Analysis
- max time kernel: 141s
- max time network: 127s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16/04/2024, 19:55
Static task
- static1

Behavioral task
- behavioral1
  Sample: f436ee86c9aa9c0dda6358a6c58f390a_JaffaCakes118.exe
  Resource: win7-20240215-en

Behavioral task
- behavioral2
  Sample: f436ee86c9aa9c0dda6358a6c58f390a_JaffaCakes118.exe
  Resource: win10v2004-20240412-en
General
- Target: f436ee86c9aa9c0dda6358a6c58f390a_JaffaCakes118.exe
- Size: 408KB
- MD5: f436ee86c9aa9c0dda6358a6c58f390a
- SHA1: 85c8956ff4404c81734576673b63202dec2d1bb5
- SHA256: 4eaf2a90b0cf7e4c1df1670f3c9d25bee9f245a4e8f7fe3d02a225a4077378fd
- SHA512: 125558319620fd6d90403e50965d3c85d6f66db523e88bee6235f94147424c347d6603bceb64f961340e5dcec4bbc48b2d403aafe4487e430db8bd5a9a6fd0dd
- SSDEEP: 12288:jOxhyZqMU8BBFesAMmDQmqO+48Z8PmSy:yxU8ByAMmDPE
Malware Config
Signatures
- Drops file in System32 directory (1 IoC)
  description: File opened for modification
  ioc: C:\Windows\SysWOW64\explorer.exe
  process: attrib.exe
- Modifies registry class (2 IoCs)
  description: Key created
  ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command
  process: f436ee86c9aa9c0dda6358a6c58f390a_JaffaCakes118.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "NOTEPAD.EXE %1"
  process: f436ee86c9aa9c0dda6358a6c58f390a_JaffaCakes118.exe
- Suspicious use of FindShellTrayWindow (6 IoCs)
  pid 3260, process f436ee86c9aa9c0dda6358a6c58f390a_JaffaCakes118.exe (6 identical entries)
- Suspicious use of SendNotifyMessage (4 IoCs)
  pid 3260, process f436ee86c9aa9c0dda6358a6c58f390a_JaffaCakes118.exe (4 identical entries)
- Suspicious use of WriteProcessMemory (15 IoCs)
  PID 3260 wrote to memory of 4872; process f436ee86c9aa9c0dda6358a6c58f390a_JaffaCakes118.exe; procid_target 85 (3 identical entries)
  PID 4872 wrote to memory of 2368; process cmd.exe; procid_target 87 (3 identical entries)
  PID 4872 wrote to memory of 1156; process cmd.exe; procid_target 88 (3 identical entries)
  PID 4872 wrote to memory of 1364; process cmd.exe; procid_target 89 (3 identical entries)
  PID 4872 wrote to memory of 1424; process cmd.exe; procid_target 90 (3 identical entries)
- Views/modifies file attributes (1 TTP, 4 IoCs)
  pid 2368, process attrib.exe
  pid 1156, process attrib.exe
  pid 1364, process attrib.exe
  pid 1424, process attrib.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\f436ee86c9aa9c0dda6358a6c58f390a_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\f436ee86c9aa9c0dda6358a6c58f390a_JaffaCakes118.exe"
  PID: 3260
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c .\TALme.bat
    PID: 4872
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\attrib.exe
      command line: attrib C:\Windows\system32\client.exe -h -r -s
      PID: 2368
      - Views/modifies file attributes
    - [3] C:\Windows\SysWOW64\attrib.exe
      command line: attrib C:\Windows\system32\Explorer.exe -h -r -s
      PID: 1156
      - Drops file in System32 directory
      - Views/modifies file attributes
    - [3] C:\Windows\SysWOW64\attrib.exe
      command line: attrib C:\Windows\system32\internat.dic -h -r -s
      PID: 1364
      - Views/modifies file attributes
    - [3] C:\Windows\SysWOW64\attrib.exe
      command line: attrib C:\Windows\notepad.jmp -h -r -s
      PID: 1424
      - Views/modifies file attributes
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 363B
  MD5: ac5efe21e1b1f47f1db39aaeac450d32
  SHA1: 9c0c7baf260fa29797411762e6ffc81be0cc5909
  SHA256: 5cc75cad64ad86d63ef590b5e2d79d2c054fb42c863b7bc5e63a35986ce37894
  SHA512: 0ac9b2622c38a6e5b3e3d846442b92371b4ade85960d15c87e36f4566f589e9416327f160bda824e21f036b545902ac3bab4b824d0ff6d1601d4cf60f6660703