Analysis
max time kernel: 140s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/06/2024, 09:06
Behavioral task: behavioral1
Sample: 0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe
Resource: win7-20240611-en
Behavioral task: behavioral2
Sample: 0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe
Resource: win10v2004-20240508-en
General
Target: 0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe
Size: 62KB
MD5: 0d7b33db1f531966add6c065885a5501
SHA1: cd7e136a587ecfa164010042540b2aac44ebb81c
SHA256: 897611a1fd6a2ff93247a0758f06ce5c34a06b50a859de487d10cd7d58d243f7
SHA512: a12f4ad98db107cca8e9824f7ba7e48004a2c837fb43fee1e52aea95cb2f01341c2970558b410cc78286502606af8be82e85882544a8d68a760327b4581e3df8
SSDEEP: 768:t4xjgvZqw6axPo6qcHMV4+ZC7d9443l/kJ/MUTW+cieBN2QOx2jqpoINN6fTjiAt:6SvZqNMPo3cHH5dk7TWkeBoTYqpqf0O
Malware Config
Signatures
Adds policy Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\McaFee virus detect program. = "c:\\Program Files\\Network Associates\\VirusScan\\McaUpdate.exe" | 0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe

Drops file in Drivers directory (9 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\drivers\inc\Rijtoovxhpnetinfo.sys | cmd.exe
File opened for modification | C:\Windows\SysWOW64\drivers\inc\Rijtoovxhpinfo.sys | cmd.exe
File opened for modification | C:\Windows\SysWOW64\drivers\inc\Rijtoovxhpinfo.sys | cmd.exe
File opened for modification | C:\Windows\SysWOW64\drivers\inc\Rijtoovxhpinfo.sys | cmd.exe
File created | C:\Windows\SysWOW64\drivers\inc\Rijtoovxhpinfolzw.sys | 0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\drivers\inc\Rijtoovxhpnetinfo.sys | cmd.exe
File opened for modification | C:\Windows\SysWOW64\drivers\inc\Rijtoovxhpnetinfo.sys | cmd.exe
File opened for modification | C:\Windows\SysWOW64\drivers\inc\Rijtoovxhpinfo.sys | cmd.exe
File opened for modification | C:\Windows\SysWOW64\drivers\inc\Rijtoovxhpinfo.sys | cmd.exe

resource | yara_rule
behavioral2/memory/4932-0-0x0000000000400000-0x0000000000432000-memory.dmp | upx
behavioral2/memory/4932-2-0x0000000000400000-0x0000000000432000-memory.dmp | upx
behavioral2/memory/4932-22-0x0000000000400000-0x0000000000432000-memory.dmp | upx
Discovers systems in the same network (1 TTPs, 1 IoCs)
pid | Process
1584 | net.exe

Enumerates processes with tasklist (1 TTPs, 1 IoCs)
pid | Process
4472 | tasklist.exe

Gathers network information (2 TTPs, 2 IoCs)
Uses commandline utility to view network configuration.
pid | Process
1908 | ipconfig.exe
1568 | NETSTAT.EXE

Gathers system information (1 TTPs, 1 IoCs)
Runs systeminfo.exe.
pid | Process
2316 | systeminfo.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
4932 | 0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe
4932 | 0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe
4932 | 0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe
4932 | 0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1568 | NETSTAT.EXE
Token: SeDebugPrivilege | 4472 | tasklist.exe

