Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/05/2024, 12:06
Static task: static1
Behavioral task: behavioral1
Sample: 20833d55ee686ee4b5e3dca815a71cfe_JaffaCakes118.exe
Resource: win7-20240220-en
General
Target: 20833d55ee686ee4b5e3dca815a71cfe_JaffaCakes118.exe
Size: 485KB
MD5: 20833d55ee686ee4b5e3dca815a71cfe
SHA1: 9c44d4c2094dbe462a32d83e784ba30ed3526ee5
SHA256: 8e8941c4436c0c4666d8eb89429be7421341f051e1b07a73379c0505a9feeafe
SHA512: 2fcd668074474808b7130c34d888bd92be688794c4bb05b58ebad19565b7377ce69ad4ab729303401621718c9e4e3c44f17684d48a91a39684b4b9c0d948c7ef
SSDEEP: 12288:ITpppppppp/ppppppppppppppppppppppppppppppppppppppppcbW26hcshXq9R:IyWFhz1q9NQ89qGEoE8yG
Malware Config
Signatures

Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TAQOna.url (process: 20833d55ee686ee4b5e3dca815a71cfe_JaffaCakes118.exe)

Drops desktop.ini file(s) (2 IoCs)
  File created: C:\Windows\assembly\Desktop.ini (process: RegAsm.exe)
  File opened for modification: C:\Windows\assembly\Desktop.ini (process: RegAsm.exe)

Suspicious use of SetThreadContext (1 IoC)
  PID 4472 set thread context of 2940 (pid: 4472, process: 20833d55ee686ee4b5e3dca815a71cfe_JaffaCakes118.exe, procid_target: 89)

Drops file in Windows directory (3 IoCs)
  File opened for modification: C:\Windows\assembly (process: RegAsm.exe)
  File created: C:\Windows\assembly\Desktop.ini (process: RegAsm.exe)
  File opened for modification: C:\Windows\assembly\Desktop.ini (process: RegAsm.exe)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid: 4472, process: 20833d55ee686ee4b5e3dca815a71cfe_JaffaCakes118.exe
  pid: 4472, process: 20833d55ee686ee4b5e3dca815a71cfe_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid: 2940, process: RegAsm.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeDebugPrivilege (pid: 4472, process: 20833d55ee686ee4b5e3dca815a71cfe_JaffaCakes118.exe)
  Token: SeDebugPrivilege (pid: 2940, process: RegAsm.exe)
  Token: 33 (pid: 2940, process: RegAsm.exe)
  Token: SeIncBasePriorityPrivilege (pid: 2940, process: RegAsm.exe)

Suspicious use of SetWindowsHookEx (1 IoC)
  pid: 2940, process: RegAsm.exe

Suspicious use of WriteProcessMemory (14 IoCs)
  PID 4472 wrote to memory of 4568 (pid: 4472, process: 20833d55ee686ee4b5e3dca815a71cfe_JaffaCakes118.exe, procid_target: 85)
  PID 4472 wrote to memory of 4568 (pid: 4472, process: 20833d55ee686ee4b5e3dca815a71cfe_JaffaCakes118.exe, procid_target: 85)
  PID 4472 wrote to memory of 4568 (pid: 4472, process: 20833d55ee686ee4b5e3dca815a71cfe_JaffaCakes118.exe, procid_target: 85)
  PID 4568 wrote to memory of 2352 (pid: 4568, process: csc.exe, procid_target: 87)
  PID 4568 wrote to memory of 2352 (pid: 4568, process: csc.exe, procid_target: 87)
  PID 4568 wrote to memory of 2352 (pid: 4568, process: csc.exe, procid_target: 87)
  PID 4472 wrote to memory of 2940 (pid: 4472, process: 20833d55ee686ee4b5e3dca815a71cfe_JaffaCakes118.exe, procid_target: 89)
  PID 4472 wrote to memory of 2940 (pid: 4472, process: 20833d55ee686ee4b5e3dca815a71cfe_JaffaCakes118.exe, procid_target: 89)
  PID 4472 wrote to memory of 2940 (pid: 4472, process: 20833d55ee686ee4b5e3dca815a71cfe_JaffaCakes118.exe, procid_target: 89)
  PID 4472 wrote to memory of 2940 (pid: 4472, process: 20833d55ee686ee4b5e3dca815a71cfe_JaffaCakes118.exe, procid_target: 89)
  PID 4472 wrote to memory of 2940 (pid: 4472, process: 20833d55ee686ee4b5e3dca815a71cfe_JaffaCakes118.exe, procid_target: 89)
  PID 4472 wrote to memory of 2940 (pid: 4472, process: 20833d55ee686ee4b5e3dca815a71cfe_JaffaCakes118.exe, procid_target: 89)
  PID 4472 wrote to memory of 2940 (pid: 4472, process: 20833d55ee686ee4b5e3dca815a71cfe_JaffaCakes118.exe, procid_target: 89)
  PID 4472 wrote to memory of 2940 (pid: 4472, process: 20833d55ee686ee4b5e3dca815a71cfe_JaffaCakes118.exe, procid_target: 89)
Processes (tree; indentation shows parent/child)

C:\Users\Admin\AppData\Local\Temp\20833d55ee686ee4b5e3dca815a71cfe_JaffaCakes118.exe (PID 4472)
  Command line: "C:\Users\Admin\AppData\Local\Temp\20833d55ee686ee4b5e3dca815a71cfe_JaffaCakes118.exe"
  Signatures: Drops startup file; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe (PID 4568)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1tobw2vm\1tobw2vm.cmdline"
    Signatures: Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (PID 2352)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3345.tmp" "c:\Users\Admin\AppData\Local\Temp\1tobw2vm\CSCB1DA8AD6CAA4C52B0D55BB7228132D3.TMP"

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (PID 2940)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    Signatures: Drops desktop.ini file(s); Drops file in Windows directory; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx

C:\Windows\system32\wbem\WmiApSrv.exe (PID 4612)
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
Downloads