Analysis
  max time kernel:  141s
  max time network: 127s
  platform:         windows10-2004_x64
  resource:         win10v2004-20240611-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        25/06/2024, 12:32
Static task
  static1

Behavioral task
  behavioral1
    Sample:   0e164845833decea7bcf5ea7ff3f68de_JaffaCakes118.exe
    Resource: win7-20240508-en

Behavioral task
  behavioral2
    Sample:   0e164845833decea7bcf5ea7ff3f68de_JaffaCakes118.exe
    Resource: win10v2004-20240611-en
General
  Target: 0e164845833decea7bcf5ea7ff3f68de_JaffaCakes118.exe
  Size:   20KB
  MD5:    0e164845833decea7bcf5ea7ff3f68de
  SHA1:   84cde72064677e0e76eba4ee3e040244b1197cd9
  SHA256: 3ddcdf2d0e1afa87ca2b55d96775691cd33a31bd84543ee1081488bd7f99eed9
  SHA512: 1befd80db6ecd968b84cdef3a6f919ae79a2209da8c3a6bfa6a2f0bb939871b7695cce2af3023c9445aab071ca372631255a0da13ec654c61234b282a5f995a4
  SSDEEP: 384:PU398UjtZC+tBagAlugVRyuOS3E8/kWzfzwdH2zS7EY6U0Qtd:q91vMlugVTBESTzwozkEY6U5
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  pid   Process
  3740  Sysmsge.exe

Loads dropped DLL (1 IoC)
  pid   Process
  3740  Sysmsge.exe

Drops file in System32 directory (2 IoCs)
  description   ioc                                Process
  File created  C:\Windows\SysWOW64\sysmon.dll     0e164845833decea7bcf5ea7ff3f68de_JaffaCakes118.exe
  File created  C:\Windows\SysWOW64\Sysmsge.exe    0e164845833decea7bcf5ea7ff3f68de_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description                        pid   Process
  Token: SeIncBasePriorityPrivilege  3924  0e164845833decea7bcf5ea7ff3f68de_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx (6 IoCs)
  pid   Process
  3924  0e164845833decea7bcf5ea7ff3f68de_JaffaCakes118.exe
  3924  0e164845833decea7bcf5ea7ff3f68de_JaffaCakes118.exe
  3740  Sysmsge.exe
  3740  Sysmsge.exe
  3740  Sysmsge.exe
  3740  Sysmsge.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                         pid   Process                                              procid_target
  PID 3924 wrote to memory of 3740    3924  0e164845833decea7bcf5ea7ff3f68de_JaffaCakes118.exe   82
  PID 3924 wrote to memory of 3740    3924  0e164845833decea7bcf5ea7ff3f68de_JaffaCakes118.exe   82
  PID 3924 wrote to memory of 3740    3924  0e164845833decea7bcf5ea7ff3f68de_JaffaCakes118.exe   82
  PID 3924 wrote to memory of 2624    3924  0e164845833decea7bcf5ea7ff3f68de_JaffaCakes118.exe   83
  PID 3924 wrote to memory of 2624    3924  0e164845833decea7bcf5ea7ff3f68de_JaffaCakes118.exe   83
  PID 3924 wrote to memory of 2624    3924  0e164845833decea7bcf5ea7ff3f68de_JaffaCakes118.exe   83
Processes

  [1] C:\Users\Admin\AppData\Local\Temp\0e164845833decea7bcf5ea7ff3f68de_JaffaCakes118.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\0e164845833decea7bcf5ea7ff3f68de_JaffaCakes118.exe"
      PID: 3924
      - Drops file in System32 directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      [2] C:\Windows\SysWOW64\Sysmsge.exe
          Command line: "C:\Windows\system32\Sysmsge.exe"
          PID: 3740
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetWindowsHookEx

      [2] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\0E1648~1.EXE > nul
          PID: 2624
Network
MITRE ATT&CK Matrix
Downloads

  Filesize: 36KB
  MD5:      a454d8e984fa9dee17d92b7cd0ddc557
  SHA1:     1a0836cd4538bcaae05968430c9a401b07b8ad7e
  SHA256:   15f83d14eaa7ffeedf1d251f7e84c2668245278f71d4a3deab5a16afb43a7731
  SHA512:   27d62aff81f6159b466a9dbd31bfae8cceb00d1d540a1340fe2bed73d2c2bf62dc354a17fe876c615ebf8cb953ef212a0186299cf38d0c6cdc1d58951c55f41f

  Filesize: 20KB
  MD5:      07bc73c1bd4b6658cef9130603b62569
  SHA1:     79270b1d53542a33da395b5c91d8850ae7c99928
  SHA256:   88005a77b27e7a685381adca91b577e5678f40dfdce66c45cb1a8b5ba2068e56
  SHA512:   56c12c1a3c51f673bd9785cd0e667aa6316043d9ebfcf7b760f6b82b538219a796a82f2aa57f74075410e33618d88bb5bc8144e0a743de03324e14ee3e6f467b