Analysis
max time kernel: 51s
max time network: 53s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/06/2024, 13:18
Static task: static1
Behavioral task: behavioral1
  Sample: 1a444756aac5041a41cc00e6819153a6_JaffaCakes118.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 1a444756aac5041a41cc00e6819153a6_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 1a444756aac5041a41cc00e6819153a6_JaffaCakes118.exe
Size: 192KB
MD5: 1a444756aac5041a41cc00e6819153a6
SHA1: 5e177a7ebaa2cc983a2bb0951712916fd0985e21
SHA256: 5a149525bb861d9640082adb4e845e384a909b58737e1a7becb0048743777d0e
SHA512: 46762924d836066ebdbf62a7787acc730c0afba99b12d07b086303ba93379d200619814ae39437aa30f15bf14b29098e051707498afbfbd30c9e88ef7637219d
SSDEEP: 3072:yPKJnMKJfOydUlIyVcsj5RXQhw0AE6TsuZfs:yiJsy+eyu+XSAnwuZk
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid   Process
  2772  cojywr.exe

Modifies registry class (7 IoCs)
  description  ioc  Process
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\gcojy  cojywr.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\shell\\gcojy  cojywr.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell  cojywr.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID  cojywr.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}  cojywr.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\\shell\\gcojy\\command  cojywr.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node  cojywr.exe

Runs ping.exe (1 TTP, 1 IoC)
  pid  Process
  924  PING.EXE

Suspicious use of WriteProcessMemory (9 IoCs)
  description                        pid   Process                                              procid_target
  PID 1256 wrote to memory of 3664   1256  1a444756aac5041a41cc00e6819153a6_JaffaCakes118.exe  81
  PID 1256 wrote to memory of 3664   1256  1a444756aac5041a41cc00e6819153a6_JaffaCakes118.exe  81
  PID 1256 wrote to memory of 3664   1256  1a444756aac5041a41cc00e6819153a6_JaffaCakes118.exe  81
  PID 3664 wrote to memory of 2772   3664  cmd.exe                                              83
  PID 3664 wrote to memory of 2772   3664  cmd.exe                                              83
  PID 3664 wrote to memory of 2772   3664  cmd.exe                                              83
  PID 3664 wrote to memory of 924    3664  cmd.exe                                              84
  PID 3664 wrote to memory of 924    3664  cmd.exe                                              84
  PID 3664 wrote to memory of 924    3664  cmd.exe                                              84
Processes
1. C:\Users\Admin\AppData\Local\Temp\1a444756aac5041a41cc00e6819153a6_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1a444756aac5041a41cc00e6819153a6_JaffaCakes118.exe"
   - Suspicious use of WriteProcessMemory
   PID: 1256
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eaunujy.bat
      - Suspicious use of WriteProcessMemory
      PID: 3664
      3. C:\Users\Admin\AppData\Local\Temp\cojywr.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\cojywr.exe"
         - Executes dropped EXE
         - Modifies registry class
         PID: 2772
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         - Runs ping.exe
         PID: 924
Network
MITRE ATT&CK Enterprise v15
Downloads