Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 24/06/2024, 21:55
Behavioral task behavioral1
Sample: 0ad0d4bfd6ba4d9ad762c8d4e2220a2b_JaffaCakes118.exe
Resource: win7-20240221-en
Behavioral task behavioral2
Sample: 0ad0d4bfd6ba4d9ad762c8d4e2220a2b_JaffaCakes118.exe
Resource: win10v2004-20240226-en
General
Target: 0ad0d4bfd6ba4d9ad762c8d4e2220a2b_JaffaCakes118.exe
Size: 425KB
MD5: 0ad0d4bfd6ba4d9ad762c8d4e2220a2b
SHA1: 036818ac45af08b338b3d62e311f2ed09558b630
SHA256: f87dd479cccf500dd82327968b668f5859a2fd58a4300e787a0fff61f5195e76
SHA512: b0ef2c3d17974dc330992ec58454cb3ea0f9cecfb2f7c30d1e58624eaa38db4e372ca4c2431ff21fa7ec95e2ec369e6e9cca65c499ede870309a7e9b92e029a6
SSDEEP: 6144:SkZWPKBXND6gRa9y/te9H9LgnVlL8VZBPdklwfNSJxyVaIk:SkZWPKBzQy/te9dUVlLGFkefNSJiab
Malware Config
Signatures
Executes dropped EXE (1 IoC)
pid 2504 | Process Ugywya.exe
resource / yara_rule
behavioral1/memory/2172-0-0x0000000000400000-0x000000000046C000-memory.dmp | upx
behavioral1/files/0x0007000000015cb9-11.dat | upx
behavioral1/memory/2504-13-0x0000000000400000-0x000000000046C000-memory.dmp | upx
Drops file in Windows directory (6 IoCs)
description | ioc | Process
File created | C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job | 0ad0d4bfd6ba4d9ad762c8d4e2220a2b_JaffaCakes118.exe
File opened for modification | C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job | 0ad0d4bfd6ba4d9ad762c8d4e2220a2b_JaffaCakes118.exe
File created | C:\Windows\Ugywya.exe | 0ad0d4bfd6ba4d9ad762c8d4e2220a2b_JaffaCakes118.exe
File opened for modification | C:\Windows\Ugywya.exe | 0ad0d4bfd6ba4d9ad762c8d4e2220a2b_JaffaCakes118.exe
File created | C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job | Ugywya.exe
File opened for modification | C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job | Ugywya.exe
Modifies Internet Explorer settings
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main | Ugywya.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid 2504 | Process Ugywya.exe (the same pid/process entry is repeated 64 times)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeRestorePrivilege | 2172 | 0ad0d4bfd6ba4d9ad762c8d4e2220a2b_JaffaCakes118.exe
Token: SeBackupPrivilege | 2172 | 0ad0d4bfd6ba4d9ad762c8d4e2220a2b_JaffaCakes118.exe
Suspicious use of UnmapMainImage (2 IoCs)
pid 2172 | Process 0ad0d4bfd6ba4d9ad762c8d4e2220a2b_JaffaCakes118.exe
pid 2504 | Process Ugywya.exe
Suspicious use of WriteProcessMemory (7 IoCs)
description | pid | Process | procid_target
PID 2172 wrote to memory of 2504 | 2172 | 0ad0d4bfd6ba4d9ad762c8d4e2220a2b_JaffaCakes118.exe | 28 (the same entry is repeated 7 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\0ad0d4bfd6ba4d9ad762c8d4e2220a2b_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0ad0d4bfd6ba4d9ad762c8d4e2220a2b_JaffaCakes118.exe"
   PID: 2172
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Ugywya.exe (child of PID 2172)
      Command line: C:\Windows\Ugywya.exe
      PID: 2504
      - Executes dropped EXE
      - Drops file in Windows directory
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 372B
MD5: e7759b12cd262a91762f9530fd079337
SHA1: 1b169e5f2d2663f1b8ae98a8aab18449935059cf
SHA256: cc0a31ab08aa3b275f6f237d4f8092e631970fb7132c57904b77127359155af9
SHA512: f09f206b99da667cb7358a35fa46a7ba31e26f0eb33a5105ebf5f8e47eb0eb6fce286ce83257028e16228384dca7ceaf958c269f81411aadf6a8e102db727ea5
Filesize: 425KB
MD5: 0ad0d4bfd6ba4d9ad762c8d4e2220a2b
SHA1: 036818ac45af08b338b3d62e311f2ed09558b630
SHA256: f87dd479cccf500dd82327968b668f5859a2fd58a4300e787a0fff61f5195e76
SHA512: b0ef2c3d17974dc330992ec58454cb3ea0f9cecfb2f7c30d1e58624eaa38db4e372ca4c2431ff21fa7ec95e2ec369e6e9cca65c499ede870309a7e9b92e029a6