Analysis
- max time kernel: 100s
- max time network: 102s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03/07/2024, 07:47
Behavioral task: behavioral1
- Sample: 21966b15bbb4957362df4553e5d9c342_JaffaCakes118.exe
- Resource: win7-20240419-en
Behavioral task: behavioral2
- Sample: 21966b15bbb4957362df4553e5d9c342_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: 21966b15bbb4957362df4553e5d9c342_JaffaCakes118.exe
- Size: 502KB
- MD5: 21966b15bbb4957362df4553e5d9c342
- SHA1: 7f7fac5c779f1533ecab9b7642f5b773ec7effc7
- SHA256: d2d4bd955a4207b39aee701613f9b28773d6e643842b100c7052825e82c7a47e
- SHA512: 42940fab792ce9fc669d3826b31d2f9fb34e2864c133d5230c703b1af601afe0e2cd8beaf90390bec8a2bcde802ca957c1e0715736eb485856bccc313591e697
- SSDEEP: 6144:Lp/bGrl1gl2y54R5k0gfNqQZatB1VzVYPjgxajb1DKr0qFdF+KjZaQMIhL:Lp/ul1glRuO8AatFzVYPjNjZKTFdx
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 2060, Process Lcojia.exe
- yara_rule matches (upx), by resource
  behavioral2/memory/3940-0-0x0000000000400000-0x000000000047F000-memory.dmp: upx
  behavioral2/memory/3940-1-0x0000000000400000-0x000000000047F000-memory.dmp: upx
  behavioral2/files/0x000700000002341e-11.dat: upx
  behavioral2/memory/2060-15-0x0000000000400000-0x000000000047F000-memory.dmp: upx
- Drops file in Windows directory (6 IoCs)
  File created: C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job, Process 21966b15bbb4957362df4553e5d9c342_JaffaCakes118.exe
  File opened for modification: C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job, Process 21966b15bbb4957362df4553e5d9c342_JaffaCakes118.exe
  File created: C:\Windows\Lcojia.exe, Process 21966b15bbb4957362df4553e5d9c342_JaffaCakes118.exe
  File opened for modification: C:\Windows\Lcojia.exe, Process 21966b15bbb4957362df4553e5d9c342_JaffaCakes118.exe
  File created: C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job, Process Lcojia.exe
  File opened for modification: C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job, Process Lcojia.exe
- Program crash (1 IoC)
  pid 57320, pid_target 2060, Process WerFault.exe, procid_target 81
- Modifies Internet Explorer settings
  Key created: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main, Process Lcojia.exe
- Suspicious behavior: EnumeratesProcesses (56 IoCs)
  pid 2060, Process Lcojia.exe (all 56 rows identical)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 2060, Process Lcojia.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 3940 wrote to memory of 2060, Process 21966b15bbb4957362df4553e5d9c342_JaffaCakes118.exe, procid_target 81 (3 identical rows)
Processes
- C:\Users\Admin\AppData\Local\Temp\21966b15bbb4957362df4553e5d9c342_JaffaCakes118.exe (PID 3940, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\21966b15bbb4957362df4553e5d9c342_JaffaCakes118.exe"
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Lcojia.exe (PID 2060, depth 2)
    command line: C:\Windows\Lcojia.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - C:\Windows\SysWOW64\WerFault.exe (PID 57320, depth 3)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 996
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 57192, depth 1)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2060 -ip 2060
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 502KB
  MD5: 21966b15bbb4957362df4553e5d9c342
  SHA1: 7f7fac5c779f1533ecab9b7642f5b773ec7effc7
  SHA256: d2d4bd955a4207b39aee701613f9b28773d6e643842b100c7052825e82c7a47e
  SHA512: 42940fab792ce9fc669d3826b31d2f9fb34e2864c133d5230c703b1af601afe0e2cd8beaf90390bec8a2bcde802ca957c1e0715736eb485856bccc313591e697
- Filesize: 390B
  MD5: 53d216e8ac478d9943d83505f9202d65
  SHA1: ecd4e5dfd35e4a5ac918ac3bd4ec35c82aa67401
  SHA256: 5d242361dfc98598b62876d45bf3382f16506ce9f7eff4633ab50057bbc276ad
  SHA512: 2ba4163640d9c8c3308280c8ab578a76e2db9b97c95dec247fb427396bdff99d6a76531bac1e478755543bb303a8caee4a2123247a2471f00fb8acaa16e93c8c