Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
121s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
28/06/2024, 11:38
Behavioral task
behavioral1
Sample
19f9225e57aa4380b83adbdd0ff71d6d_JaffaCakes118.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
19f9225e57aa4380b83adbdd0ff71d6d_JaffaCakes118.exe
Resource
win10v2004-20240611-en
General
-
Target
19f9225e57aa4380b83adbdd0ff71d6d_JaffaCakes118.exe
-
Size
117KB
-
MD5
19f9225e57aa4380b83adbdd0ff71d6d
-
SHA1
1faee1e51eabfb9734ef8347ace38c0904444a3b
-
SHA256
287e2c8578ec98e1f8d00e63be4cb296f52873e627e5ad0235b10935a10b804e
-
SHA512
586a0bf6146addb08b430aa7b5956926f0fffc00681f1f2d847205d9b7bce1df09b1b6560636b608e4e1605cafbf1c49ab7289adc5b05f9a5df1e5a5499ae566
-
SSDEEP
1536:ocNjQlsWjcd+xzl7SM+Gn824eo6KcR4mjD9r823Fo:bjr87S7Gnzbo6KcWmjRrz3+
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 3040 CTS.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/memory/1704-0-0x0000000000CC0000-0x0000000000CD7000-memory.dmp upx behavioral1/files/0x002900000001561c-7.dat upx behavioral1/memory/1704-8-0x0000000000CC0000-0x0000000000CD7000-memory.dmp upx behavioral1/memory/3040-11-0x0000000000880000-0x0000000000897000-memory.dmp upx behavioral1/files/0x000f0000000126f7-15.dat upx behavioral1/memory/3040-18-0x0000000000880000-0x0000000000897000-memory.dmp upx -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" 19f9225e57aa4380b83adbdd0ff71d6d_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" CTS.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\CTS.exe CTS.exe File created C:\Windows\CTS.exe 19f9225e57aa4380b83adbdd0ff71d6d_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1704 19f9225e57aa4380b83adbdd0ff71d6d_JaffaCakes118.exe Token: SeDebugPrivilege 3040 CTS.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1704 wrote to memory of 3040 1704 19f9225e57aa4380b83adbdd0ff71d6d_JaffaCakes118.exe 28 PID 1704 wrote to memory of 3040 1704 19f9225e57aa4380b83adbdd0ff71d6d_JaffaCakes118.exe 28 PID 1704 wrote to memory of 3040 1704 19f9225e57aa4380b83adbdd0ff71d6d_JaffaCakes118.exe 28 PID 1704 wrote to memory of 3040 1704 19f9225e57aa4380b83adbdd0ff71d6d_JaffaCakes118.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\19f9225e57aa4380b83adbdd0ff71d6d_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\19f9225e57aa4380b83adbdd0ff71d6d_JaffaCakes118.exe"1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Windows\CTS.exe"C:\Windows\CTS.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3040
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
117KB
MD524c798268ae29a1a943956ca5bf79b8f
SHA16d5bf7918bbcfa185d3ae2506055ff1d01c02bf0
SHA25667247395434abb826d5548adb6c7e1eee7bc39a5fd68f3905c93f614e9ed8402
SHA5124b3c259456ff17de54abd08bbfe9cbd74e79d709e9da32445758cbea0d82c2ff27f3f68a2fec48d2ac6678ed64b243a7a80eec98978a6266a4ee6648a678b4d3
-
Filesize
117KB
MD590560322e00c64a66ef2099f55ff1f09
SHA11404109a21e4656daa9dc570c32e6385b6634344
SHA25669346cf100b44fce4b64c433efc47601922b255c5d4182f4ecf1fcff1ca05bf4
SHA512164e6e7654b55727940b212d56df47043f11e612b04cdfbc4c33ad455bbb5b1cece3882acc944cd526f3c5dcd519bcd1d01a3d796e95902bfc680f51dfe74f61