Analysis
max time kernel: 135s
max time network: 125s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/05/2024, 10:16
Tasks
Static task: static1
Behavioral task: behavioral1
  Sample: 1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
  Resource: win10v2004-20240419-en
General
Target: 1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
Size: 11.0MB
MD5: 1245085f62bf86866aabda07b1571e66
SHA1: fd38a9466f2bccfd4dd4f369f8193dad7e98600a
SHA256: d7520ea2598f8f4c8e00c07b649c195aa811d47a471c47a971c692988180e892
SHA512: 5a3aa6bbac27f596f58fee6f218f418bcb57f660721553199381d79b4fc863fab49a71a5ae3ec39264ed83f86bccda7bc1a41d7d61a52c547428ff2cb12d38d1
SSDEEP: 196608:f9Grhc9G2hohbUyJanVj9taZeUFtpW6u7HSbZqktxr0zQc2wxUiBebgOvjl:FGrhyG2hohQyJiXtattpW6ubSbYkt5OE
Malware Config
Signatures
Loads dropped DLL (5 IoCs)
pid   Process
4548  MsiExec.exe
4548  MsiExec.exe
4548  MsiExec.exe
4548  MsiExec.exe
4548  MsiExec.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc     Process
File opened (read-only)  \??\T:  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
File opened (read-only)  \??\I:  msiexec.exe
File opened (read-only)  \??\N:  msiexec.exe
File opened (read-only)  \??\B:  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
File opened (read-only)  \??\M:  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
File opened (read-only)  \??\O:  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
File opened (read-only)  \??\W:  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
File opened (read-only)  \??\X:  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
File opened (read-only)  \??\Z:  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
File opened (read-only)  \??\B:  msiexec.exe
File opened (read-only)  \??\G:  msiexec.exe
File opened (read-only)  \??\A:  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
File opened (read-only)  \??\E:  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
File opened (read-only)  \??\K:  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
File opened (read-only)  \??\L:  msiexec.exe
File opened (read-only)  \??\R:  msiexec.exe
File opened (read-only)  \??\U:  msiexec.exe
File opened (read-only)  \??\J:  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
File opened (read-only)  \??\R:  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
File opened (read-only)  \??\W:  msiexec.exe
File opened (read-only)  \??\Y:  msiexec.exe
File opened (read-only)  \??\S:  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
File opened (read-only)  \??\V:  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
File opened (read-only)  \??\P:  msiexec.exe
File opened (read-only)  \??\M:  msiexec.exe
File opened (read-only)  \??\S:  msiexec.exe
File opened (read-only)  \??\X:  msiexec.exe
File opened (read-only)  \??\G:  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
File opened (read-only)  \??\P:  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
File opened (read-only)  \??\H:  msiexec.exe
File opened (read-only)  \??\J:  msiexec.exe
File opened (read-only)  \??\K:  msiexec.exe
File opened (read-only)  \??\T:  msiexec.exe
File opened (read-only)  \??\U:  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
File opened (read-only)  \??\Y:  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
File opened (read-only)  \??\E:  msiexec.exe
File opened (read-only)  \??\Q:  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
File opened (read-only)  \??\A:  msiexec.exe
File opened (read-only)  \??\O:  msiexec.exe
File opened (read-only)  \??\H:  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
File opened (read-only)  \??\L:  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
File opened (read-only)  \??\N:  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
File opened (read-only)  \??\Z:  msiexec.exe
File opened (read-only)  \??\I:  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
File opened (read-only)  \??\Q:  msiexec.exe
File opened (read-only)  \??\V:  msiexec.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (64 IoCs)
description                            pid   Process
Token: SeSecurityPrivilege             1704  msiexec.exe
Token: SeCreateTokenPrivilege          3636  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
Token: SeAssignPrimaryTokenPrivilege   3636  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
Token: SeLockMemoryPrivilege           3636  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege        3636  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
Token: SeMachineAccountPrivilege       3636  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
Token: SeTcbPrivilege                  3636  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
Token: SeSecurityPrivilege             3636  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege        3636  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
Token: SeLoadDriverPrivilege           3636  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
Token: SeSystemProfilePrivilege        3636  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
Token: SeSystemtimePrivilege           3636  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege    3636  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege      3636  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege       3636  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
Token: SeCreatePermanentPrivilege      3636  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
Token: SeBackupPrivilege               3636  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
Token: SeRestorePrivilege              3636  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
Token: SeShutdownPrivilege             3636  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
Token: SeDebugPrivilege                3636  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
Token: SeAuditPrivilege                3636  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege    3636  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege         3636  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege       3636  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
Token: SeUndockPrivilege               3636  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
Token: SeSyncAgentPrivilege            3636  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
Token: SeEnableDelegationPrivilege     3636  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
Token: SeManageVolumePrivilege         3636  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
Token: SeImpersonatePrivilege          3636  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege         3636  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
Token: SeCreateTokenPrivilege          3636  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
Token: SeAssignPrimaryTokenPrivilege   3636  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
Token: SeLockMemoryPrivilege           3636  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege        3636  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
Token: SeMachineAccountPrivilege       3636  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
Token: SeTcbPrivilege                  3636  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
Token: SeSecurityPrivilege             3636  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege        3636  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
Token: SeLoadDriverPrivilege           3636  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
Token: SeSystemProfilePrivilege        3636  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
Token: SeSystemtimePrivilege           3636  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege    3636  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege      3636  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege       3636  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
Token: SeCreatePermanentPrivilege      3636  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
Token: SeBackupPrivilege               3636  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
Token: SeRestorePrivilege              3636  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
Token: SeShutdownPrivilege             3636  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
Token: SeDebugPrivilege                3636  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
Token: SeAuditPrivilege                3636  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege    3636  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege         3636  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege       3636  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
Token: SeUndockPrivilege               3636  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
Token: SeSyncAgentPrivilege            3636  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
Token: SeEnableDelegationPrivilege     3636  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
Token: SeManageVolumePrivilege         3636  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
Token: SeImpersonatePrivilege          3636  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege         3636  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
Token: SeCreateTokenPrivilege          3636  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
Token: SeAssignPrimaryTokenPrivilege   3636  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
Token: SeLockMemoryPrivilege           3636  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege        3636  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
Token: SeMachineAccountPrivilege       3636  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
Suspicious use of FindShellTrayWindow (1 IoC)
pid   Process
3636  1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description                         pid   Process      procid_target
PID 1704 wrote to memory of 4548    1704  msiexec.exe  89
PID 1704 wrote to memory of 4548    1704  msiexec.exe  89
PID 1704 wrote to memory of 4548    1704  msiexec.exe  89
Processes
C:\Users\Admin\AppData\Local\Temp\1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1245085f62bf86866aabda07b1571e66_JaffaCakes118.exe"
  PID: 3636
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 1704
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\syswow64\MsiExec.exe (child process)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 1E4E82664528912868B4D718B6A59F0E C
    PID: 4548
    - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 886KB
MD5: 16833d30bb20361ee3a177e99ee63e88
SHA1: 420142ca317d757f8eb2e5cf09e57544d31474f6
SHA256: 18ec1de7a8191de24151d6517def4a45817e339b1cf485065abc0303073f00ba
SHA512: 753f08053f3c379c656ef0019ca5943d376b38e54c1ec5c24373ae7af6d677dc9a405e3b54ed14f656b2afc4a1ed48dd9a6dadea6f321f5c092ae3326bb74579

