Analysis (this view is the behavioral2 run on Windows 10 2004 x64; the signatures below reference behavioral2)
Max time kernel: 151s
Max time network: 151s
Platform: windows10-2004_x64
Resource: win10v2004-20240226-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 19/04/2024, 07:01
Static task: static1
Behavioral task: behavioral1
  Sample: f9c314deffc6ad255a00239c8a6e2da8_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: f9c314deffc6ad255a00239c8a6e2da8_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: f9c314deffc6ad255a00239c8a6e2da8_JaffaCakes118.exe
Size: 456KB
MD5: f9c314deffc6ad255a00239c8a6e2da8
SHA1: a0165f8fe3ea96f80cb4a83d07aea75284f060e3
SHA256: 072253aa1c91cbbb84fec7939caa7e219446714a9e4a9849519a614dc4c6ba8a
SHA512: 01fac65c0f113f018c8af496feb5d965cc01cb9235c3168430c00714aa0dedd264524000085e3f861ad0a5ba7a3faf691dec45234e58a076351dbb1c618bfacd
SSDEEP: 12288:ftSj2nNYDHQBUWqCmBby7qkCPlgIzUAuk:lSEaHSIOn/IL
Malware Config
Signatures
Deletes itself (1 IoC)
  pid 932  mG01805EaKdK01805.exe
Executes dropped EXE (1 IoC)
  pid 932  mG01805EaKdK01805.exe
yara rule upx matched on memory dumps (5 IoCs; the same 0x00400000-0x004C1000 image range in both the parent and the dropped child)
  behavioral2/memory/4064-1-0x0000000000400000-0x00000000004C1000-memory.dmp
  behavioral2/memory/4064-14-0x0000000000400000-0x00000000004C1000-memory.dmp
  behavioral2/memory/932-16-0x0000000000400000-0x00000000004C1000-memory.dmp
  behavioral2/memory/932-25-0x0000000000400000-0x00000000004C1000-memory.dmp
  behavioral2/memory/932-33-0x0000000000400000-0x00000000004C1000-memory.dmp
Adds Run key to start application (2 TTPs, 1 IoC; note the value is written under RunOnce, not Run, in the logged-on user's hive)
  Set value (str) by mG01805EaKdK01805.exe:
  \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mG01805EaKdK01805 = "C:\ProgramData\mG01805EaKdK01805\mG01805EaKdK01805.exe"
Suspicious behavior: EnumeratesProcesses (64 IoCs; the report lists one entry per call)
  pid 4064  f9c314deffc6ad255a00239c8a6e2da8_JaffaCakes118.exe (repeated entries)
  pid 932   mG01805EaKdK01805.exe (repeated entries)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  pid 4064  f9c314deffc6ad255a00239c8a6e2da8_JaffaCakes118.exe
  Token: SeDebugPrivilege  pid 932   mG01805EaKdK01805.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
  pid 932  mG01805EaKdK01805.exe (2 entries)
Suspicious use of SendNotifyMessage (2 IoCs)
  pid 932  mG01805EaKdK01805.exe (2 entries)
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 932  mG01805EaKdK01805.exe (2 entries)
Suspicious use of WriteProcessMemory (3 IoCs)
  PID 4064 wrote to memory of 932  f9c314deffc6ad255a00239c8a6e2da8_JaffaCakes118.exe  procid_target: 89 (3 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\f9c314deffc6ad255a00239c8a6e2da8_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f9c314deffc6ad255a00239c8a6e2da8_JaffaCakes118.exe"
   PID: 4064
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\ProgramData\mG01805EaKdK01805\mG01805EaKdK01805.exe (child of PID 4064; the original sample's path is passed as its only argument)
      Command line: "C:\ProgramData\mG01805EaKdK01805\mG01805EaKdK01805.exe" "C:\Users\Admin\AppData\Local\Temp\f9c314deffc6ad255a00239c8a6e2da8_JaffaCakes118.exe"
      PID: 932
      - Deletes itself
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
1. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (separate tree root; no signatures attributed)
   Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4756 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
   PID: 8
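The persistence value and the dropped-file path above are the host-side artefacts worth checking. The following PowerShell is an added hunting script, not part of the tria.ge report: it walks the RunOnce key of every loaded user hive (the report's value sits under HKU\<SID>, so HKCU alone would miss other logged-on users) and hashes any C:\ProgramData\<name>\<name>.exe it finds against the SHA256s listed on this page. The hashes, paths and value name come from the report; the ProgramData pattern generalises the single path the report shows, the output columns are my own, and it assumes an elevated shell so other users' hives are readable.

```powershell
# Added example, not part of the tria.ge report. Assumes an elevated PowerShell
# session; hashes, paths and the RunOnce value name are taken from the report.
$KnownSha256 = @(
    '072253aa1c91cbbb84fec7939caa7e219446714a9e4a9849519a614dc4c6ba8a'  # submitted sample (456KB)
    'e053a2f765c960e1fb1180028eea51fae3d0aa35af1671e46de60d2627c9c804'  # 456KB file in the report's Downloads
)
$KnownValueName = 'mG01805EaKdK01805'
$ProviderProps  = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# 1. RunOnce values in every loaded user hive, flagged when the value name matches
#    the report or the command points into C:\ProgramData.
$runOnceHits = foreach ($hive in Get-ChildItem 'Registry::HKEY_USERS') {
    $key = "$($hive.PSPath)\Software\Microsoft\Windows\CurrentVersion\RunOnce"
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -in $ProviderProps) { continue }   # provider metadata, not registry values
        $isKnownName   = $p.Name -eq $KnownValueName
        $inProgramData = ([string]$p.Value) -match '(?i)^"?C:\\ProgramData\\'
        if ($isKnownName -or $inProgramData) {
            [pscustomobject]@{
                Hive      = $hive.PSChildName   # user SID
                Name      = $p.Name
                Value     = $p.Value
                KnownName = $isKnownName
            }
        }
    }
}

# 2. The dropped file follows the pattern C:\ProgramData\<name>\<name>.exe.
#    Hash every file matching that pattern and compare with the report's SHA256s.
$fileHits = Get-ChildItem -LiteralPath 'C:\ProgramData' -Directory -ErrorAction SilentlyContinue |
    ForEach-Object {
        $exe = Join-Path $_.FullName ($_.Name + '.exe')
        if (Test-Path -LiteralPath $exe -PathType Leaf) {
            $h = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash.ToLowerInvariant()
            [pscustomobject]@{
                Path      = $exe
                SHA256    = $h
                KnownHash = ($KnownSha256 -contains $h)
            }
        }
    }

'RunOnce values of interest:'
$runOnceHits | Format-Table -AutoSize
'ProgramData <name>\<name>.exe files:'
$fileHits | Format-Table -AutoSize
```

A RunOnce entry is consumed at the next logon, so an empty result on a host that has already rebooted does not clear it; the file-hash check is the more durable of the two, and a match on the 456KB download hash rather than the submitted sample's hash is the expected outcome for the dropped copy.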
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 192B
  MD5: e118fa1bdc37202853792a41129871fe
  SHA1: 18c02318547470643e2fc48dd9c2a0f888515879
  SHA256: 8d27a140e6cfb397710e8e0fd8e1ff1b9c2e6c340997d658d5cbceb88a49b492
  SHA512: c91aa56ee6ad7764991ca99d510029154ef42c78af37dc740acdeebf4e2605e1790bf95273fe38e2963d980d9c37eaf2a7e9456a31bfe1e0e5a27e92590c0d52
File 2 (same 456KB size as the submitted sample, but different hashes)
  Filesize: 456KB
  MD5: 9fff5c45ba6b11d271d56b9eb9078ad4
  SHA1: ac8fc09070b6b1b2b79afa2b47328b6a234d14c5
  SHA256: e053a2f765c960e1fb1180028eea51fae3d0aa35af1671e46de60d2627c9c804
  SHA512: c1ee7713a3b52be0cb38fc3e5126d7a6c210d8eee712a66aee57ac4b649fd6a2abd1f185e7231d2e830849a198c260775cd8e3e7b6749d3b226df467fa3cb1b6