Analysis
max time kernel: 127s
max time network: 49s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/05/2024, 14:33
Static task: static1
Behavioral task: behavioral1
  Sample: 0c0bd343cfb9cc71e7dd1325e8410c53_JaffaCakes118.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 0c0bd343cfb9cc71e7dd1325e8410c53_JaffaCakes118.exe
  Resource: win10v2004-20240419-en
General
Target: 0c0bd343cfb9cc71e7dd1325e8410c53_JaffaCakes118.exe
Size: 356KB
MD5: 0c0bd343cfb9cc71e7dd1325e8410c53
SHA1: d8dc95c38d71a1b4fba163a014ad9465c0eff587
SHA256: 5878146740e08f9e44bda44e69217568214bd101c514c63e876302d31c20209a
SHA512: 4eaddf11a4904b60809ef64420cef357e1ddebe529e2ee7aeaf8d4725ce8f21645223fdd9a105dc2442aae6da2b955fdaf7b53759640e9ee8d4be5b1021f94d0
SSDEEP: 6144:BZ0FkvPi5sZ2Dzwcnj67Q6SSfxEmJCG16SSfxEmJ:4FGPi5Bz6c6lfr96lfr
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid | Process
  3096 | CCTV.exe

- Drops autorun.inf file (1 TTP, 4 IoCs)
  Malware can abuse Windows Autorun to spread further via attached volumes.
  description | ioc | Process
  File opened for modification | C:\autorun.inf | CCTV.exe
  File created | C:\autorun.inf | CCTV.exe
  File opened for modification | F:\autorun.inf | CCTV.exe
  File created | F:\autorun.inf | CCTV.exe

- Drops file in Program Files directory (64 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jjs.exe | CCTV.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstack.exe | CCTV.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\unpack200.exe | CCTV.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe | CCTV.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\outicon.exe | CCTV.exe
  File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe | CCTV.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | CCTV.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe | CCTV.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\pwahelper.exe | CCTV.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | CCTV.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | CCTV.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaw.exe | CCTV.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PDFREFLOW.EXE | CCTV.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.29\MicrosoftEdgeUpdateOnDemand.exe | CCTV.exe
  File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | CCTV.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe | CCTV.exe
  File opened for modification | C:\Program Files\dotnet\dotnet.exe | CCTV.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javap.exe | CCTV.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | CCTV.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe | CCTV.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\IEContentService.exe | CCTV.exe
  File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | CCTV.exe
  File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99140\javaw.exe | CCTV.exe
  File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe | CCTV.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javah.exe | CCTV.exe
  File opened for modification | C:\Program Files\Windows NT\Accessories\wordpad.exe | CCTV.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\VPREVIEW.EXE | CCTV.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE | CCTV.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | CCTV.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.29\MicrosoftEdgeUpdateSetup.exe | CCTV.exe
  File opened for modification | C:\Program Files (x86)\Windows Media Player\wmpconfig.exe | CCTV.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Integration\Integrator.exe | CCTV.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe | CCTV.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSQRY32.EXE | CCTV.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\OSE.EXE | CCTV.exe
  File opened for modification | C:\Program Files\Windows Media Player\wmpnscfg.exe | CCTV.exe
  File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | CCTV.exe
  File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | CCTV.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe | CCTV.exe
  File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | CCTV.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe | CCTV.exe
  File opened for modification | C:\Program Files\Windows Mail\wabmig.exe | CCTV.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | CCTV.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jconsole.exe | CCTV.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe | CCTV.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE | CCTV.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\misc.exe | CCTV.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | CCTV.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | CCTV.exe
  File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe | CCTV.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.29\MicrosoftEdgeUpdateCore.exe | CCTV.exe
  File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | CCTV.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | CCTV.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOICONS.EXE | CCTV.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\visicon.exe | CCTV.exe
  File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe | CCTV.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java.exe | CCTV.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | CCTV.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE | CCTV.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | CCTV.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdb.exe | CCTV.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe | CCTV.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedgewebview2.exe | CCTV.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstat.exe | CCTV.exe