Filesize: 14KB
MD5: 3f4243fd51a3d9dbaf81f4fc712a67ea
SHA1: f0e86f29b54379810b40b61829fc20e674913eee
SHA256: c60da07a8edc7d37234b1a7e6af21d88ef5302bdf8c33bd45cff6b15b0599ff5
SHA512: 2984e977fedaead6b164bfd77affa4607be22fa585dd1f8534d7f2548edc7efb0906cb40280b7f22f9a1688c2ed88c71c3a216b25c532589e330cb8cf5ee9222

Filesize: 91KB
MD5: e82cfcfc5b1e271bb0ea368ee0697cc7
SHA1: d8904f05ae4447b6bbb23466d73186abc5ff4db0
SHA256: adee901de613487edd9c80d199340875bd1faed7b999eee452e6b136865bca28
SHA512: 964738a62a85ef52e8cd16c54bfe85a8e24f614c26d4809ddc153276b2012de475e3011c98f59f5dd37e60f0f9e9da4c8b1df5c2c34224a9dc1bf714febd040c

Filesize: 297KB
MD5: 510f289eef8c9f856466e58796553029
SHA1: a1a7a7b96fa2b087b2e2152bffd0a84557b807e1
SHA256: cf8d8ad4abe18a60292083867749793ea40d274664abd49d3acf2ba9a305e7a0
SHA512: e66292583d165e68bb02a6fca55041d1079a5b18805ac357d749f4cc6f9a9cd2456866366b3d2dd297695db858c572789e6a73654d73a73caae047efc4b4fcf6