Suspicious use of WriteProcessMemory (60 IoCs; each call below is logged three times in the report, giving 20 distinct rows)
description | pid | Process | procid_target
PID 4932 wrote to memory of 3524 | 4932 | 0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe | 80
PID 4932 wrote to memory of 3776 | 4932 | 0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe | 82
PID 3776 wrote to memory of 1908 | 3776 | cmd.exe | 84
PID 3776 wrote to memory of 1584 | 3776 | cmd.exe | 85
PID 3776 wrote to memory of 1568 | 3776 | cmd.exe | 93
PID 3776 wrote to memory of 2316 | 3776 | cmd.exe | 94
PID 4932 wrote to memory of 2264 | 4932 | 0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe | 97
PID 2264 wrote to memory of 4732 | 2264 | cmd.exe | 99
PID 4732 wrote to memory of 856 | 4732 | net.exe | 100
PID 2264 wrote to memory of 4472 | 2264 | cmd.exe | 101
PID 4932 wrote to memory of 1060 | 4932 | 0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe | 102
PID 1060 wrote to memory of 4348 | 1060 | cmd.exe | 104
PID 4932 wrote to memory of 3584 | 4932 | 0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe | 105
PID 3584 wrote to memory of 680 | 3584 | cmd.exe | 107
PID 4932 wrote to memory of 4464 | 4932 | 0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe | 108
PID 4464 wrote to memory of 1224 | 4464 | cmd.exe | 110
PID 4932 wrote to memory of 5060 | 4932 | 0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe | 111
PID 5060 wrote to memory of 920 | 5060 | cmd.exe | 113
PID 4932 wrote to memory of 888 | 4932 | 0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe | 114
PID 888 wrote to memory of 2576 | 888 | cmd.exe | 116
Processes (process tree; indentation shows the parent/child level reported by the sandbox)

[1] C:\Users\Admin\AppData\Local\Temp\0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\0d7b33db1f531966add6c065885a5501_JaffaCakes118.exe"
    PID:4932
    - Adds policy Run key to start application
    - Drops file in Drivers directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c "del C:\Windows\system32\drivers\inc\HPsys\*.* /q"
        PID:3524

    [2] C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c "ipconfig -all >C:\Windows\system32\drivers\inc\Rijtoovxhpnetinfo.sys & net view >>C:\Windows\system32\drivers\inc\Rijtoovxhpnetinfo.sys & netstat -an >>C:\Windows\system32\drivers\inc\Rijtoovxhpnetinfo.sys & systeminfo >>C:\Windows\system32\drivers\inc\Rijtoovxhpnetinfo.sys"
        PID:3776
        - Drops file in Drivers directory
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\ipconfig.exe
            command line: ipconfig -all
            PID:1908
            - Gathers network information

        [3] C:\Windows\SysWOW64\net.exe
            command line: net view
            PID:1584
            - Discovers systems in the same network

        [3] C:\Windows\SysWOW64\NETSTAT.EXE
            command line: netstat -an
            PID:1568
            - Gathers network information
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\SysWOW64\systeminfo.exe
            command line: systeminfo
            PID:2316
            - Gathers system information

    [2] C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c "net start >>C:\Windows\system32\drivers\inc\Rijtoovxhpnetinfo.sys & tasklist /svc >>C:\Windows\system32\drivers\inc\Rijtoovxhpnetinfo.sys & dir c: >>C:\Windows\system32\drivers\inc\Rijtoovxhpnetinfo.sys & dir d: >>C:\Windows\system32\drivers\inc\Rijtoovxhpnetinfo.sys"
        PID:2264
        - Drops file in Drivers directory
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\net.exe
            command line: net start
            PID:4732
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\net1.exe
                command line: C:\Windows\system32\net1 start
                PID:856

        [3] C:\Windows\SysWOW64\tasklist.exe
            command line: tasklist /svc
            PID:4472
            - Enumerates processes with tasklist
            - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c "tree C: /F /A >>C:\Windows\system32\drivers\inc\Rijtoovxhpinfo.sys"
        PID:1060
        - Drops file in Drivers directory
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\tree.com
            command line: tree C: /F /A
            PID:4348

    [2] C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c "tree D: /F /A >>C:\Windows\system32\drivers\inc\Rijtoovxhpinfo.sys"
        PID:3584
        - Drops file in Drivers directory
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\tree.com
            command line: tree D: /F /A
            PID:680

    [2] C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c "tree E: /F /A >>C:\Windows\system32\drivers\inc\Rijtoovxhpinfo.sys"
        PID:4464
        - Drops file in Drivers directory
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\tree.com
            command line: tree E: /F /A
            PID:1224

