Analysis
max time kernel: 142s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/06/2024, 17:29
Static task: static1
Behavioral task: behavioral1
  Sample: 0eee3ca8773665d14f51432cbf73f218_JaffaCakes118.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 0eee3ca8773665d14f51432cbf73f218_JaffaCakes118.exe
  Resource: win10v2004-20240611-en
General
Target: 0eee3ca8773665d14f51432cbf73f218_JaffaCakes118.exe
Size: 453KB
MD5: 0eee3ca8773665d14f51432cbf73f218
SHA1: 912761e48688324c1ce28703a5b62d21c8754abc
SHA256: a9cc91878ab919d2914d8886677be0c931b7b6c537c817502dc236d2fb99c9b7
SHA512: 21fdda54a89c02c576e27ae9c09a3dac2f5b59f6bb4c04de287d08cd501042d7b276798f849c0cd220635558bbbfc8c6d3e7e30716b9a85a65500426c5ddf037
SSDEEP: 12288:MNAynmjY95VEM5XJFsalapOJocM4GTOJ6cdH:htjMVl5XJ++MpTI6W
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid | Process
  4484 | KAV key.bat
Drops file in Windows directory (3 IoCs)
  description | ioc | Process
  File created | C:\Windows\KAV key.bat | 0eee3ca8773665d14f51432cbf73f218_JaffaCakes118.exe
  File opened for modification | C:\Windows\KAV key.bat | 0eee3ca8773665d14f51432cbf73f218_JaffaCakes118.exe
  File created | C:\Windows\GUOCYOKl.BAT | 0eee3ca8773665d14f51432cbf73f218_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 772 | 0eee3ca8773665d14f51432cbf73f218_JaffaCakes118.exe
  Token: SeDebugPrivilege | 4484 | KAV key.bat
Suspicious use of FindShellTrayWindow (1 IoC)
  pid | Process
  4484 | KAV key.bat
Suspicious use of WriteProcessMemory (5 IoCs)
  description | pid | Process | procid_target
  PID 4484 wrote to memory of 4436 | 4484 | KAV key.bat | 90
  PID 4484 wrote to memory of 4436 | 4484 | KAV key.bat | 90
  PID 772 wrote to memory of 5056 | 772 | 0eee3ca8773665d14f51432cbf73f218_JaffaCakes118.exe | 95
  PID 772 wrote to memory of 5056 | 772 | 0eee3ca8773665d14f51432cbf73f218_JaffaCakes118.exe | 95
  PID 772 wrote to memory of 5056 | 772 | 0eee3ca8773665d14f51432cbf73f218_JaffaCakes118.exe | 95
Processes
C:\Users\Admin\AppData\Local\Temp\0eee3ca8773665d14f51432cbf73f218_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0eee3ca8773665d14f51432cbf73f218_JaffaCakes118.exe"
  PID: 772
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Windows\GUOCYOKl.BAT
    PID: 5056
C:\Windows\KAV key.bat
  Command line: "C:\Windows\KAV key.bat"
  PID: 4484
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  Child: C:\Program Files\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
    PID: 4436
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 218B
MD5: f474dfc174104fedb7496f3aea41a0f1
SHA1: 617ab6f41352229239eb1879a235e9196558eb90
SHA256: 683ae1c752580e0a580c617fad236b9cadecda3ef8e3d7216a19152cbb5407aa
SHA512: d72c71a9816781ffa2d36dc92737f702b3eeef1358a68544b277301e581bc186e3a71097da9f631fe311c3a0bda132b5fa8418c1fa7531ad3313e49cc163edb9

Filesize: 453KB
MD5: 0eee3ca8773665d14f51432cbf73f218
SHA1: 912761e48688324c1ce28703a5b62d21c8754abc
SHA256: a9cc91878ab919d2914d8886677be0c931b7b6c537c817502dc236d2fb99c9b7
SHA512: 21fdda54a89c02c576e27ae9c09a3dac2f5b59f6bb4c04de287d08cd501042d7b276798f849c0cd220635558bbbfc8c6d3e7e30716b9a85a65500426c5ddf037