Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16/04/2024, 10:23
Behavioral task: behavioral1
- Sample: f34a2ee3feeae70a8bd31996092c2790_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: f34a2ee3feeae70a8bd31996092c2790_JaffaCakes118.exe
- Resource: win10v2004-20240412-en
General
- Target: f34a2ee3feeae70a8bd31996092c2790_JaffaCakes118.exe
- Size: 11KB
- MD5: f34a2ee3feeae70a8bd31996092c2790
- SHA1: f58f45b57694b81b03c3316c3f6725e3793c2a1e
- SHA256: 927105ad77742082b54887f20f4ce0730054c5f04ff2b0f156c20590072f7561
- SHA512: 8d77e1bda84f10227a42dc5a6a6990515e85793027d4f609bf259ebe417bde44133dfdf3938992f2424d1074ef4fecc8626cdd23334a54a11340206c9749e0e3
- SSDEEP: 192:0lSrnIjKo0NXXnOyEd76Sh4rIaR6LND9fTYQiigew6BXF5R1ERPL5ni:0lSrnIL41EN3h4EhD97SKhJ
Malware Config
Signatures
- Modifies AppInit DLL entries (2 TTPs)
- Executes dropped EXE (1 IoCs)
  pid | Process
  2796 | kandofnk.exe
- YARA rule matches (signature title not present on the page)
  resource | yara_rule
  behavioral2/memory/4356-0-0x0000000000400000-0x000000000040F000-memory.dmp | upx
  behavioral2/files/0x0009000000023404-4.dat | upx
  behavioral2/memory/4356-6-0x0000000000400000-0x000000000040F000-memory.dmp | upx
  behavioral2/memory/2796-7-0x0000000000400000-0x000000000040F000-memory.dmp | upx
- Drops file in System32 directory (3 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\kandofnk.exe | f34a2ee3feeae70a8bd31996092c2790_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\kandofnk.exe | f34a2ee3feeae70a8bd31996092c2790_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\kandofn.dll | f34a2ee3feeae70a8bd31996092c2790_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 4356 wrote to memory of 2796 | 4356 | f34a2ee3feeae70a8bd31996092c2790_JaffaCakes118.exe | 86
  PID 4356 wrote to memory of 2796 | 4356 | f34a2ee3feeae70a8bd31996092c2790_JaffaCakes118.exe | 86
  PID 4356 wrote to memory of 2796 | 4356 | f34a2ee3feeae70a8bd31996092c2790_JaffaCakes118.exe | 86
  PID 4356 wrote to memory of 1544 | 4356 | f34a2ee3feeae70a8bd31996092c2790_JaffaCakes118.exe | 96
  PID 4356 wrote to memory of 1544 | 4356 | f34a2ee3feeae70a8bd31996092c2790_JaffaCakes118.exe | 96
  PID 4356 wrote to memory of 1544 | 4356 | f34a2ee3feeae70a8bd31996092c2790_JaffaCakes118.exe | 96
Processes
- C:\Users\Admin\AppData\Local\Temp\f34a2ee3feeae70a8bd31996092c2790_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f34a2ee3feeae70a8bd31996092c2790_JaffaCakes118.exe"
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 4356
  - C:\Windows\SysWOW64\kandofnk.exe (child of PID 4356)
    Command line: C:\Windows\system32\kandofnk.exe ˜‰
    - Executes dropped EXE
    PID: 2796
  - C:\Windows\SysWOW64\cmd.exe (child of PID 4356)
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\f34a2ee3feeae70a8bd31996092c2790_JaffaCakes118.exe.bat
    PID: 1544
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 210B
  MD5: 956addcedc7c0bed7b95e527ec362db3
  SHA1: 2f9a4e5f2f18e135343d2a17296a1ec63bf5d30e
  SHA256: 2ec1d3411c54f5f4a873366831d730571b968eca98281a9d7ed02f7893b7c4f7
  SHA512: 0217a55485bab44435bc120f6de309feb884f31031e932a48c7e9c0f6ffa2d21827a9fd48447d0d690fcf6130361978a7b7e974f7341b510a06fbfa82f258c56
- Filesize: 11KB
  MD5: f34a2ee3feeae70a8bd31996092c2790
  SHA1: f58f45b57694b81b03c3316c3f6725e3793c2a1e
  SHA256: 927105ad77742082b54887f20f4ce0730054c5f04ff2b0f156c20590072f7561
  SHA512: 8d77e1bda84f10227a42dc5a6a6990515e85793027d4f609bf259ebe417bde44133dfdf3938992f2424d1074ef4fecc8626cdd23334a54a11340206c9749e0e3