Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
142s -
max time network
133s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
24/06/2024, 09:35
Static task
static1
Behavioral task
behavioral1
Sample
07bd0e8cd65f3671801780525b763f21_JaffaCakes118.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
07bd0e8cd65f3671801780525b763f21_JaffaCakes118.exe
Resource
win10v2004-20240611-en
General
-
Target
07bd0e8cd65f3671801780525b763f21_JaffaCakes118.exe
-
Size
1.4MB
-
MD5
07bd0e8cd65f3671801780525b763f21
-
SHA1
eff6e18dbe9256e249de82c244e2d88e03dcf525
-
SHA256
18872a45bdb893140f8a91e6a17999227eed1f97e422f6b68e14ad019af61cb9
-
SHA512
faee415aabb24a1b0b36d8bf23a4745d0ba2f355f4dd36f3fcf07dd8d3482715a865e88d008e7555915f2e320d7e8568bd9943fe4b8150e7838350e303eae8e8
-
SSDEEP
12288:U4qJPu3O2Obz06e682yjLVkY7Hjs/K5CFTkzcZPqwJMMnGWRGZXtnY++aBMVLnfo:U4qk3/T68vaaZXeM+VZF5QZ/N4l6HQC
Malware Config
Signatures
-
Uses the VBS compiler for execution 1 TTPs
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 dw20.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz dw20.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString dw20.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS dw20.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU dw20.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeBackupPrivilege 1400 dw20.exe Token: SeBackupPrivilege 1400 dw20.exe -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 2828 wrote to memory of 876 2828 07bd0e8cd65f3671801780525b763f21_JaffaCakes118.exe 90 PID 2828 wrote to memory of 876 2828 07bd0e8cd65f3671801780525b763f21_JaffaCakes118.exe 90 PID 2828 wrote to memory of 876 2828 07bd0e8cd65f3671801780525b763f21_JaffaCakes118.exe 90 PID 2828 wrote to memory of 1400 2828 07bd0e8cd65f3671801780525b763f21_JaffaCakes118.exe 103 PID 2828 wrote to memory of 1400 2828 07bd0e8cd65f3671801780525b763f21_JaffaCakes118.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\07bd0e8cd65f3671801780525b763f21_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\07bd0e8cd65f3671801780525b763f21_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe2⤵PID:876
-
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 13962⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:1400
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4108,i,12594301322143882025,16832588342008839449,262144 --variations-seed-version --mojo-platform-channel-handle=4296 /prefetch:81⤵PID:5044