Analysis
max time kernel: 155s
max time network: 166s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/06/2024, 03:56
Static task: static1
Behavioral task: behavioral1
  Sample: 029a591fb87c8ebbd7588414b7a03f9d_JaffaCakes118.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 029a591fb87c8ebbd7588414b7a03f9d_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: 029a591fb87c8ebbd7588414b7a03f9d_JaffaCakes118.exe
Size: 691KB
MD5: 029a591fb87c8ebbd7588414b7a03f9d
SHA1: 1902c03277aa90fd50e79985c8d3e0c03662f72e
SHA256: 7350461a9be443ef4cf08a9c303c13a08c12cc0b90fc15f71840f05565aa52f2
SHA512: 85f0743d447d3e5e36403a66c883698961ef0eab28ca747f1a683dfc2ebb57b953eba6050268ca6c3477f7f977fafd738487af42897927afa89c60064cbadbf2
SSDEEP: 12288:W6SUiOOt9+jCe2v3Qn4W/bLqt79BC5erwUZ8WpwJF3Z4mxxUDqVTVOCA:W6Sht9yCe2K5vqJC5erwfW6JQmXDVTzA
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
  pid   Process
  5760  3.exe
  5364  Hacker.com.cn.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  Process: 029a591fb87c8ebbd7588414b7a03f9d_JaffaCakes118.exe
Drops file in Windows directory (3 IoCs)
  description                   ioc                           Process
  File created                  C:\Windows\uninstal.bat       3.exe
  File created                  C:\Windows\Hacker.com.cn.exe  3.exe
  File opened for modification  C:\Windows\Hacker.com.cn.exe  3.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  5760  3.exe
  Token: SeDebugPrivilege  5364  Hacker.com.cn.exe
Suspicious use of FindShellTrayWindow (1 IoC)
  pid   Process
  5364  Hacker.com.cn.exe
Suspicious use of WriteProcessMemory (8 IoCs)
  description                       pid   Process                                             procid_target
  PID 3040 wrote to memory of 5760  3040  029a591fb87c8ebbd7588414b7a03f9d_JaffaCakes118.exe  91
  PID 3040 wrote to memory of 5760  3040  029a591fb87c8ebbd7588414b7a03f9d_JaffaCakes118.exe  91
  PID 3040 wrote to memory of 5760  3040  029a591fb87c8ebbd7588414b7a03f9d_JaffaCakes118.exe  91
  PID 5364 wrote to memory of 5408  5364  Hacker.com.cn.exe                                   93
  PID 5364 wrote to memory of 5408  5364  Hacker.com.cn.exe                                   93
  PID 5760 wrote to memory of 5324  5760  3.exe                                               94
  PID 5760 wrote to memory of 5324  5760  3.exe                                               94
  PID 5760 wrote to memory of 5324  5760  3.exe                                               94
Processes
C:\Users\Admin\AppData\Local\Temp\029a591fb87c8ebbd7588414b7a03f9d_JaffaCakes118.exe (PID 3040)
  command line: "C:\Users\Admin\AppData\Local\Temp\029a591fb87c8ebbd7588414b7a03f9d_JaffaCakes118.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3.exe (PID 5760)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 5324)
      command line: C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
C:\Windows\Hacker.com.cn.exe (PID 5364)
  command line: C:\Windows\Hacker.com.cn.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  C:\Program Files\Internet Explorer\IEXPLORE.EXE (PID 5408)
    command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5400)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5136 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 777KB
  MD5: 4ceb88b18a18bf88197d6c9032c565ba
  SHA1: 33492b16a638a794be51c1331a97c13e94bc7f04
  SHA256: 64a1b05197833f8af011c935b46c41addb9d4d23c89e63a9a5d9c99a93bf2c54
  SHA512: 5e79db8e46c1796f7fb859253c98ab550c9d69e78c0c8429cfdb1d8c542a076435af23507e836167a4d37b42ae2476f13c39ae9da3bce1082f4120f71e8d5929
Filesize: 150B
  MD5: 67e4ea2c3e65d3236c8266b9c116f67f
  SHA1: 7e87f925ccd68b2b7c9af9f92e118db1990234f9
  SHA256: 2dff6c390d03870cec06d16fe0191475fb87ad2330b78d03c15e7ff0bed8f00c
  SHA512: 1a3cf0443e932b9b57f32531b3d61c917b9eec19a4ba73336011041e16a0022c5e62b2c768b34a0bdc08ffd75bbaa0338719577001496c9de8a5638420b0a229