Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/06/2024, 13:09
Static task: static1

Behavioral task: behavioral1
Sample: 064785a185279296229b5c4ac0c789ef_JaffaCakes118.exe
Resource: win7-20240611-en

Behavioral task: behavioral2
Sample: 064785a185279296229b5c4ac0c789ef_JaffaCakes118.exe
Resource: win10v2004-20240508-en
General
Target: 064785a185279296229b5c4ac0c789ef_JaffaCakes118.exe
Size: 631KB
MD5: 064785a185279296229b5c4ac0c789ef
SHA1: 137e2609d96ce80c074ac77114b11fdd24abc850
SHA256: 5479e9b06ea8773617411f286263356970795cfd6473e2acbf9f1f60367cca57
SHA512: 05f60d711f99c958bb4c904be8cb7080ad5f572d335ee4e9ad01e8cddde2d010b04177f3f2787250141796e20aedad16dd5a3fbba01a0d80b0de6578eeff7aa9
SSDEEP: 12288:AzbV3qR4M+1Aq5vNd8Tcr2WEzSZh7rEF3Z4mxxlRDGdAp4feSAAoO6A3uMd:AzbRq1/q5v78owzSZh7rEQmXnDu2SpoE
Malware Config
Signatures

Executes dropped EXE (1 IoC)
pid   Process
3908  Hacker.com.cn.exe

Drops file in Windows directory (2 IoCs)
description                   ioc                           Process
File created                  C:\Windows\Hacker.com.cn.exe  064785a185279296229b5c4ac0c789ef_JaffaCakes118.exe
File opened for modification  C:\Windows\Hacker.com.cn.exe  064785a185279296229b5c4ac0c789ef_JaffaCakes118.exe

Modifies data under HKEY_USERS (5 IoCs)
description      ioc                                                                                                          Process
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                  Hacker.com.cn.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"   Hacker.com.cn.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  Hacker.com.cn.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" Hacker.com.cn.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"    Hacker.com.cn.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description               pid   Process
Token: SeDebugPrivilege   1860  064785a185279296229b5c4ac0c789ef_JaffaCakes118.exe
Token: SeDebugPrivilege   3908  Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow (27 IoCs)
pid   Process
3908  Hacker.com.cn.exe  (27 identical entries)

Suspicious use of WriteProcessMemory (2 IoCs)
description                       pid   Process            procid_target
PID 3908 wrote to memory of 3736  3908  Hacker.com.cn.exe  82
PID 3908 wrote to memory of 3736  3908  Hacker.com.cn.exe  82
Processes

C:\Users\Admin\AppData\Local\Temp\064785a185279296229b5c4ac0c789ef_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\064785a185279296229b5c4ac0c789ef_JaffaCakes118.exe"
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 1860

C:\Windows\Hacker.com.cn.exe
  Command line: C:\Windows\Hacker.com.cn.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID: 3908

  C:\Program Files\Internet Explorer\IEXPLORE.EXE (child of PID 3908)
    Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
    PID: 3736
Network
MITRE ATT&CK Matrix