    [2] C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c "tree F: /F /A >>C:\Windows\system32\drivers\inc\Rijtoovxhpinfo.sys"
        PID:5060
        - Drops file in Drivers directory
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\tree.com
            command line: tree F: /F /A
            PID:920

    [2] C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c "tree G: /F /A >>C:\Windows\system32\drivers\inc\Rijtoovxhpinfo.sys"
        PID:888
        - Drops file in Drivers directory
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\tree.com
            command line: tree G: /F /A
            PID:2576
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2KB
MD5: 632f2c476aae0fbe08304d1bdbf3da90
SHA1: e4db5877a0d2ee915370dd9f64963c177239384b
SHA256: f11982e6e0466b86eaa121d538116dfccb23f27ed27f8a5f1b6473995afec8d2
SHA512: c414cab0484dd75ef23278138367523b90d0009695cea19a920352da66ac6dbaad8dd6c4d8525bfe8c9a80c57950ce08c424154dce084a0448b7fff24bdfdaac

Filesize: 2KB
MD5: f2b6a5c7f4f3c97873a47ff720aafe5a
SHA1: 49aca91572e049e6a3fe1cb4729a4f6c2cc98ff6
SHA256: 16e9ee878b851bf3991c004afe13038cf11e759e50e25dbf94112f794aee5c89
SHA512: 943590a35d9f87ee1eba82d831089b87af1c417402b981500f8df8170be98da41de6583b5a3f65f9633c4706d1a742e5678c35a54e8832e3b876d950f450125f

Filesize: 2KB
MD5: a3d71265a9d540907d1a4f62c4e733b3
SHA1: c57c388dd731c4dac11b1fa13bdfb7ee1117e3c0
SHA256: ae86651c1f0e2f64069571904d7030a8d79656aa235e1070357176408dcbf5e2
SHA512: b4c60060eaa04754aea2b864894fb9cb2d8c6c36fa5e19aa7a915ae8eba72329bbb910476d8300d5f8f5e49947f8bb47549a75d563edb95aaa2e8d1cac37f8d4

Filesize: 2KB
MD5: 7cd364c5a25b8847cd1ec92d4406825a
SHA1: 10a46a37738c693ee0cbb9d9090cd3b16985219e
SHA256: 51512e0957b67b3bf83969f52ca08ce0661ba4e981a93936b5d6f8a94b874810
SHA512: e348af35be61ac6b109298bd4157ed46aba0ed1a5bafddd2c35e118752febcf51268337ef2a1d6149373bfb7efff989b3d0ea353ca1f3c835782398b7fcd4c01

Filesize: 2KB
MD5: 60d2d4573c106a570ebde1522121eeef
SHA1: 9353a111b7a73c5c1b3b2e0903788aa9ecdf009c
SHA256: 84bbc9ac9f523427ab730a2dbd71f5ca20d7248a23102966a4fafc52cec636aa
SHA512: 6aff6e003675a89e42f48f8e1dd60c089356b78879e4e4bd4ad1484152e3f2a95ea4ca8049721c343c7d7de4d3121fe84a3f15a1f4be65f7d6a3f5b8fcefd6ab

Filesize: 6KB
MD5: eb92329e953e7a76cb7f1638e462b644
SHA1: 5f16be44bd78684bfd3139550dc6439fa74ea37e
SHA256: a48bf1d350434906ed40a5a40d93a44fc6e1fee595c63b06765d4b8fd70c39be
SHA512: 20bd6ad39356c4f5d8519c1169dbbbc99e73373cca9b582379ee4f862e25981bdbdef5a9c7253f35e0e1350958b7cd909ba310409ba36378ebf27136e4bc926a

Filesize: 19KB
MD5: 1b4326f8176e19eb3c20b3b8e1277adc
SHA1: 4eae3fd83fc46b032f5c2693260a8481917c01c9
SHA256: 254f471bded492401a07bc19b344a0c5654e00cb8ddad75b61eb63504254f848
SHA512: 0b13731a691cb2b37b71c313a1360b375ab5620fbf09622a814a0cea484b7f2c819c5989257f8d7b18f68f5ee0c240a5611f10a291c32f9dbe3c586998f18c73