Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
146s -
max time network
134s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system -
submitted
02/05/2024, 08:57
Static task
static1
Behavioral task
behavioral1
Sample
0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe
Resource
win10v2004-20240419-en
General
-
Target
0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe
-
Size
1.1MB
-
MD5
0e0f26990fcd9cfca701cf0a3b5453ef
-
SHA1
03535fcd98358f9b223198665de99b0445200151
-
SHA256
47faf970d9ffbd4b00d71422c8d085031cc886cc38f954f944795919077110e8
-
SHA512
e8ed55c83645e25afcf3e918cd59224c95df3bff3d0b701f1367ceae2542c2aa1f2d3822a3945d9f06560e3c012e7beb63831c7bf74baa46e79807863d108204
-
SSDEEP
24576:xqqG0ss+JPptGgRUbUrMymVxVYRdZDoHyhVr4B2+WFw2:rG0aPpUgvrMymVxV0Z8SVSD6l
Malware Config
Signatures
-
XMRig Miner payload 3 IoCs
resource yara_rule behavioral1/memory/1684-30-0x0000000000400000-0x0000000000504000-memory.dmp xmrig behavioral1/memory/1684-28-0x0000000000400000-0x0000000000504000-memory.dmp xmrig behavioral1/memory/1684-34-0x0000000000400000-0x0000000000504000-memory.dmp xmrig -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LtHgNeMqRB.url wscript.exe -
resource yara_rule behavioral1/memory/1684-21-0x0000000000400000-0x0000000000504000-memory.dmp upx behavioral1/memory/1684-27-0x0000000000400000-0x0000000000504000-memory.dmp upx behavioral1/memory/1684-30-0x0000000000400000-0x0000000000504000-memory.dmp upx behavioral1/memory/1684-28-0x0000000000400000-0x0000000000504000-memory.dmp upx behavioral1/memory/1684-24-0x0000000000400000-0x0000000000504000-memory.dmp upx behavioral1/memory/1684-23-0x0000000000400000-0x0000000000504000-memory.dmp upx behavioral1/memory/1684-26-0x0000000000400000-0x0000000000504000-memory.dmp upx behavioral1/memory/1684-34-0x0000000000400000-0x0000000000504000-memory.dmp upx -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1268 set thread context of 1684 1268 0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe 34 -
Suspicious behavior: EnumeratesProcesses 23 IoCs
pid Process 1268 0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe 1268 0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe 1268 0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe 1268 0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe 1268 0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe 1268 0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe 1268 0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe 1268 0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe 1268 0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe 1268 0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe 1268 0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe 1268 0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe 1268 0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe 1268 0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe 1268 0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe 1268 0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe 1268 0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe 1268 0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe 1268 0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe 1268 0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe 1268 0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe 1268 0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe 1268 0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 1268 0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe Token: SeLockMemoryPrivilege 1684 notepad.exe Token: SeLockMemoryPrivilege 1684 notepad.exe -
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target PID 1268 wrote to memory of 2484 1268 0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe 31 PID 1268 wrote to memory of 2484 1268 0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe 31 PID 1268 wrote to memory of 2484 1268 0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe 31 PID 1268 wrote to memory of 2484 1268 0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe 31 PID 2484 wrote to memory of 2368 2484 cmd.exe 33 PID 2484 wrote to memory of 2368 2484 cmd.exe 33 PID 2484 wrote to memory of 2368 2484 cmd.exe 33 PID 2484 wrote to memory of 2368 2484 cmd.exe 33 PID 1268 wrote to memory of 1684 1268 0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe 34 PID 1268 wrote to memory of 1684 1268 0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe 34 PID 1268 wrote to memory of 1684 1268 0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe 34 PID 1268 wrote to memory of 1684 1268 0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe 34 PID 1268 wrote to memory of 1684 1268 0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe 34 PID 1268 wrote to memory of 1684 1268 0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe 34 PID 1268 wrote to memory of 1684 1268 0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe 34 PID 1268 wrote to memory of 1684 1268 0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe 34 PID 1268 wrote to memory of 1684 1268 0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe 34 PID 1268 wrote to memory of 1684 1268 0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe 34
Processes
-
C:\Users\Admin\AppData\Local\Temp\0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\0e0f26990fcd9cfca701cf0a3b5453ef_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1268 -
C:\Windows\SysWOW64\cmd.execmd.exe /C WScript "C:\ProgramData\ADwXcSSGvY\r.vbs"2⤵
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\SysWOW64\wscript.exeWScript "C:\ProgramData\ADwXcSSGvY\r.vbs"3⤵
- Drops startup file
PID:2368
-
-
-
C:\Windows\notepad.exe"C:\Windows\notepad.exe" -c "C:\ProgramData\ADwXcSSGvY\cfgi"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1684
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
796B
MD5c82bd86f2d2a47c38580470130d1bfb1
SHA15bb0b3ad1241e0cfe9825d4dffc8e44a3c4335f8
SHA25661c106a638366ad618d8d8766ff0d9d8632907868d6b534e35c59461330ff072
SHA512e627d0f8d4c019b16078448f9351c4cb12d32cea48182fcdff2bc4d1cf410618358c4572bbfd5f67d192fc9278ea04b2aca64e967230470052fe45c97060e905
-
Filesize
664B
MD593b9bfbc16702b4a580b1b10ade41669
SHA1c46af90cfafaa8feff2a9c1563a2da73b6f9bf96
SHA256e14122ddfd187d32e2cf73411a885bc2fae9990ed719d162b8081b92f1419d28
SHA512ee19ac86906445d342a2d0c024dee7dd8729cc1cc3d7172dbe3fd37cb70fc732d7feba639f06382a4e678a6adcea1eb18a01b3588c9823e2450791723c84752a
-
Filesize
75B
MD52b379682588c1bcb623e04d20869a310
SHA1bdab53a1491407f835c38bf817f62b43713abd37
SHA256854654abacce4466699d85a84e4998e1e984219e6ce5763596be2471186c7ef6
SHA51208f721ad3bee99d7543b1f86bc22f9b9c5e11d56f9f7ee1666e161daf109d97db02741443f324c0f5d653cbd398c032d7258981887f2f76c8e007803e3791b02