Analysis
  max time kernel:   142s
  max time network:  115s
  platform:          windows10-2004_x64
  resource:          win10v2004-20240412-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         15/04/2024, 15:29
Static task
  static1
Behavioral task
  behavioral1
    Sample:   f162da35436879620e40d6ccad225f73_JaffaCakes118.exe
    Resource: win7-20240215-en
Behavioral task
  behavioral2
    Sample:   f162da35436879620e40d6ccad225f73_JaffaCakes118.exe
    Resource: win10v2004-20240412-en
The analysis details, signatures and process tree on this page are from behavioral2 (platform windows10-2004_x64, resource win10v2004-20240412-en); the win7 run is a separate task.
General
  Target:  f162da35436879620e40d6ccad225f73_JaffaCakes118.exe
  Size:    209KB
  MD5:     f162da35436879620e40d6ccad225f73
  SHA1:    a756403fb1c035f70a3d508a83e2dcc38be3a613
  SHA256:  eab3e220aa4c8e86d6c1eab628dca854e0fdbe953920c65a4169609a31fd5f4f
  SHA512:  996158b2540bc7f41e0bf62056ddd3ed6e9290a871ebf8c9a6249685cce847488c86f448297766ac0aaef599653b0c354524583c93d26f9fa2c80d7904a1b3e0
  SSDEEP:  6144:zldXtrMT5ndLtnDo2P28a7DFl2tQqkOC:v9wFdLtc2+84DFl2qc
Malware Config
Signatures
  Executes dropped EXE (2 IoCs)
    pid   Process
    3948  u.dll
    1556  mpress.exe
  Modifies registry class (1 IoC)
    description  ioc                                                                                    Process
    Key created  \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings   calc.exe
  Suspicious use of SetWindowsHookEx (1 IoC)
    pid   Process
    1276  OpenWith.exe
  Suspicious use of WriteProcessMemory (12 IoCs)
    description                        pid   Process                                               procid_target
    PID 116 wrote to memory of 1504    116   f162da35436879620e40d6ccad225f73_JaffaCakes118.exe    85
    PID 116 wrote to memory of 1504    116   f162da35436879620e40d6ccad225f73_JaffaCakes118.exe    85
    PID 116 wrote to memory of 1504    116   f162da35436879620e40d6ccad225f73_JaffaCakes118.exe    85
    PID 1504 wrote to memory of 3948   1504  cmd.exe                                               86
    PID 1504 wrote to memory of 3948   1504  cmd.exe                                               86
    PID 1504 wrote to memory of 3948   1504  cmd.exe                                               86
    PID 3948 wrote to memory of 1556   3948  u.dll                                                 88
    PID 3948 wrote to memory of 1556   3948  u.dll                                                 88
    PID 3948 wrote to memory of 1556   3948  u.dll                                                 88
    PID 1504 wrote to memory of 5052   1504  cmd.exe                                               90
    PID 1504 wrote to memory of 5052   1504  cmd.exe                                               90
    PID 1504 wrote to memory of 5052   1504  cmd.exe                                               90
Processes
  [1] C:\Users\Admin\AppData\Local\Temp\f162da35436879620e40d6ccad225f73_JaffaCakes118.exe   PID 116
      cmdline: "C:\Users\Admin\AppData\Local\Temp\f162da35436879620e40d6ccad225f73_JaffaCakes118.exe"
      - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\cmd.exe   PID 1504
        cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\544A.tmp\vir.bat""
        - Suspicious use of WriteProcessMemory
      [3] C:\Users\Admin\AppData\Local\Temp\u.dll   PID 3948
          cmdline: u.dll -bat vir.bat -save f162da35436879620e40d6ccad225f73_JaffaCakes118.exe.com -include s.dll -overwrite -nodelete
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
        [4] C:\Users\Admin\AppData\Local\Temp\54F6.tmp\mpress.exe   PID 1556
            cmdline: "C:\Users\Admin\AppData\Local\Temp\54F6.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe54F7.tmp"
            - Executes dropped EXE
      [3] C:\Windows\SysWOW64\calc.exe   PID 5052
          cmdline: CALC.EXE
          - Modifies registry class
  [1] C:\Windows\system32\OpenWith.exe   PID 1276
      cmdline: C:\Windows\system32\OpenWith.exe -Embedding
      - Suspicious use of SetWindowsHookEx

Bracketed numbers give the depth in the tree. The image paths under SysWOW64 show that the sample and everything it spawns are 32-bit: the system32 path in cmd.exe's command line is resolved through WOW64 file-system redirection. Note that u.dll carries a .dll extension but is executed as a process with its own command line, i.e. it is a PE executable with a misleading extension, and that mpress.exe (the MPRESS executable packer) is dropped into a .tmp directory and run against another dropped file.
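The process tree above is the most useful detection material in this report: a binary in %TEMP% spawns cmd.exe on a .bat file in a four-hex-digit .tmp directory, which runs a PE named u.dll, which in turn runs a dropped mpress.exe. The following is an added example, not part of the tria.ge report: it rebuilds the parent/child tree from the report's own PIDs (transcribed from the Processes section and the WriteProcessMemory rows) and applies a few heuristics written for this chain. The rule names, the packer list and the .tmp-directory regex are assumptions chosen for illustration.

```python
"""Rebuild a sandbox process tree and flag the dropper pattern in this report.

Added example; PROCESSES is transcribed from the tria.ge page above. Parent
PIDs come from the "PID x wrote to memory of y" signature rows. Rule names,
PACKER_NAMES and the .tmp-directory pattern are assumptions for illustration.
"""

import ntpath
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# (pid, parent pid, image path, command line) as shown in the report.
PROCESSES = [
    (116, None, r"C:\Users\Admin\AppData\Local\Temp\f162da35436879620e40d6ccad225f73_JaffaCakes118.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\f162da35436879620e40d6ccad225f73_JaffaCakes118.exe"'),
    (1504, 116, r"C:\Windows\SysWOW64\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\544A.tmp\vir.bat""'),
    (3948, 1504, r"C:\Users\Admin\AppData\Local\Temp\u.dll",
     r"u.dll -bat vir.bat -save f162da35436879620e40d6ccad225f73_JaffaCakes118.exe.com -include s.dll -overwrite -nodelete"),
    (1556, 3948, r"C:\Users\Admin\AppData\Local\Temp\54F6.tmp\mpress.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\54F6.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe54F7.tmp"'),
    (5052, 1504, r"C:\Windows\SysWOW64\calc.exe", "CALC.EXE"),
    (1276, None, r"C:\Windows\system32\OpenWith.exe", r"C:\Windows\system32\OpenWith.exe -Embedding"),
]

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Assumption: sandbox-style scratch dirs such as \544A.tmp\ (four hex digits + .tmp).
TMP_DIR_RE = re.compile(r"\\[0-9A-F]{4}\.tmp\\", re.IGNORECASE)
# Assumption: packer executables worth flagging when they appear in a user-writable dir.
PACKER_NAMES = {"mpress.exe", "upx.exe"}


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str
    children: List["Proc"] = field(default_factory=list)

    @property
    def name(self) -> str:
        return ntpath.basename(self.image).lower()


def build_tree(records) -> Dict[int, Proc]:
    """Index processes by PID and link each one to its parent."""
    procs = {pid: Proc(pid, ppid, img, cmd) for pid, ppid, img, cmd in records}
    for p in procs.values():
        if p.ppid in procs:
            procs[p.ppid].children.append(p)
    return procs


def ancestry(procs: Dict[int, Proc], pid: int) -> List[str]:
    """Image basenames from the root of the chain down to `pid`."""
    chain, p = [], procs.get(pid)
    while p is not None:
        chain.append(p.name)
        p = procs.get(p.ppid) if p.ppid is not None else None
    return list(reversed(chain))


def flag(procs: Dict[int, Proc]) -> List[Tuple[int, str]]:
    """Apply the heuristics; returns (pid, rule) pairs sorted for stable comparison."""
    findings = []
    for p in procs.values():
        in_temp = bool(TEMP_RE.search(p.image))
        parent = procs.get(p.ppid) if p.ppid is not None else None
        # A process whose image lives in %TEMP% but is not named *.exe (u.dll here).
        if in_temp and not p.name.endswith(".exe"):
            findings.append((p.pid, "pe-with-non-exe-extension-run-from-temp"))
        # cmd.exe running a batch file out of a scratch .tmp directory (vir.bat here).
        if p.name == "cmd.exe" and TMP_DIR_RE.search(p.cmdline) and ".bat" in p.cmdline.lower():
            findings.append((p.pid, "batch-run-from-tmp-dir"))
        # A known packer dropped and executed from %TEMP% (mpress.exe here).
        if p.name in PACKER_NAMES and in_temp:
            findings.append((p.pid, "packer-dropped-to-temp"))
        # cmd.exe whose parent is itself an executable in %TEMP% (the sample here).
        if p.name == "cmd.exe" and parent is not None and TEMP_RE.search(parent.image):
            findings.append((p.pid, "temp-executable-spawned-cmd"))
    return sorted(findings)


if __name__ == "__main__":
    tree = build_tree(PROCESSES)
    print(" -> ".join(ancestry(tree, 1556)))
    for pid, rule in flag(tree):
        print(f"PID {pid}: {rule}")
```

The same heuristics apply unchanged to EDR process-creation telemetry once the records are mapped to (pid, ppid, image, command line); the report's WriteProcessMemory rows are used here only as the source of the parent/child relationships.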
Network
MITRE ATT&CK Matrix
Downloads
  -
    Filesize: 2KB
    MD5:      8538b78c03e73420e61fc787c11eedc5
    SHA1:     8cce66220d7c1ba66fea7e73307a7809a469d61f
    SHA256:   337d6bc7a370da08d188a40d95d1053c3db5a135424a0fe21414aff7adba6355
    SHA512:   d7de5421e3bfe9ac47bab8817904199236843076b4502c74b960116d4c09b0d2a2a8b903a7f39b4742f75b814fee2600e08ee8979a9198a0c73b24b1ebd6d6df
  -
    Filesize: 100KB
    MD5:      e42b81b9636152c78ba480c1c47d3c7f
    SHA1:     66a2fca3925428ee91ad9df5b76b90b34d28e0f8
    SHA256:   7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2
    SHA512:   4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e
  -
    Filesize: 41KB
    MD5:      2962dfcac22070e3da981e1115397938
    SHA1:     09a2ddd77cc9265c1c9a3a0b3797ea5007e3bd28
    SHA256:   d47a5a1f144a7b1a0267ec604f18238419a29402b4ef51f1b2165f346ef88951
    SHA512:   8efe28ee9ba694a2cc010bb61736de3f7bc190c3656f814a700e9992391a174982fa21f16d24ce1c36876e095f1a76569183cee52048ae22102cac621beb422a
  -
    Filesize: 24KB
    MD5:      b799e4b3cff5cefeb8355cff4153f617
    SHA1:     cf39041f0b03033f148329b62c2f593ffb3ce8cc
    SHA256:   e6f5642d95d82404f0c87ce3b455c662ad247d533cc01b0f454d194b244207c4
    SHA512:   62e28c9cf91fd311d2dee021062a92eacf482455842a6f835afedfb368d84de089569ae032a37c85c05c4cc20d1e1aeeda2cda6e673fa42e00b80b19974b9f63
  -
    Filesize: 700KB
    MD5:      03e84bf7ea2eba6e881e868ceefe2526
    SHA1:     09019ed20cf16847a264f5d1840ee0802f1778a6
    SHA256:   8b16836b18106d0e8fdbb4b26beefee04479fe219a59cc2a186b68db91fcd832
    SHA512:   32a47a7b4725f2d71573ad855b0a3bc99b3fa86d70f7b1b60456361bbcd03d37ea58f2b7092c0b6993e156db4ddd66b1d544363523f580a6dd8c055697ec2026
  -
    Filesize: 2KB
    MD5:      ab9504b1525917562748b9e6b410400e
    SHA1:     ba9184d38fb1083ecdf71b06954587b88fd5fb51
    SHA256:   feee03f75de6678b47b290934c7fe8a5e32e6b0f28b706cf8bdab7c164e9c14a
    SHA512:   9de451d9b0fab08c53a33e50f09688acd380213eed4f8f0b1704cf5cec8e2deeb138666feb72e0813dd0140f4a22ed4b33e29a42b40b72a4a62ef8201b64b723