Analysis
- max time kernel: 149s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19/04/2024, 18:35

Static task: static1

Behavioral task: behavioral1
- Sample: faeb8d4f45d421415cc765929307a38f_JaffaCakes118.exe
- Resource: win7-20240220-en

Behavioral task: behavioral2
- Sample: faeb8d4f45d421415cc765929307a38f_JaffaCakes118.exe
- Resource: win10v2004-20240412-en
General
- Target: faeb8d4f45d421415cc765929307a38f_JaffaCakes118.exe
- Size: 158KB
- MD5: faeb8d4f45d421415cc765929307a38f
- SHA1: 8481beef0a651464d70f6f85c8e3fcd21afe1e4e
- SHA256: d56d7a34bfafd4cb0ee8a63440bd77dc19a64fe9acb94f372b70d53f76327b03
- SHA512: ffa36bbbaae069ac310aa5af351a74f75aa6fbfdc9af4bd5ff957e63552f9650b4c800ef9995847fa64f83db2566512b800cdfde0a0d650e5e0ae59b27106c5a
- SSDEEP: 3072:SpJDFUXhHxJPzCmyhV5SLI4Jf9xgZlGYN594LzsHJDu:SvDFUxHjbXyhCcgFaXVLeQHJ6
Malware Config
Extracted
metasploit
encoder/fnstenv_mov
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Executes dropped EXE (10 IoCs)
  pid   Process
  4972  winds.exe
  4960  winds.exe
  456   winds.exe
  4780  winds.exe
  4396  winds.exe
  3168  winds.exe
  4460  winds.exe
  1260  winds.exe
  632   winds.exe
  4836  winds.exe
- Drops file in System32 directory (22 IoCs)
  description                   ioc                            Process
  File created                  C:\Windows\SysWOW64\winds.exe  winds.exe
  File created                  C:\Windows\SysWOW64\winds.exe  winds.exe
  File created                  C:\Windows\SysWOW64\winds.exe  winds.exe
  File opened for modification  C:\Windows\SysWOW64\winds.exe  winds.exe
  File created                  C:\Windows\SysWOW64\winds.exe  winds.exe
  File created                  C:\Windows\SysWOW64\winds.exe  winds.exe
  File created                  C:\Windows\SysWOW64\winds.exe  winds.exe
  File created                  C:\Windows\SysWOW64\winds.exe  winds.exe
  File opened for modification  C:\Windows\SysWOW64\winds.exe  winds.exe
  File opened for modification  C:\Windows\SysWOW64\winds.exe  winds.exe
  File opened for modification  C:\Windows\SysWOW64\winds.exe  winds.exe
  File opened for modification  C:\Windows\SysWOW64\winds.exe  winds.exe
  File created                  C:\Windows\SysWOW64\winds.exe  faeb8d4f45d421415cc765929307a38f_JaffaCakes118.exe
  File opened for modification  C:\Windows\SysWOW64\winds.exe  faeb8d4f45d421415cc765929307a38f_JaffaCakes118.exe
  File opened for modification  C:\Windows\SysWOW64\winds.exe  winds.exe
  File opened for modification  C:\Windows\SysWOW64\winds.exe  winds.exe
  File opened for modification  C:\Windows\SysWOW64\winds.exe  winds.exe
  File opened for modification  C:\Windows\SysWOW64\winds.exe  winds.exe
  File created                  C:\Windows\SysWOW64\winds.exe  winds.exe
  File created                  C:\Windows\SysWOW64\winds.exe  winds.exe
  File opened for modification  C:\Windows\SysWOW64\winds.exe  winds.exe
  File created                  C:\Windows\SysWOW64\winds.exe  winds.exe
- Suspicious use of WriteProcessMemory (30 IoCs)
  description                          pid   Process                                              procid_target
  PID 316 wrote to memory of 4972      316   faeb8d4f45d421415cc765929307a38f_JaffaCakes118.exe  87
  PID 316 wrote to memory of 4972      316   faeb8d4f45d421415cc765929307a38f_JaffaCakes118.exe  87
  PID 316 wrote to memory of 4972      316   faeb8d4f45d421415cc765929307a38f_JaffaCakes118.exe  87
  PID 4972 wrote to memory of 4960     4972  winds.exe                                            99
  PID 4972 wrote to memory of 4960     4972  winds.exe                                            99
  PID 4972 wrote to memory of 4960     4972  winds.exe                                            99
  PID 4960 wrote to memory of 456      4960  winds.exe                                            101
  PID 4960 wrote to memory of 456      4960  winds.exe                                            101
  PID 4960 wrote to memory of 456      4960  winds.exe                                            101
  PID 456 wrote to memory of 4780      456   winds.exe                                            104
  PID 456 wrote to memory of 4780      456   winds.exe                                            104
  PID 456 wrote to memory of 4780      456   winds.exe                                            104
  PID 4780 wrote to memory of 4396     4780  winds.exe                                            105