- Drops file in Windows directory (3 IoCs)
  description | ioc | Process
  File created | C:\Windows\CCTV.exe | 0c0bd343cfb9cc71e7dd1325e8410c53_JaffaCakes118.exe
  File opened for modification | C:\Windows\CCTV.exe | 0c0bd343cfb9cc71e7dd1325e8410c53_JaffaCakes118.exe
  File opened for modification | C:\Windows\CCTV.exe | CCTV.exe

- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  4692 | 0c0bd343cfb9cc71e7dd1325e8410c53_JaffaCakes118.exe
  3096 | CCTV.exe

- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 4692 wrote to memory of 4564 | 4692 | 0c0bd343cfb9cc71e7dd1325e8410c53_JaffaCakes118.exe | 83
  PID 4692 wrote to memory of 4564 | 4692 | 0c0bd343cfb9cc71e7dd1325e8410c53_JaffaCakes118.exe | 83
  PID 4692 wrote to memory of 4564 | 4692 | 0c0bd343cfb9cc71e7dd1325e8410c53_JaffaCakes118.exe | 83
  PID 4692 wrote to memory of 3096 | 4692 | 0c0bd343cfb9cc71e7dd1325e8410c53_JaffaCakes118.exe | 85
  PID 4692 wrote to memory of 3096 | 4692 | 0c0bd343cfb9cc71e7dd1325e8410c53_JaffaCakes118.exe | 85
  PID 4692 wrote to memory of 3096 | 4692 | 0c0bd343cfb9cc71e7dd1325e8410c53_JaffaCakes118.exe | 85
Processes
- C:\Users\Admin\AppData\Local\Temp\0c0bd343cfb9cc71e7dd1325e8410c53_JaffaCakes118.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0c0bd343cfb9cc71e7dd1325e8410c53_JaffaCakes118.exe"
  PID: 4692
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\0c0bd343cfb9cc71e7dd1325e8410c53_JaffaCakes118kill.bat
    PID: 4564

  - C:\Windows\CCTV.exe (level 2)
    Command line: C:\Windows\CCTV.exe
    PID: 3096
    - Executes dropped EXE
    - Drops autorun.inf file
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 900KB
  MD5: 80b4385a190e097666c587b9332392a9
  SHA1: 4edd4e16ce3ae64396af501ce80619c557047b6a
  SHA256: 9b974e43cc297680fa78ae9eadba9014ab0f1b8a617e759a4735c9ccf2213a3f
  SHA512: 77ecc64f3e5fb1ff2c1c51e7203a7aa5996c762e5e14439a81191008fe84e78ff60180777727366c6f3cc4a85be4cc3e3cbf394e87d0b9564925e87ae9bd3cec

- Filesize: 216B
  MD5: ee6b3f4fa78ec0beec057271b2898042
  SHA1: 128a2a6a8b9da590d4d25c67488bbd412f8d8428
  SHA256: 5b1b29fb17c068e47723f4906fd2ebd43c21e6cc0edd1fd65589b7bf3c592ba8
  SHA512: ec473d6227b7ad64b3c05d05126cd29a1ac3ffe523e65a115f7953244244343da3b503c8b2820bdf6b8c0a07d4649700cf30c5089f6d7dff6cf420016f2b36da

- Filesize: 356KB
  MD5: 0c0bd343cfb9cc71e7dd1325e8410c53
  SHA1: d8dc95c38d71a1b4fba163a014ad9465c0eff587
  SHA256: 5878146740e08f9e44bda44e69217568214bd101c514c63e876302d31c20209a
  SHA512: 4eaddf11a4904b60809ef64420cef357e1ddebe529e2ee7aeaf8d4725ce8f21645223fdd9a105dc2442aae6da2b955fdaf7b53759640e9ee8d4be5b1021f94d0