Analysis
- max time kernel: 151s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20/04/2024, 10:02
Static task: static1

Behavioral task: behavioral1
- Sample: fc81235e35bc93e91cd97ec890c02b74_JaffaCakes118.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: fc81235e35bc93e91cd97ec890c02b74_JaffaCakes118.exe
- Resource: win10v2004-20240226-en
General
- Target: fc81235e35bc93e91cd97ec890c02b74_JaffaCakes118.exe
- Size: 208KB
- MD5: fc81235e35bc93e91cd97ec890c02b74
- SHA1: b12a844774261070d3123de14371afe1588c74f2
- SHA256: 80e70808c8138bd4c11cb151e3ac1e35e550c545d7670206499da8e8b0f6a953
- SHA512: c3bfaae2c669143275d48d2b1d02565a6341be254e5dd5614d0882cb6084fbc6d95e3a12c46def8b00a2c3beb807b912694e96a9449d10ce92815c0d2693235e
- SSDEEP: 6144:hl4mjZF//MrI3L0SksjkIwUc7zJ66cgDKgr8wVcmzt:Zr//eMkhIwUc70mD/Bcmz
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
  pid  | Process
  2172 | u.dll
  4900 | mpress.exe

Modifies registry class (1 IoC)
  description | ioc                                                                                        | Process
  Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | calc.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid  | Process
  4920 | OpenWith.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description                      | pid  | Process                                             | procid_target
  PID 8 wrote to memory of 4152    | 8    | fc81235e35bc93e91cd97ec890c02b74_JaffaCakes118.exe | 90
  PID 8 wrote to memory of 4152    | 8    | fc81235e35bc93e91cd97ec890c02b74_JaffaCakes118.exe | 90
  PID 8 wrote to memory of 4152    | 8    | fc81235e35bc93e91cd97ec890c02b74_JaffaCakes118.exe | 90
  PID 4152 wrote to memory of 2172 | 4152 | cmd.exe                                             | 91
  PID 4152 wrote to memory of 2172 | 4152 | cmd.exe                                             | 91
  PID 4152 wrote to memory of 2172 | 4152 | cmd.exe                                             | 91
  PID 2172 wrote to memory of 4900 | 2172 | u.dll                                               | 92
  PID 2172 wrote to memory of 4900 | 2172 | u.dll                                               | 92
  PID 2172 wrote to memory of 4900 | 2172 | u.dll                                               | 92
  PID 4152 wrote to memory of 3660 | 4152 | cmd.exe                                             | 93
  PID 4152 wrote to memory of 3660 | 4152 | cmd.exe                                             | 93
  PID 4152 wrote to memory of 3660 | 4152 | cmd.exe                                             | 93
Processes
- C:\Users\Admin\AppData\Local\Temp\fc81235e35bc93e91cd97ec890c02b74_JaffaCakes118.exe (PID 8)
  Command line: "C:\Users\Admin\AppData\Local\Temp\fc81235e35bc93e91cd97ec890c02b74_JaffaCakes118.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 4152)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\105.tmp\vir.bat""
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\u.dll (PID 2172)
      Command line: u.dll -bat vir.bat -save fc81235e35bc93e91cd97ec890c02b74_JaffaCakes118.exe.com -include s.dll -overwrite -nodelete
      Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\431.tmp\mpress.exe (PID 4900)
        Command line: "C:\Users\Admin\AppData\Local\Temp\431.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe432.tmp"
        Signatures: Executes dropped EXE
    - C:\Windows\SysWOW64\calc.exe (PID 3660)
      Command line: CALC.EXE
      Signatures: Modifies registry class
- C:\Windows\system32\OpenWith.exe (PID 4920)
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  Signatures: Suspicious use of SetWindowsHookEx
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4424)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3820 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Matrix
Downloads