Analysis
- max time kernel: 151s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/05/2024, 05:10
- Static task: static1
- Behavioral task: behavioral1
- Sample: 1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe
- Resource: win7-20240221-en
General
- Target: 1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe
- Size: 534KB
- MD5: 1aeafb4aeda2e03af35db00806c4a752
- SHA1: dd0a5862ffbccc7949e8fd6407ef4ee717ba4aac
- SHA256: cc29af4836750180f2e29745658cf1fd45302c2dc48c952cf38835370932a6f8
- SHA512: a797b0514d2325f4641d1aca542b2fa6d92f1ef71882f549ba0cc33c48ebc392d72787b4cf63a336c4a4220a47d06b2fe260f157b3d2f4346c7c54472f0edcb9
- SSDEEP: 6144:ZbuodmSEjapEQaFd8M6rjiiiJUWWAxlp4HqUhiNAyV31RFp07k0rqQ8:MAHlaF6j2iiJUWfl27iKQRFp4kV
Malware Config
Signatures

Executes dropped EXE (1 IoC)

| pid | Process |
| --- | --- |
| 1900 | svhost.exe |

Drops desktop.ini file(s) (2 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| File created | C:\Windows\assembly\Desktop.ini | 1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe |
| File opened for modification | C:\Windows\assembly\Desktop.ini | 1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe |

Suspicious use of SetThreadContext (1 IoC)

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 1800 set thread context of 1900 | 1800 | 1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe | 97 |

Drops file in Windows directory (3 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| File opened for modification | C:\Windows\assembly\Desktop.ini | 1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe |
| File opened for modification | C:\Windows\assembly | 1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe |
| File created | C:\Windows\assembly\Desktop.ini | 1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe |

Enumerates physical storage devices (1 TTP)

Attempts to interact with connected storage/optical drive(s).

Delays execution with timeout.exe (1 IoC)

| pid | Process |
| --- | --- |
| 4964 | timeout.exe |

NTFS ADS (1 IoC)

| description | ioc | Process |
| --- | --- | --- |
| File created | C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier | cmd.exe |

Suspicious behavior: EnumeratesProcesses (5 IoCs)

| pid | Process |
| --- | --- |
| 1800 | 1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe |
| 1800 | 1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe |
| 1800 | 1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe |
| 1800 | 1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe |
| 1800 | 1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe |

Suspicious behavior: GetForegroundWindowSpam (1 IoC)

| pid | Process |
| --- | --- |
| 1900 | svhost.exe |

Suspicious use of AdjustPrivilegeToken (4 IoCs)

| description | pid | Process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 1800 | 1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe |
| Token: SeDebugPrivilege | 1900 | svhost.exe |
| Token: 33 | 1900 | svhost.exe |
| Token: SeIncBasePriorityPrivilege | 1900 | svhost.exe |

Suspicious use of SetWindowsHookEx (1 IoC)

| pid | Process |
| --- | --- |
| 1900 | svhost.exe |

Suspicious use of WriteProcessMemory (20 IoCs)

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 1800 wrote to memory of 4348 | 1800 | 1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe | 90 |
| PID 1800 wrote to memory of 4348 | 1800 | 1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe | 90 |
| PID 1800 wrote to memory of 4348 | 1800 | 1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe | 90 |
| PID 4348 wrote to memory of 4896 | 4348 | cmd.exe | 94 |
| PID 4348 wrote to memory of 4896 | 4348 | cmd.exe | 94 |
| PID 4348 wrote to memory of 4896 | 4348 | cmd.exe | 94 |
| PID 1800 wrote to memory of 1900 | 1800 | 1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe | 97 |
| PID 1800 wrote to memory of 1900 | 1800 | 1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe | 97 |
| PID 1800 wrote to memory of 1900 | 1800 | 1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe | 97 |
| PID 1800 wrote to memory of 1900 | 1800 | 1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe | 97 |
| PID 1800 wrote to memory of 1900 | 1800 | 1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe | 97 |
| PID 1800 wrote to memory of 1900 | 1800 | 1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe | 97 |
| PID 1800 wrote to memory of 1900 | 1800 | 1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe | 97 |
| PID 1800 wrote to memory of 1900 | 1800 | 1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe | 97 |
| PID 1800 wrote to memory of 3972 | 1800 | 1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe | 98 |
| PID 1800 wrote to memory of 3972 | 1800 | 1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe | 98 |
| PID 1800 wrote to memory of 3972 | 1800 | 1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe | 98 |
| PID 3972 wrote to memory of 4964 | 3972 | cmd.exe | 100 |
| PID 3972 wrote to memory of 4964 | 3972 | cmd.exe | 100 |
| PID 3972 wrote to memory of 4964 | 3972 | cmd.exe | 100 |
Processes

- C:\Users\Admin\AppData\Local\Temp\1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe (PID 1800)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1aeafb4aeda2e03af35db00806c4a752_JaffaCakes118.exe"
  Signatures:
  - Drops desktop.ini file(s)
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 4348)
    Command line: "cmd.exe"
    Signatures:
    - NTFS ADS
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe (PID 4896)
      Command line: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
  - C:\Users\Admin\AppData\Local\Temp\svhost.exe (PID 1900)
    Command line: "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
    Signatures:
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\cmd.exe (PID 3972)
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.bat
    Signatures:
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe (PID 4964)
      Command line: timeout /t 300
      Signatures:
      - Delays execution with timeout.exe
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1796)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4072 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
- C:\Windows\system32\wbem\WmiApSrv.exe (PID 3260)
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 534KB
  MD5: 1aeafb4aeda2e03af35db00806c4a752
  SHA1: dd0a5862ffbccc7949e8fd6407ef4ee717ba4aac
  SHA256: cc29af4836750180f2e29745658cf1fd45302c2dc48c952cf38835370932a6f8
  SHA512: a797b0514d2325f4641d1aca542b2fa6d92f1ef71882f549ba0cc33c48ebc392d72787b4cf63a336c4a4220a47d06b2fe260f157b3d2f4346c7c54472f0edcb9
- Filesize: 204B
  MD5: bfcbf382f036462e63f307ca4ae280c7
  SHA1: ffe98d15fa5ea205220d6bc105e317253a6ea003
  SHA256: 2c3dd84c3ce3e529117e611d8caf4fc7f5a902840350f4ca524c251a2152c727
  SHA512: 1b912652cc989541b396df5fd6bf207a4cf4ed891dc6e3223b8d0497c19a2589cb644c4c96ca01d882a7643f240c566966d84e46d77e9ad33e05214f8f553d16
- Filesize: 89KB
  MD5: 84c42d0f2c1ae761bef884638bc1eacd
  SHA1: 4353881e7f4e9c7610f4e0489183b55bb58bb574
  SHA256: 331487446653875bf1e628b797a5283e40056654f7ff328eafbe39b0304480d3
  SHA512: 43c307a38faa3a4b311597034cf75035a4434a1024d2a54e867e6a94b53b677898d71a858438d119000e872a7a6e92c5b31d277a8c207a94375ed4fd3c7beb87