Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
05/05/2024, 09:18
Behavioral task
behavioral1
Sample
a13a17b39004d2d7cfddfdf593dde04d_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
a13a17b39004d2d7cfddfdf593dde04d_JaffaCakes118.exe
Resource
win10v2004-20240419-en
General
-
Target
a13a17b39004d2d7cfddfdf593dde04d_JaffaCakes118.exe
-
Size
92KB
-
MD5
a13a17b39004d2d7cfddfdf593dde04d
-
SHA1
bf09ba32f8b775fd22afc11627f3a9f8bbecf390
-
SHA256
49ca89dc49848bf43c7689672f40d232d0910961cb5dd88d2157d1639f655a21
-
SHA512
463fe3f9fae565f83bbdd12ffa5971a5b9c67dcc8fd56ad34a05b7e3612da66b6b900431492bfcf28144b6dc277f2c999fe273edadcee262d0661d05cecac098
-
SSDEEP
1536:TJbCiJVkgMaT2itTkjoRXnM48dXFajVPYxCEtkz30rtr2:9bfVk29te2jqxCEtg30Bq
Malware Config
Extracted
sakula
www.savmpet.com
Signatures
-
Sakula payload 1 IoCs
resource yara_rule behavioral1/files/0x002f000000014b63-1.dat family_sakula -
Deletes itself 1 IoCs
pid Process 2656 cmd.exe -
Executes dropped EXE 1 IoCs
pid Process 1648 AdobeUpdate.exe -
Loads dropped DLL 4 IoCs
pid Process 1996 a13a17b39004d2d7cfddfdf593dde04d_JaffaCakes118.exe 1648 AdobeUpdate.exe 1648 AdobeUpdate.exe 1648 AdobeUpdate.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\AdobeUpdate.exe" a13a17b39004d2d7cfddfdf593dde04d_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs ping.exe 1 TTPs 1 IoCs
pid Process 2584 PING.EXE -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeIncBasePriorityPrivilege 1996 a13a17b39004d2d7cfddfdf593dde04d_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 1996 wrote to memory of 1648 1996 a13a17b39004d2d7cfddfdf593dde04d_JaffaCakes118.exe 28 PID 1996 wrote to memory of 1648 1996 a13a17b39004d2d7cfddfdf593dde04d_JaffaCakes118.exe 28 PID 1996 wrote to memory of 1648 1996 a13a17b39004d2d7cfddfdf593dde04d_JaffaCakes118.exe 28 PID 1996 wrote to memory of 1648 1996 a13a17b39004d2d7cfddfdf593dde04d_JaffaCakes118.exe 28 PID 1996 wrote to memory of 1648 1996 a13a17b39004d2d7cfddfdf593dde04d_JaffaCakes118.exe 28 PID 1996 wrote to memory of 1648 1996 a13a17b39004d2d7cfddfdf593dde04d_JaffaCakes118.exe 28 PID 1996 wrote to memory of 1648 1996 a13a17b39004d2d7cfddfdf593dde04d_JaffaCakes118.exe 28 PID 1996 wrote to memory of 2656 1996 a13a17b39004d2d7cfddfdf593dde04d_JaffaCakes118.exe 30 PID 1996 wrote to memory of 2656 1996 a13a17b39004d2d7cfddfdf593dde04d_JaffaCakes118.exe 30 PID 1996 wrote to memory of 2656 1996 a13a17b39004d2d7cfddfdf593dde04d_JaffaCakes118.exe 30 PID 1996 wrote to memory of 2656 1996 a13a17b39004d2d7cfddfdf593dde04d_JaffaCakes118.exe 30 PID 2656 wrote to memory of 2584 2656 cmd.exe 32 PID 2656 wrote to memory of 2584 2656 cmd.exe 32 PID 2656 wrote to memory of 2584 2656 cmd.exe 32 PID 2656 wrote to memory of 2584 2656 cmd.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\a13a17b39004d2d7cfddfdf593dde04d_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a13a17b39004d2d7cfddfdf593dde04d_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1648
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\a13a17b39004d2d7cfddfdf593dde04d_JaffaCakes118.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:2584
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
92KB
MD58fe68e47e05790c652b71db60bc9eda3
SHA1912a927c61ec2ff33e6b941ad3724612209802c5
SHA256009feba01e631d4153c1d9bc3bde3d4ceaa1e7d9e494af86132a83c62530bae5
SHA512b72ac1f7cfc786dac2e86cb984395b4d6b73fd89f082a40dbb2324db55f91635babfd1e74e2a3cd3e5d1e159079c7ed1588cb4e88b0cd8c7ae4166437087036a