10v2004-20240226-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 11/04/2024, 15:36
Static task: static1
Behavioral task: behavioral1
  Sample: edc31966423e375ccfd7c4b32b1f71fd_JaffaCakes118.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: edc31966423e375ccfd7c4b32b1f71fd_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: edc31966423e375ccfd7c4b32b1f71fd_JaffaCakes118.exe
Size: 64KB
MD5: edc31966423e375ccfd7c4b32b1f71fd
SHA1: 0bd52e03776a4358e72e37bca209f53e661387c2
SHA256: e23d884dfeee80866b21588e94225eb6fc4fdca8cd4ea4d81a87e62957efb3d6
SHA512: 4f6c7d2cd851e38cb3f86d93426712028c82af07a41613fe563dc3e026285397e433d8deab3097c966ba36f4ea140caa89d192bc7f4c2687864047d4be50729b
SSDEEP: 1536:ull7pevhx+wcMHvPT7wdLX6mJlD+ndvC5GM9vj/RS+HLLvO:ullYvhxzhD7Q3bD+dq55jpSCvm
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  PID 3676: outlook.exe
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Windows\\sys32.exe"  (process: edc31966423e375ccfd7c4b32b1f71fd_JaffaCakes118.exe)
Drops file in Windows directory (5 IoCs)
  File opened for modification: C:\Windows\sys32.exe  (process: edc31966423e375ccfd7c4b32b1f71fd_JaffaCakes118.exe)
  File opened for modification: C:\Windows\outlook.cfg  (process: outlook.exe)
  File created: C:\Windows\sys32.exe  (process: edc31966423e375ccfd7c4b32b1f71fd_JaffaCakes118.exe)
  File created: C:\Windows\outlook.exe  (process: edc31966423e375ccfd7c4b32b1f71fd_JaffaCakes118.exe)
  File opened for modification: C:\Windows\outlook.exe  (process: edc31966423e375ccfd7c4b32b1f71fd_JaffaCakes118.exe)
Program crash (1 IoC)
  PID 3540 (WerFault.exe) handled the crash of target PID 3676 (procid_target 85)
Suspicious use of WriteProcessMemory (3 IoCs)
  PID 5052 (edc31966423e375ccfd7c4b32b1f71fd_JaffaCakes118.exe) wrote to memory of PID 3676 (procid_target 85); recorded 3 times
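The Run-key value and the paths under "Drops file in Windows directory" are exact, host-checkable IoCs. The script below is an added example, not part of the tria.ge report: it parses text in the shape of `reg query <key> /s` output, flags the report's Run\System -> C:\Windows\sys32.exe entry and any target among the dropped paths, and additionally applies a heuristic that is my assumption rather than a statement of the report (an autostart executable sitting directly in C:\Windows instead of a subdirectory). The registry output embedded in the script is constructed; only its "System" line reproduces the report's IoC, and the environment-variable expansion assumes a default install location.

```python
"""Offline check for the persistence IoCs listed in this report.

Added example, not part of the tria.ge report. The Run value name, its
target, the dropped paths and the hashes are copied from the report;
the input format handling and the heuristic are assumptions.
"""
import hashlib
import re
from pathlib import PureWindowsPath

# Exact IoCs from the report's Signatures section (lower-cased for matching).
RUN_VALUE_NAME = "System"
RUN_TARGET = r"c:\windows\sys32.exe"
DROPPED_PATHS = {r"c:\windows\sys32.exe", r"c:\windows\outlook.exe", r"c:\windows\outlook.cfg"}
# SHA256 of the sample (General) and of the five files under Downloads.
SAMPLE_SHA256 = "e23d884dfeee80866b21588e94225eb6fc4fdca8cd4ea4d81a87e62957efb3d6"
KNOWN_SHA256 = {
    SAMPLE_SHA256: "sample (64KB)",
    "dced2cf0840a497659230d9158fff56435ca5e542e0877e77e578149f8d97316": "download (502B)",
    "25d501dc34493ed6dbb948558556fe49b3c157fd2c8122f434810d95ca30bbf3": "download (519B)",
    "95816d7be0f2687a078352f212fc7df0d391c10977d5d9aee87d0cce83a2d4a4": "download (835B)",
    "f0d09e4e23a442fd98e08fd135a0ee51e0484327da5c5c5bf773c9f9143fdec9": "download (1KB)",
    "96b9c4ead67d03eb2c69103a983274e013e3466e80d8f95bd7cf3aea8be05b28": "download (49KB)",
}
# Assumption: default install location when Run data uses environment variables.
ENV_VARS = {"%windir%": r"c:\windows", "%systemroot%": r"c:\windows"}
WINDOWS_DIR = PureWindowsPath(r"c:\windows")

# CONSTRUCTED `reg query ... /s` output. Only the "System" value reproduces
# the report's IoC; the other entries are invented to exercise the parser.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
    System    REG_SZ    C:\Windows\sys32.exe
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    OneDrive    REG_SZ    "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Updater    REG_SZ    "C:\Windows\update helper.exe" /silent
"""

# reg query value lines: indented name, type and data separated by runs of spaces.
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_[A-Z_]+)\s{2,}(?P<data>.*?)\s*$")


def parse_reg_query(text):
    """Yield (key, value_name, value_type, data) tuples from reg query output."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        elif key and (m := VALUE_LINE.match(line)):
            yield key, m["name"], m["type"], m["data"]


def executable_from_command(data):
    """Lower-cased executable path from a Run value's command line.
    Quoted paths are honoured; an unquoted path is cut at the first space,
    a simplification (CreateProcess also tries longer prefixes)."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        exe = data[1:end] if end > 0 else data[1:]
    else:
        exe = data.split(" ", 1)[0]
    exe = exe.lower()
    for var, value in ENV_VARS.items():
        exe = exe.replace(var, value)
    return exe


def assess(name, data):
    """Reasons a Run value is suspicious; an empty list means nothing flagged."""
    exe = executable_from_command(data)
    reasons = []
    if name.lower() == RUN_VALUE_NAME.lower() and exe == RUN_TARGET:
        reasons.append("exact IoC: Run\\System -> C:\\Windows\\sys32.exe")
    if exe in DROPPED_PATHS:
        reasons.append("target is a path the sample dropped")
    path = PureWindowsPath(exe)
    if path.parent == WINDOWS_DIR and path.suffix == ".exe":
        # Heuristic (assumption): legitimate autostarts live in subfolders,
        # not directly in the Windows directory.
        reasons.append("executable sits directly in the Windows directory")
    return reasons


def scan(text):
    """Return flagged Run entries with their reasons, in input order."""
    hits = []
    for key, name, _type, data in parse_reg_query(text):
        reasons = assess(name, data)
        if reasons:
            hits.append({"key": key, "name": name,
                         "target": executable_from_command(data), "reasons": reasons})
    return hits


def label_for(content: bytes):
    """Report label if the bytes hash to a SHA256 listed on this page, else None."""
    return KNOWN_SHA256.get(hashlib.sha256(content).hexdigest())


if __name__ == "__main__":
    for hit in scan(SAMPLE_REG_OUTPUT):
        print(f"{hit['key']}\\{hit['name']} -> {hit['target']}")
        for reason in hit["reasons"]:
            print(f"    {reason}")
```

Feed it the saved output of `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /s` (and the WOW6432Node key, where the report saw the value) from a suspect host; `label_for` lets the same script confirm a recovered file against the hashes listed in General and Downloads without needing the file name, which the report does not give for the downloads.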
Processes
C:\Users\Admin\AppData\Local\Temp\edc31966423e375ccfd7c4b32b1f71fd_JaffaCakes118.exe  (PID 5052)
  Command line: "C:\Users\Admin\AppData\Local\Temp\edc31966423e375ccfd7c4b32b1f71fd_JaffaCakes118.exe"
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  C:\Windows\outlook.exe  (PID 3676)
    Command line: C:\Windows\outlook.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    C:\Windows\SysWOW64\WerFault.exe  (PID 3540)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 24636
      - Program crash
C:\Windows\SysWOW64\WerFault.exe  (PID 1700)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3676 -ip 3676
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 502B
  MD5: 69070c9c248dab474f8ad58a9e0cfb85
  SHA1: 30b3f53ed89327478675c90157ac1dca7b1186f8
  SHA256: dced2cf0840a497659230d9158fff56435ca5e542e0877e77e578149f8d97316
  SHA512: 25742f5b6c722e297e412d756aa0a1a01037b58fd0562b4bb58f30c7bd9d101010c7329cd7fb103ba8f2643010e30c1584f693916232458a4aeb49447514c756
- Filesize: 519B
  MD5: 757c149c0d723cce371137d258976ee8
  SHA1: 931fa9763b0d846e7518a6bb80905ede12840886
  SHA256: 25d501dc34493ed6dbb948558556fe49b3c157fd2c8122f434810d95ca30bbf3
  SHA512: 07a762832df04c1ab9148b38d7ed7b4613200f1f605018b1865205f986c05ec816571665f9662f767057a1c8da095e56b21016c68b5196fe906a71e825d29139
- Filesize: 835B
  MD5: 758fc2ffad022af6b40b7b43224fdf09
  SHA1: b393c3e47c9deff120290f1c635e4ad6beed0f8d
  SHA256: 95816d7be0f2687a078352f212fc7df0d391c10977d5d9aee87d0cce83a2d4a4
  SHA512: 50f81a19b92ca1e5c89f9380ca9d1b20bc584811d1a7b00a66d4abaa21c9df0fa9799061f9a26e7b6104697b390df9ee5febe8df855f6856fe318f1180499eb2
- Filesize: 1KB
  MD5: 4799c33dc1ebae613146547cc836c503
  SHA1: 7b8d76b1f29bb04c5bf61e4b6a30581b5d513074
  SHA256: f0d09e4e23a442fd98e08fd135a0ee51e0484327da5c5c5bf773c9f9143fdec9
  SHA512: d2a47099b3048ec8adec64691ada25122af645ea3ba126c6dcd5086a3b1c988b6716c2cb4dbb37ca2aa23169972bca27f81b1c52d1252fe901dda24287516959
- Filesize: 49KB
  MD5: 0e9379e357aba95f8b9883af9b67675e
  SHA1: 280a174a414e5b8588f42b6328af2c8c8ff4394f
  SHA256: 96b9c4ead67d03eb2c69103a983274e013e3466e80d8f95bd7cf3aea8be05b28
  SHA512: 6cc383806882729cd889b025802ac0d5e1c55a74b3e7d7c98932644e8802fe52b5b14a886eff70ab7deaa70fb60bb9898e55b5cd83b5b99e2a2d107dce367784