Analysis
- max time kernel: 41s
- max time network: 48s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/07/2024, 09:25
Static task
- static1
Behavioral task
- behavioral1
  - Sample: 1ac1e3a0c3a89b9b68edd643cbd31c84_JaffaCakes118.exe
  - Resource: win7-20240419-en
Behavioral task
- behavioral2
  - Sample: 1ac1e3a0c3a89b9b68edd643cbd31c84_JaffaCakes118.exe
  - Resource: win10v2004-20240508-en
General
- Target: 1ac1e3a0c3a89b9b68edd643cbd31c84_JaffaCakes118.exe
- Size: 356KB
- MD5: 1ac1e3a0c3a89b9b68edd643cbd31c84
- SHA1: 1cf6e58fdbe469fd407c609b1d8fb937dc19beb7
- SHA256: 465df717a695839c99130b55a93d42a45c1c9102d9c31d6268635e188246c11c
- SHA512: 55132fe4f5c2461a7e23917553d41ba43e999506109aaab2e9633f3b843f8b21a320354262a24a2cb47c99038a36863d26c45e6d8382d5fca625a4f7027f18e5
- SSDEEP: 6144:kYfr7UVj6F1KvDTFISAW1RJd0WvDQFY3/T9tofBTaEmHjKZHSwFj+jo:VsW3KvDTDf0SMFYPZufBTzIjy5+jo
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  pid | Process
  1148 | aaa.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 1ac1e3a0c3a89b9b68edd643cbd31c84_JaffaCakes118.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  1148 | aaa.exe
  1148 | aaa.exe
  1148 | aaa.exe
  1148 | aaa.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | Process | procid_target
  PID 4804 wrote to memory of 1148 | 4804 | 1ac1e3a0c3a89b9b68edd643cbd31c84_JaffaCakes118.exe | 81
  PID 4804 wrote to memory of 1148 | 4804 | 1ac1e3a0c3a89b9b68edd643cbd31c84_JaffaCakes118.exe | 81
  PID 4804 wrote to memory of 1148 | 4804 | 1ac1e3a0c3a89b9b68edd643cbd31c84_JaffaCakes118.exe | 81
  PID 1148 wrote to memory of 3540 | 1148 | aaa.exe | 56
  PID 1148 wrote to memory of 3540 | 1148 | aaa.exe | 56
  PID 1148 wrote to memory of 3540 | 1148 | aaa.exe | 56
  PID 1148 wrote to memory of 3540 | 1148 | aaa.exe | 56
Processes
- C:\Windows\Explorer.EXE (PID:3540)
  - C:\Users\Admin\AppData\Local\Temp\1ac1e3a0c3a89b9b68edd643cbd31c84_JaffaCakes118.exe (PID:4804)
    command line: "C:\Users\Admin\AppData\Local\Temp\1ac1e3a0c3a89b9b68edd643cbd31c84_JaffaCakes118.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aaa.exe (PID:1148)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aaa.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 31KB
  - MD5: 77e68babe788ba43cd5183f018a475b9
  - SHA1: 62ddae924e02c6f58b48afd4537b89fb4ef23927
  - SHA256: 87d409caf5d3f8981a4ae7e927525b70a7d97d168cba16bdf38baaf76b6e24f8
  - SHA512: 4336f228422768d954d1391cf560e0ff1156b71decff7ed2501690fa8dc4ca4d32d7c2bbe4c4050d6ddcc9bed55895a0aa1bc0a430003a1a4743b53866ed9fb3