Analysis
- max time kernel: 140s
- max time network: 129s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19/06/2024, 20:21
Static task: static1
Behavioral task: behavioral1
- Sample: 00516819f47c52733da5fac9c272e0bf_JaffaCakes118.exe
- Resource: win7-20240419-en
General
- Target: 00516819f47c52733da5fac9c272e0bf_JaffaCakes118.exe
- Size: 184KB
- MD5: 00516819f47c52733da5fac9c272e0bf
- SHA1: 3e8b1ebca19cf046ddff95dc2450a8270074e16f
- SHA256: 5e80116d30921452a2a36ce53cbfd49796cdcb3d87e8070b37b698c92c3e3c30
- SHA512: b8b13ddc8740c70ec6d53c7d2c6d3a1e6be234dece536c865fa99511d3197d51427ead68a5a45039787ef9ae84b84c15b1ecc84480e02a564b6315f137fc78d0
- SSDEEP: 3072:9WV2IlsHbK+yDjiDND7h5lPnZ+Am27PVA4mzNnKvPR3HR:wL+LDN7RvZp5S4mknR3x
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description       | ioc                                                                                 | Process
  Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                     | 00516819f47c52733da5fac9c272e0bf_JaffaCakes118.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 00516819f47c52733da5fac9c272e0bf_JaffaCakes118.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                | 00516819f47c52733da5fac9c272e0bf_JaffaCakes118.exe
- Suspicious behavior: EnumeratesProcesses (28 IoCs)
  pid  | Process
  2040 | 00516819f47c52733da5fac9c272e0bf_JaffaCakes118.exe (28 identical entries)
- Suspicious use of WriteProcessMemory (9 IoCs)
  description                      | pid  | Process                                            | procid_target
  PID 2040 wrote to memory of 3024 | 2040 | 00516819f47c52733da5fac9c272e0bf_JaffaCakes118.exe | 92
  PID 2040 wrote to memory of 3024 | 2040 | 00516819f47c52733da5fac9c272e0bf_JaffaCakes118.exe | 92
  PID 2040 wrote to memory of 3024 | 2040 | 00516819f47c52733da5fac9c272e0bf_JaffaCakes118.exe | 92
  PID 3024 wrote to memory of 1184 | 3024 | cmd.exe                                            | 95
  PID 3024 wrote to memory of 1184 | 3024 | cmd.exe                                            | 95
  PID 3024 wrote to memory of 1184 | 3024 | cmd.exe                                            | 95
  PID 3024 wrote to memory of 1016 | 3024 | cmd.exe                                            | 96
  PID 3024 wrote to memory of 1016 | 3024 | cmd.exe                                            | 96
  PID 3024 wrote to memory of 1016 | 3024 | cmd.exe                                            | 96
- Views/modifies file attributes (1 TTP, 2 IoCs)
  pid  | Process
  1184 | attrib.exe
  1016 | attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\00516819f47c52733da5fac9c272e0bf_JaffaCakes118.exe (PID 2040)
  command line: "C:\Users\Admin\AppData\Local\Temp\00516819f47c52733da5fac9c272e0bf_JaffaCakes118.exe"
  signatures:
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  child processes:
  - C:\Windows\SysWOW64\cmd.exe (PID 3024)
    command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\CRASHR~1\E455TM~1.BAT
    signatures:
    - Suspicious use of WriteProcessMemory
    child processes:
    - C:\Windows\SysWOW64\attrib.exe (PID 1184)
      command line: attrib -R -S -H "C:\Users\Admin\AppData\Local\Temp\00516819f47c52733da5fac9c272e0bf_JaffaCakes118.exe"
      signatures:
      - Views/modifies file attributes
    - C:\Windows\SysWOW64\attrib.exe (PID 1016)
      command line: attrib -R -S -H "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Crash Reports\E455.tmp.bat"
      signatures:
      - Views/modifies file attributes
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2352)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4160,i,3595107284059830391,18018199024659337217,262144 --variations-seed-version --mojo-platform-channel-handle=4064 /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 506B
  MD5: 064cf84b1b6e0d13e1b509fb82d298c7
  SHA1: 71a17cbb8bf80c350c2d010bd74de6ca86d5b9e3
  SHA256: b52de1042ae4778e03b4f3a1bb335ae1b777c9ece6eff592fa4192980569cd06
  SHA512: 148a8e7978bdadc72409b5ccaaad1b47ccb7375e001158c3f9cce44ae43d5d3df666fa9d9453fdb8bff2059092820680600e102d32c1645f8618157b00ac0edc