Analysis
Max time kernel: 132s
Max time network: 127s
Platform: windows10-2004_x64
Resource: win10v2004-20240611-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 28/06/2024, 01:13
Behavioral task behavioral1
Sample: 183e8c64a62fd2b191020582f600c6e0_JaffaCakes118.exe
Resource: win7-20240508-en

Behavioral task behavioral2
Sample: 183e8c64a62fd2b191020582f600c6e0_JaffaCakes118.exe
Resource: win10v2004-20240611-en

Every signature hit and process listed below is tagged behavioral2 (the Windows 10 run); no behavioral1 results appear on this page.
General
Target: 183e8c64a62fd2b191020582f600c6e0_JaffaCakes118.exe
Size: 57KB
MD5: 183e8c64a62fd2b191020582f600c6e0
SHA1: 92d38d474e66032933b80f1061c5433d96d593eb
SHA256: e31639872d99773ca6a3191b458569712a471e8078a49ee2f8fb57e1fbd8c0a3
SHA512: dc045f3cfe2011eca0e821784d982f4a0e623ef46f56133d36e9ec4a00cd8794c03435aa4cee72266d0e0529a9a304e4bbd776b46824f5d12bde47b7cddf4378
SSDEEP: 1536:v9a+osleo1o2qE/kGG7iuy/1KZBV66WpOY/5Jp/WW:Vvo27Nvuy/1Kh66WpOY
Malware Config
Signatures
Executes dropped EXE  1 IoCs
pid   Process
3452  SQLTools.EXE

yara_rule matches
resource                                                                      yara_rule
behavioral2/memory/2180-0-0x0000000010000000-0x000000001002A000-memory.dmp    upx
behavioral2/files/0x000900000002363b-4.dat                                    upx
behavioral2/memory/1516-5-0x0000000010000000-0x000000001002A000-memory.dmp    upx
behavioral2/memory/1516-10-0x0000000010000000-0x000000001002A000-memory.dmp   upx
behavioral2/memory/1516-9-0x0000000010000000-0x000000001002A000-memory.dmp    upx
behavioral2/memory/2180-12-0x0000000010000000-0x000000001002A000-memory.dmp   upx
behavioral2/memory/3452-8-0x0000000010000000-0x000000001002A000-memory.dmp    upx

Suspicious use of SetThreadContext  1 IoCs
description                          pid   Process       procid_target
PID 3452 set thread context of 1516  3452  SQLTools.EXE  91

Drops file in Program Files directory  2 IoCs
description                   ioc                            Process
File opened for modification  C:\Program Files\SQLTools.EXE  183e8c64a62fd2b191020582f600c6e0_JaffaCakes118.exe
File created                  C:\Program Files\SQLTools.EXE  183e8c64a62fd2b191020582f600c6e0_JaffaCakes118.exe
Gathers network information  2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
pid   Process
1516  ipconfig.exe

Note: this ipconfig.exe instance (PID 1516) is the process that SQLTools.EXE (PID 3452) wrote to five times and whose thread context it then reset, and the upx yara rule matches in its memory at 0x10000000-0x1002A000, the same region flagged in PIDs 2180 and 3452. The signature keys on the image name; the process is more plausibly a hollowed host for the injected payload than a genuine network-configuration lookup, so treat this TTP mapping as low confidence.
Suspicious use of AdjustPrivilegeToken  3 IoCs
description              pid   Process
Token: SeDebugPrivilege  2180  183e8c64a62fd2b191020582f600c6e0_JaffaCakes118.exe
Token: SeDebugPrivilege  3452  SQLTools.EXE
Token: SeDebugPrivilege  1516  ipconfig.exe

Suspicious use of WriteProcessMemory  11 IoCs
description                       pid   Process                                              procid_target
PID 2180 wrote to memory of 3452  2180  183e8c64a62fd2b191020582f600c6e0_JaffaCakes118.exe  90
PID 2180 wrote to memory of 3452  2180  183e8c64a62fd2b191020582f600c6e0_JaffaCakes118.exe  90
PID 2180 wrote to memory of 3452  2180  183e8c64a62fd2b191020582f600c6e0_JaffaCakes118.exe  90
PID 3452 wrote to memory of 1516  3452  SQLTools.EXE                                         91
PID 3452 wrote to memory of 1516  3452  SQLTools.EXE                                         91
PID 3452 wrote to memory of 1516  3452  SQLTools.EXE                                         91
PID 3452 wrote to memory of 1516  3452  SQLTools.EXE                                         91
PID 3452 wrote to memory of 1516  3452  SQLTools.EXE                                         91
PID 2180 wrote to memory of 3748  2180  183e8c64a62fd2b191020582f600c6e0_JaffaCakes118.exe  92
PID 2180 wrote to memory of 3748  2180  183e8c64a62fd2b191020582f600c6e0_JaffaCakes118.exe  92
PID 2180 wrote to memory of 3748  2180  183e8c64a62fd2b191020582f600c6e0_JaffaCakes118.exe  92
Processes
1  C:\Users\Admin\AppData\Local\Temp\183e8c64a62fd2b191020582f600c6e0_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\183e8c64a62fd2b191020582f600c6e0_JaffaCakes118.exe"
   PID: 2180
   - Drops file in Program Files directory
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2  C:\Program Files\SQLTools.EXE
      Command line: "C:\Program Files\SQLTools.EXE"
      PID: 3452
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3  C:\Windows\SysWOW64\ipconfig.exe
         Command line: C:\Windows\SYSTEM32\ipconfig.exe
         PID: 1516
         - Gathers network information
         - Suspicious use of AdjustPrivilegeToken
   2  C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\183e8c64a62fd2b191020582f600c6e0_JaffaCakes118.exe"
      PID: 3748
1  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
   Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4268,i,11069752405888604640,8928124405695604965,262144 --variations-seed-version --mojo-platform-channel-handle=3904 /prefetch:8
   PID: 220

Reading the tree: the sample copies itself to C:\Program Files\SQLTools.EXE and launches it; SQLTools.EXE starts ipconfig.exe, writes its memory and resets its thread context (the SetThreadContext and WriteProcessMemory IoCs above); the root process then spawns cmd.exe /c del against its own path to remove the original file. The ipconfig.exe command line names SYSTEM32 while the image path is SysWOW64 because the sample is 32-bit (arch:x86 tag, image mapped at 0x10000000) running under WoW64 on the x64 guest, so file-system redirection serves the 32-bit binary. The top-level msedge.exe utility process is not a child of the sample and carries no signatures.
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 57KB
MD5: 183e8c64a62fd2b191020582f600c6e0
SHA1: 92d38d474e66032933b80f1061c5433d96d593eb
SHA256: e31639872d99773ca6a3191b458569712a471e8078a49ee2f8fb57e1fbd8c0a3
SHA512: dc045f3cfe2011eca0e821784d982f4a0e623ef46f56133d36e9ec4a00cd8794c03435aa4cee72266d0e0529a9a304e4bbd776b46824f5d12bde47b7cddf4378