Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28/06/2024, 12:50
Static task: static1
Behavioral task: behavioral1
- Sample: 1a2f1f0bb3014b6dc2e4cba0c38f3a3d_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 1a2f1f0bb3014b6dc2e4cba0c38f3a3d_JaffaCakes118.exe
- Resource: win10v2004-20240611-en
General
- Target: 1a2f1f0bb3014b6dc2e4cba0c38f3a3d_JaffaCakes118.exe
- Size: 801KB
- MD5: 1a2f1f0bb3014b6dc2e4cba0c38f3a3d
- SHA1: eae4fb7d04d59d0a50762fc5f85884a38e7d74cb
- SHA256: ff7174e43019569d1174b91d7723b6e9e6704fda530556af68852cb4dcdb1838
- SHA512: b76b48a7802eb8edbffbb1188df0f80a47f8e4a5efb0dd676ee9809f30ddc37edf049bb949b1cd0d808e84d6034c47c0590405e149505c18a20b06ba20c37625
- SSDEEP: 24576:/c//////Af9RhVlO5KfQDRCDxEgkasgiOREXqaf7fs5qZFJ+:/c//////AfThvfY1CD6asg6XXfLdo
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid   Process
  1444  21.exe
  3136  an.exe
- YARA rule matches
  resource                                                                      yara_rule
  behavioral2/files/0x000800000002356b-6.dat                                    vmprotect
  behavioral2/memory/3136-10-0x0000000000400000-0x00000000005E5000-memory.dmp   vmprotect
  behavioral2/memory/3136-11-0x0000000000400000-0x00000000005E5000-memory.dmp   vmprotect
  behavioral2/memory/3136-21-0x0000000000400000-0x00000000005E5000-memory.dmp   vmprotect
- Suspicious use of SetWindowsHookEx (4 IoCs)
  pid   Process
  3136  an.exe
  3136  an.exe
  3136  an.exe
  3136  an.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   Process                                            procid_target
  PID 2500 wrote to memory of 3236   2500  1a2f1f0bb3014b6dc2e4cba0c38f3a3d_JaffaCakes118.exe  82
  PID 2500 wrote to memory of 3236   2500  1a2f1f0bb3014b6dc2e4cba0c38f3a3d_JaffaCakes118.exe  82
  PID 2500 wrote to memory of 3236   2500  1a2f1f0bb3014b6dc2e4cba0c38f3a3d_JaffaCakes118.exe  82
  PID 2500 wrote to memory of 3640   2500  1a2f1f0bb3014b6dc2e4cba0c38f3a3d_JaffaCakes118.exe  84
  PID 2500 wrote to memory of 3640   2500  1a2f1f0bb3014b6dc2e4cba0c38f3a3d_JaffaCakes118.exe  84
  PID 2500 wrote to memory of 3640   2500  1a2f1f0bb3014b6dc2e4cba0c38f3a3d_JaffaCakes118.exe  84
  PID 3236 wrote to memory of 1444   3236  cmd.exe                                            87
  PID 3236 wrote to memory of 1444   3236  cmd.exe                                            87
  PID 3236 wrote to memory of 1444   3236  cmd.exe                                            87
  PID 3640 wrote to memory of 3136   3640  cmd.exe                                            86
  PID 3640 wrote to memory of 3136   3640  cmd.exe                                            86
  PID 3640 wrote to memory of 3136   3640  cmd.exe                                            86
Processes
- C:\Users\Admin\AppData\Local\Temp\1a2f1f0bb3014b6dc2e4cba0c38f3a3d_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1a2f1f0bb3014b6dc2e4cba0c38f3a3d_JaffaCakes118.exe"
  Signatures: Suspicious use of WriteProcessMemory
  PID: 2500
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\\21.exe"
    Signatures: Suspicious use of WriteProcessMemory
    PID: 3236
    - C:\Users\Admin\AppData\Local\Temp\21.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\\21.exe
      Signatures: Executes dropped EXE
      PID: 1444
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\\an.exe"
    Signatures: Suspicious use of WriteProcessMemory
    PID: 3640
    - C:\Users\Admin\AppData\Local\Temp\an.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\\an.exe
      Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
      PID: 3136
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 32KB
  MD5: 3411daacd28adcc3e8777df9f0e55b68
  SHA1: f3caa6baf64a8c83d0c46a4d6df1e603911f9852
  SHA256: 41b5098d4d30c6888f70ccfb03c92595ffb846a87a00b7a202e8e7c0fe029e23
  SHA512: e1888ad1e9e53bd148b47d498a62172a13752e61beebfcc74f0e7eb2f29037a72487937ce84d29b02bd7692f2afd606ca803fbd36873ae3a73e05e2e2430f730
- Filesize: 736KB
  MD5: 26618be6175e6ed1cc028978ba151495
  SHA1: cb8b553bcffcb51bdce08ca3dca3200a8c8bcaec
  SHA256: 65c2c9086008da3d00e9574cdb9f7415e3f4f105d931531e65a89df63db0099f
  SHA512: 7d4bc1890f92065c84b60ab6bb48729d9730eef7a39ee937150582617bc3ed630e0fee9e350d6f3ef7b9032d11821b455c64d775b518b9eebd41446e1f097546