Analysis
- max time kernel: 147s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28/06/2024, 14:16
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 1a706d5383c7092d51ca8e7f12530649_JaffaCakes118.exe
  Resource: win7-20240611-en
- Behavioral task: behavioral2
  Sample: 1a706d5383c7092d51ca8e7f12530649_JaffaCakes118.exe
  Resource: win10v2004-20240611-en
General
- Target: 1a706d5383c7092d51ca8e7f12530649_JaffaCakes118.exe
- Size: 659KB
- MD5: 1a706d5383c7092d51ca8e7f12530649
- SHA1: 4aa83450fdc8e594697ea541518949c2a04bb7b0
- SHA256: 81d522b210d792d32e3d44735e3c7c39a57eae172f5520fa4b55ed1007efdea0
- SHA512: 406626bb597e60325fcd168eeaca763b27cf7bd206ecf3cc2a253d54a80934d0b10616a3cb92fd67c91bfa04417ede23c07054f0d3a8d87f210cc5d958330cf4
- SSDEEP: 12288:d5RdOR3PHKhGLxe0DA8PSTRK8AYHv1L8qKtZTln7NEakAR8+JU/w:H3OR3PHKux7DA8PMfrHUtZhnxEa9R8tY
Malware Config
Signatures
- Server Software Component: Terminal Services DLL (1 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\.Net CLR\Parameters\ServiceDll = "C:\\Windows\\system32\\e57d522.dll"
  Process: 1a706d5383c7092d51ca8e7f12530649_JaffaCakes118.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation
  Process: 1a706d5383c7092d51ca8e7f12530649_JaffaCakes118.exe
- Loads dropped DLL (3 IoCs)
  pid 1564: 1a706d5383c7092d51ca8e7f12530649_JaffaCakes118.exe
  pid 3284: svchost.exe
  pid 3224: rundll32.exe
- VMProtect packed file (yara rule: vmprotect)
  resource: behavioral2/memory/1564-13-0x00000000755F0000-0x0000000075779000-memory.dmp
  resource: behavioral2/files/0x000900000002363b-10.dat
  resource: behavioral2/memory/3284-19-0x00000000755F0000-0x0000000075779000-memory.dmp
  resource: behavioral2/memory/3224-21-0x00000000755F0000-0x0000000075779000-memory.dmp
- Drops file in System32 directory (1 IoCs)
  description: File created
  ioc: C:\Windows\SysWOW64\e57d522.dll
  Process: 1a706d5383c7092d51ca8e7f12530649_JaffaCakes118.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 3224: rundll32.exe
  pid 3224: rundll32.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description: Token: SeIncBasePriorityPrivilege
  pid 1564: 1a706d5383c7092d51ca8e7f12530649_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description: PID 3284 wrote to memory of 3224 | pid: 3284 | Process: svchost.exe | procid_target: 93
  description: PID 3284 wrote to memory of 3224 | pid: 3284 | Process: svchost.exe | procid_target: 93
  description: PID 3284 wrote to memory of 3224 | pid: 3284 | Process: svchost.exe | procid_target: 93
  description: PID 1564 wrote to memory of 3212 | pid: 1564 | Process: 1a706d5383c7092d51ca8e7f12530649_JaffaCakes118.exe | procid_target: 94
  description: PID 1564 wrote to memory of 3212 | pid: 1564 | Process: 1a706d5383c7092d51ca8e7f12530649_JaffaCakes118.exe | procid_target: 94
  description: PID 1564 wrote to memory of 3212 | pid: 1564 | Process: 1a706d5383c7092d51ca8e7f12530649_JaffaCakes118.exe | procid_target: 94
Processes
- C:\Users\Admin\AppData\Local\Temp\1a706d5383c7092d51ca8e7f12530649_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1a706d5383c7092d51ca8e7f12530649_JaffaCakes118.exe"
  PID: 1564
  Signatures:
  - Server Software Component: Terminal Services DLL
  - Checks computer location settings
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\1A706D~1.EXE" > nul
    PID: 3212
- C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k ".Net CLR"
  PID: 3284
  Signatures:
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe c:\windows\system32\e57d522.dll, Launch
    PID: 3224
    Signatures:
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=2736,i,11069752405888604640,8928124405695604965,262144 --variations-seed-version --mojo-platform-channel-handle=4192 /prefetch:8
  PID: 2948
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 371KB
  MD5: e4060e2410ea64e00f85d83bfb137bfb
  SHA1: f230ecb9b0d8bc88ec0f82ce74c80143b2e5458a
  SHA256: fe30c3f8c5e47e7a9b51404357dd96281062f08ff6a2230f1edf5f807bd43c75
  SHA512: 83a518435605bd7b7150539061dfb8b63da24cbc59c9d4db909120314e4eae24a0cb1e675b52c4567365f261d9bc6cda54a6a901b243d40b0f3238ad1e3175dd