  PID 4780 wrote to memory of 4396     4780  winds.exe                                            105
  PID 4780 wrote to memory of 4396     4780  winds.exe                                            105
  PID 4396 wrote to memory of 3168     4396  winds.exe                                            108
  PID 4396 wrote to memory of 3168     4396  winds.exe                                            108
  PID 4396 wrote to memory of 3168     4396  winds.exe                                            108
  PID 3168 wrote to memory of 4460     3168  winds.exe                                            109
  PID 3168 wrote to memory of 4460     3168  winds.exe                                            109
  PID 3168 wrote to memory of 4460     3168  winds.exe                                            109
  PID 4460 wrote to memory of 1260     4460  winds.exe                                            110
  PID 4460 wrote to memory of 1260     4460  winds.exe                                            110
  PID 4460 wrote to memory of 1260     4460  winds.exe                                            110
  PID 1260 wrote to memory of 632      1260  winds.exe                                            113
  PID 1260 wrote to memory of 632      1260  winds.exe                                            113
  PID 1260 wrote to memory of 632      1260  winds.exe                                            113
  PID 632 wrote to memory of 4836      632   winds.exe                                            118
  PID 632 wrote to memory of 4836      632   winds.exe                                            118
  PID 632 wrote to memory of 4836      632   winds.exe                                            118
Processes
Process tree (each level is a child of the level above it):
- Level 1: C:\Users\Admin\AppData\Local\Temp\faeb8d4f45d421415cc765929307a38f_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\faeb8d4f45d421415cc765929307a38f_JaffaCakes118.exe"
  PID: 316
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- Level 2: C:\Windows\SysWOW64\winds.exe
  Command line: C:\Windows\system32\winds.exe 1032 "C:\Users\Admin\AppData\Local\Temp\faeb8d4f45d421415cc765929307a38f_JaffaCakes118.exe"
  PID: 4972
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- Level 3: C:\Windows\SysWOW64\winds.exe
  Command line: C:\Windows\system32\winds.exe 1152 "C:\Windows\SysWOW64\winds.exe"
  PID: 4960
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- Level 4: C:\Windows\SysWOW64\winds.exe
  Command line: C:\Windows\system32\winds.exe 1128 "C:\Windows\SysWOW64\winds.exe"
  PID: 456
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- Level 5: C:\Windows\SysWOW64\winds.exe
  Command line: C:\Windows\system32\winds.exe 1124 "C:\Windows\SysWOW64\winds.exe"
  PID: 4780
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- Level 6: C:\Windows\SysWOW64\winds.exe
  Command line: C:\Windows\system32\winds.exe 1136 "C:\Windows\SysWOW64\winds.exe"
  PID: 4396
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- Level 7: C:\Windows\SysWOW64\winds.exe
  Command line: C:\Windows\system32\winds.exe 1132 "C:\Windows\SysWOW64\winds.exe"
  PID: 3168
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- Level 8: C:\Windows\SysWOW64\winds.exe
  Command line: C:\Windows\system32\winds.exe 1144 "C:\Windows\SysWOW64\winds.exe"
  PID: 4460
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- Level 9: C:\Windows\SysWOW64\winds.exe
  Command line: C:\Windows\system32\winds.exe 1140 "C:\Windows\SysWOW64\winds.exe"
  PID: 1260
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- Level 10: C:\Windows\SysWOW64\winds.exe
  Command line: C:\Windows\system32\winds.exe 1148 "C:\Windows\SysWOW64\winds.exe"
  PID: 632
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- Level 11: C:\Windows\SysWOW64\winds.exe
  Command line: C:\Windows\system32\winds.exe 1164 "C:\Windows\SysWOW64\winds.exe"
  PID: 4836
  - Executes dropped EXE
  - Drops file in System32 directory
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 158KB
- MD5: faeb8d4f45d421415cc765929307a38f
- SHA1: 8481beef0a651464d70f6f85c8e3fcd21afe1e4e
- SHA256: d56d7a34bfafd4cb0ee8a63440bd77dc19a64fe9acb94f372b70d53f76327b03
- SHA512: ffa36bbbaae069ac310aa5af351a74f75aa6fbfdc9af4bd5ff957e63552f9650b4c800ef9995847fa64f83db2566512b800cdfde0a0d650e5e0ae59b27106c5a