Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15/04/2024, 11:34
Static task: static1
Behavioral task: behavioral1
- Sample: f0f621acaad2f2a1c5982e4c8dd57a00_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: f0f621acaad2f2a1c5982e4c8dd57a00_JaffaCakes118.exe
- Resource: win10v2004-20240412-en
General
- Target: f0f621acaad2f2a1c5982e4c8dd57a00_JaffaCakes118.exe
- Size: 40KB
- MD5: f0f621acaad2f2a1c5982e4c8dd57a00
- SHA1: b36f1d3cdb9ed67714fda138c82f931b90f63f75
- SHA256: e54310d51c8fa33be1ff614eeea026f47d1a7f43b6fe7d35d8f7920763fae26e
- SHA512: 690a9379d160df5bd68c02430a05e0a67006fc0e0371fb37700563b6f87002a553bfc931300c7deeeb6255ddbf261547d8d19108ccbcf8eecb6a61abf6c36320
- SSDEEP: 768:aq9m/ZsybSg2ts4L3RLc/qjhsKmHbk1+qJ0UtHch:aqk/Zdic/qjh8w19JDHI
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 1312, process services.exe
  YARA rule "upx" matched on the following resources:
  behavioral2/files/0x0007000000023403-4.dat
  behavioral2/memory/1312-6-0x0000000000400000-0x0000000000408000-memory.dmp
  behavioral2/memory/1312-13-0x0000000000400000-0x0000000000408000-memory.dmp
  behavioral2/memory/1312-17-0x0000000000400000-0x0000000000408000-memory.dmp
  behavioral2/memory/1312-18-0x0000000000400000-0x0000000000408000-memory.dmp
  behavioral2/memory/1312-22-0x0000000000400000-0x0000000000408000-memory.dmp
  behavioral2/memory/1312-23-0x0000000000400000-0x0000000000408000-memory.dmp
  behavioral2/memory/1312-27-0x0000000000400000-0x0000000000408000-memory.dmp
  behavioral2/memory/1312-31-0x0000000000400000-0x0000000000408000-memory.dmp
  behavioral2/memory/1312-32-0x0000000000400000-0x0000000000408000-memory.dmp
  behavioral2/memory/1312-36-0x0000000000400000-0x0000000000408000-memory.dmp
  behavioral2/memory/1312-40-0x0000000000400000-0x0000000000408000-memory.dmp
  behavioral2/memory/1312-41-0x0000000000400000-0x0000000000408000-memory.dmp
  behavioral2/memory/1312-45-0x0000000000400000-0x0000000000408000-memory.dmp
  behavioral2/memory/1312-180-0x0000000000400000-0x0000000000408000-memory.dmp
  behavioral2/memory/1312-181-0x0000000000400000-0x0000000000408000-memory.dmp
  behavioral2/memory/1312-185-0x0000000000400000-0x0000000000408000-memory.dmp
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" (process: f0f621acaad2f2a1c5982e4c8dd57a00_JaffaCakes118.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" (process: services.exe)
- Drops file in Windows directory (3 IoCs)
  File created C:\Windows\services.exe (process: f0f621acaad2f2a1c5982e4c8dd57a00_JaffaCakes118.exe)
  File opened for modification C:\Windows\java.exe (process: f0f621acaad2f2a1c5982e4c8dd57a00_JaffaCakes118.exe)
  File created C:\Windows\java.exe (process: f0f621acaad2f2a1c5982e4c8dd57a00_JaffaCakes118.exe)
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 3052 wrote to memory of 1312 (pid 3052, process f0f621acaad2f2a1c5982e4c8dd57a00_JaffaCakes118.exe, procid_target 86)
  PID 3052 wrote to memory of 1312 (pid 3052, process f0f621acaad2f2a1c5982e4c8dd57a00_JaffaCakes118.exe, procid_target 86)
  PID 3052 wrote to memory of 1312 (pid 3052, process f0f621acaad2f2a1c5982e4c8dd57a00_JaffaCakes118.exe, procid_target 86)
Processes
- C:\Users\Admin\AppData\Local\Temp\f0f621acaad2f2a1c5982e4c8dd57a00_JaffaCakes118.exe (PID 3052)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f0f621acaad2f2a1c5982e4c8dd57a00_JaffaCakes118.exe"
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\services.exe (PID 1312)
    Command line: "C:\Windows\services.exe"
    - Executes dropped EXE
    - Adds Run key to start application
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 40KB
  MD5: d9ff415053ad1d3b7522b875e8987418
  SHA1: e2040cb0e215690b678e277f2426eb1402321df8
  SHA256: b80c743ca891ceeb66be769657383bbf2bddb19c1bc8970695ceda1e45649171
  SHA512: 374b3dddfb50a876b39985f2decfd500e2bc1752728f0bc64cf0e09f7ca96e49ffed9678cf408e8a9df6ea507a8f8cd1908da153e0c265a6ef2aa6af6c381d82
- Filesize: 40KB
  MD5: c374845d3050ae9e82bfcae30f897c7e
  SHA1: 35b50699ca4d8c059716d8eeb4a7cf07bb7ce35a
  SHA256: aac9a1a2f2a3caf29499c66390f5ec2e589b8a17df4f8e3cbcb4df094809e92d
  SHA512: 054006bed905d08f183b7543c85df0ea1cdb6b2f5c11289ebbd7437dc49efdfbe46f0111bd478b59eb0a1b723b62d32cde93842bcfa8db500faef591514a9cfa
- Filesize: 1KB
  MD5: a6cbf7721555767fdde71750ef69edad
  SHA1: dce57bfd842371b64dd3a1e1b2b0db904ba2a279
  SHA256: 2d61ba1918bc74ba3be37e803e16fdac7f78ead00f44d7b50809fd267d65a5a6
  SHA512: 100c10276d6f710fccc0732481a29ed447e44bedc8c365f60d8671e340c510f91274ae4c7860bf49e30e2918aa9d3209d184b48556d1296cba0738a3ca8a5bf2
- Filesize: 8KB
  MD5: b0fe74719b1b647e2056641931907f4a
  SHA1: e858c206d2d1542a79936cb00d85da853bfc95e2
  SHA256: bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
  SHA512: 9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2