Analysis
- max time kernel: 51s
- max time network: 52s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20/06/2024, 13:00
Static task: static1
Behavioral task: behavioral1
- Sample: 063862283efc1a22008008cb542301a6_JaffaCakes118.exe
- Resource: win7-20240419-en
Behavioral task: behavioral2
- Sample: 063862283efc1a22008008cb542301a6_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: 063862283efc1a22008008cb542301a6_JaffaCakes118.exe
- Size: 349KB
- MD5: 063862283efc1a22008008cb542301a6
- SHA1: ae57f6c8436f461f8a2711f0268db6d54203d2d9
- SHA256: 36a4251b94d63145e3c99aa6ede2ffa727bd78c5ff83255b0928b7c0c934ce61
- SHA512: 2f17708d074b8e6557b973a44d7a0d453330a04a01222a7e1dbe171fdca928b30ee76151201ae16550049a04134b9155517dbae540d94173aeabe08b49ef14c2
- SSDEEP: 6144:oOavk2p1sc2oNQlTlbm2AKnkB1/GB2FuO1D0Z4LGyvBcG4+hZCPCny2rWt+e2DH+:otk2pKhoWTl5JkB1m2Fu1Z4L34+hZCPu
Malware Config
Signatures
- Deletes itself (1 IoCs)
  pid: 5080; Process: cmd.exe
- Executes dropped EXE (1 IoCs)
  pid: 2392; Process: X
- Suspicious use of SetThreadContext (1 IoCs)
  description: PID 4040 set thread context of 5080; pid: 4040; Process: 063862283efc1a22008008cb542301a6_JaffaCakes118.exe; procid_target: 87
- Modifies registry class (1 IoCs)
  description: Key created; ioc: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings; Process: explorer.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid: 2392; Process: X
  pid: 2392; Process: X
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description: Token: SeDebugPrivilege; pid: 4040; Process: 063862283efc1a22008008cb542301a6_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description: PID 4040 wrote to memory of 2392; pid: 4040; Process: 063862283efc1a22008008cb542301a6_JaffaCakes118.exe; procid_target: 81
  description: PID 4040 wrote to memory of 2392; pid: 4040; Process: 063862283efc1a22008008cb542301a6_JaffaCakes118.exe; procid_target: 81
  description: PID 2392 wrote to memory of 1608; pid: 2392; Process: X; procid_target: 82
  description: PID 2392 wrote to memory of 1608; pid: 2392; Process: X; procid_target: 82
  description: PID 2392 wrote to memory of 1608; pid: 2392; Process: X; procid_target: 82
  description: PID 4040 wrote to memory of 5080; pid: 4040; Process: 063862283efc1a22008008cb542301a6_JaffaCakes118.exe; procid_target: 87
  description: PID 4040 wrote to memory of 5080; pid: 4040; Process: 063862283efc1a22008008cb542301a6_JaffaCakes118.exe; procid_target: 87
  description: PID 4040 wrote to memory of 5080; pid: 4040; Process: 063862283efc1a22008008cb542301a6_JaffaCakes118.exe; procid_target: 87
  description: PID 4040 wrote to memory of 5080; pid: 4040; Process: 063862283efc1a22008008cb542301a6_JaffaCakes118.exe; procid_target: 87
Processes
- C:\Users\Admin\AppData\Local\Temp\063862283efc1a22008008cb542301a6_JaffaCakes118.exe (depth 1, PID: 4040)
  command line: "C:\Users\Admin\AppData\Local\Temp\063862283efc1a22008008cb542301a6_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\6f42fddf\X (depth 2, PID: 2392)
    command line: 176.53.17.23:80
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\explorer.exe (depth 3, PID: 1608)
      command line: "C:\Windows\explorer.exe"
      - Modifies registry class
  - C:\Windows\SysWOW64\cmd.exe (depth 2, PID: 5080)
    command line: "C:\Windows\system32\cmd.exe"
    - Deletes itself
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 41KB
  MD5: be40a2578e862f1cecc9b9194f524201
  SHA1: 0c379f375f9bcfab2e8d86161cec07fe4a7dbc12
  SHA256: 2c0f19272baa42d1af85a395fe8cd687c50e91450abc5911f6806c317a25b6a6
  SHA512: 25fbee1dce99c0ca80cd11bbe0d9fceaa07bf8a8b9b3ebc04e55645c0a733dafc83a7922975c31bc9fdff6f413257ac8b9ff72628c78b48a5b7ab669eab369f8