Analysis
- max time kernel: 118s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 28/06/2024, 01:13
Behavioral task: behavioral1
- Sample: 183e8c64a62fd2b191020582f600c6e0_JaffaCakes118.exe
- Resource: win7-20240508-en

Behavioral task: behavioral2
- Sample: 183e8c64a62fd2b191020582f600c6e0_JaffaCakes118.exe
- Resource: win10v2004-20240611-en
General
- Target: 183e8c64a62fd2b191020582f600c6e0_JaffaCakes118.exe
- Size: 57KB
- MD5: 183e8c64a62fd2b191020582f600c6e0
- SHA1: 92d38d474e66032933b80f1061c5433d96d593eb
- SHA256: e31639872d99773ca6a3191b458569712a471e8078a49ee2f8fb57e1fbd8c0a3
- SHA512: dc045f3cfe2011eca0e821784d982f4a0e623ef46f56133d36e9ec4a00cd8794c03435aa4cee72266d0e0529a9a304e4bbd776b46824f5d12bde47b7cddf4378
- SSDEEP: 1536:v9a+osleo1o2qE/kGG7iuy/1KZBV66WpOY/5Jp/WW:Vvo27Nvuy/1Kh66WpOY
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid   Process
  2652  cmd.exe

- Executes dropped EXE (1 IoC)
  pid   Process
  1680  SQLTools.EXE

- Loads dropped DLL (2 IoCs)
  pid   Process
  2740  183e8c64a62fd2b191020582f600c6e0_JaffaCakes118.exe
  2740  183e8c64a62fd2b191020582f600c6e0_JaffaCakes118.exe

- YARA rule matches
  resource                                                                       yara_rule
  behavioral1/memory/2740-0-0x0000000010000000-0x000000001002A000-memory.dmp     upx
  behavioral1/files/0x000e00000001214d-2.dat                                     upx
  behavioral1/memory/1680-10-0x0000000010000000-0x000000001002A000-memory.dmp    upx
  behavioral1/memory/2948-16-0x0000000010000000-0x000000001002A000-memory.dmp    upx
  behavioral1/memory/2948-20-0x0000000010000000-0x000000001002A000-memory.dmp    upx
  behavioral1/memory/1680-19-0x0000000010000000-0x000000001002A000-memory.dmp    upx
  behavioral1/memory/2948-21-0x0000000010000000-0x000000001002A000-memory.dmp    upx
  behavioral1/memory/2948-22-0x0000000010000000-0x000000001002A000-memory.dmp    upx
  behavioral1/memory/2740-24-0x0000000010000000-0x000000001002A000-memory.dmp    upx

- Suspicious use of SetThreadContext (1 IoC)
  description                            pid   Process       procid_target
  PID 1680 set thread context of 2948    1680  SQLTools.EXE  29

- Drops file in Program Files directory (2 IoCs)
  description                    ioc                             Process
  File opened for modification   C:\Program Files\SQLTools.EXE   183e8c64a62fd2b191020582f600c6e0_JaffaCakes118.exe
  File created                   C:\Program Files\SQLTools.EXE   183e8c64a62fd2b191020582f600c6e0_JaffaCakes118.exe

- Gathers network information (2 TTPs, 1 IoC)
  Uses commandline utility to view network configuration.
  pid   Process
  2948  ipconfig.exe

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description               pid   Process
  Token: SeDebugPrivilege   2740  183e8c64a62fd2b191020582f600c6e0_JaffaCakes118.exe
  Token: SeDebugPrivilege   1680  SQLTools.EXE
  Token: SeDebugPrivilege   2948  ipconfig.exe

- Suspicious use of WriteProcessMemory (14 IoCs)
  description                         pid   Process                                               procid_target
  PID 2740 wrote to memory of 1680    2740  183e8c64a62fd2b191020582f600c6e0_JaffaCakes118.exe   28
  PID 2740 wrote to memory of 1680    2740  183e8c64a62fd2b191020582f600c6e0_JaffaCakes118.exe   28
  PID 2740 wrote to memory of 1680    2740  183e8c64a62fd2b191020582f600c6e0_JaffaCakes118.exe   28
  PID 2740 wrote to memory of 1680    2740  183e8c64a62fd2b191020582f600c6e0_JaffaCakes118.exe   28
  PID 1680 wrote to memory of 2948    1680  SQLTools.EXE                                          29
  PID 1680 wrote to memory of 2948    1680  SQLTools.EXE                                          29
  PID 1680 wrote to memory of 2948    1680  SQLTools.EXE                                          29
  PID 1680 wrote to memory of 2948    1680  SQLTools.EXE                                          29
  PID 1680 wrote to memory of 2948    1680  SQLTools.EXE                                          29
  PID 1680 wrote to memory of 2948    1680  SQLTools.EXE                                          29
  PID 2740 wrote to memory of 2652    2740  183e8c64a62fd2b191020582f600c6e0_JaffaCakes118.exe   30
  PID 2740 wrote to memory of 2652    2740  183e8c64a62fd2b191020582f600c6e0_JaffaCakes118.exe   30
  PID 2740 wrote to memory of 2652    2740  183e8c64a62fd2b191020582f600c6e0_JaffaCakes118.exe   30
  PID 2740 wrote to memory of 2652    2740  183e8c64a62fd2b191020582f600c6e0_JaffaCakes118.exe   30
Processes
- C:\Users\Admin\AppData\Local\Temp\183e8c64a62fd2b191020582f600c6e0_JaffaCakes118.exe (PID 2740)
  Command line: "C:\Users\Admin\AppData\Local\Temp\183e8c64a62fd2b191020582f600c6e0_JaffaCakes118.exe"
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Program Files\SQLTools.EXE (PID 1680)
    Command line: "C:\Program Files\SQLTools.EXE"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\ipconfig.exe (PID 2948)
      Command line: C:\Windows\SYSTEM32\ipconfig.exe
      - Gathers network information
      - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\cmd.exe (PID 2652)
    Command line: cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\183e8c64a62fd2b191020582f600c6e0_JaffaCakes118.exe"
    - Deletes itself
Network
MITRE ATT&CK Enterprise v15