Site notice (tria.ge): Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 150s
- max time network: 125s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03/07/2024, 12:02
Static task: static1
Behavioral task: behavioral1
- Sample: 22552fdf9bf05a39830e320f42dfb885_JaffaCakes118.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 22552fdf9bf05a39830e320f42dfb885_JaffaCakes118.exe
- Resource: win10v2004-20240611-en
General
- Target: 22552fdf9bf05a39830e320f42dfb885_JaffaCakes118.exe
- Size: 396KB
- MD5: 22552fdf9bf05a39830e320f42dfb885
- SHA1: e681132e6d51637a653090a9fa9493a60acbe970
- SHA256: 166a8aa00a7c8a394185fa603ef3f18397e06b3b6c3bbd97ed1fa004f823bfd1
- SHA512: dbe06be90c11ac23f2e9e9bb246fa8f739cfd9a88cb45dd0c770ba10790b47e41051a03f240bdb59ddd1ec8e6b4f02b88faf457e712f7f9786a2d7ece766517a
- SSDEEP: 6144:CTamke9CMFWRfd04Puj9zdSXXzAepy+iA3lWzyKKihrlPIZ230s+XY+msNPEcj:yk0vo8j9zeXzDynCW2KvZ+XljPHj
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 4552, process hI42900KfIoI42900.exe
- Executes dropped EXE (1 IoC)
  pid 4552, process hI42900KfIoI42900.exe
- yara_rule matches (rule: upx), 5 memory dumps
  behavioral2/memory/388-6-0x0000000000400000-0x00000000004F0000-memory.dmp
  behavioral2/memory/388-13-0x0000000000400000-0x00000000004F0000-memory.dmp
  behavioral2/memory/4552-15-0x0000000000400000-0x00000000004F0000-memory.dmp
  behavioral2/memory/4552-23-0x0000000000400000-0x00000000004F0000-memory.dmp
  behavioral2/memory/4552-30-0x0000000000400000-0x00000000004F0000-memory.dmp
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hI42900KfIoI42900 = "C:\\ProgramData\\hI42900KfIoI42900\\hI42900KfIoI42900.exe" (process: hI42900KfIoI42900.exe)
- Program crash (2 IoCs)
  pid 2208, process WerFault.exe, pid_target 388, procid_target 81
  pid 756, process WerFault.exe, pid_target 4552, procid_target 90
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 388, process 22552fdf9bf05a39830e320f42dfb885_JaffaCakes118.exe (2 entries)
  pid 4552, process hI42900KfIoI42900.exe (remaining 62 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 388, process 22552fdf9bf05a39830e320f42dfb885_JaffaCakes118.exe
  Token: SeDebugPrivilege, pid 4552, process hI42900KfIoI42900.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid 4552, process hI42900KfIoI42900.exe (2 entries)
- Suspicious use of SendNotifyMessage (2 IoCs)
  pid 4552, process hI42900KfIoI42900.exe (2 entries)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 4552, process hI42900KfIoI42900.exe (2 entries)
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 388 wrote to memory of 4552, process 22552fdf9bf05a39830e320f42dfb885_JaffaCakes118.exe, procid_target 90 (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\22552fdf9bf05a39830e320f42dfb885_JaffaCakes118.exe (PID 388)
  Command line: "C:\Users\Admin\AppData\Local\Temp\22552fdf9bf05a39830e320f42dfb885_JaffaCakes118.exe"
  Signatures:
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe (PID 2208)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 388 -s 608
    Signatures:
      - Program crash
  - C:\ProgramData\hI42900KfIoI42900\hI42900KfIoI42900.exe (PID 4552)
    Command line: "C:\ProgramData\hI42900KfIoI42900\hI42900KfIoI42900.exe" "C:\Users\Admin\AppData\Local\Temp\22552fdf9bf05a39830e320f42dfb885_JaffaCakes118.exe"
    Signatures:
      - Deletes itself
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
    - C:\Windows\SysWOW64\WerFault.exe (PID 756)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 724
      Signatures:
        - Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 3324)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 388 -ip 388
- C:\Windows\SysWOW64\WerFault.exe (PID 4744)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4552 -ip 4552
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 396KB
  MD5: 072a3f40c1a7be9f5cdab2d21112a533
  SHA1: 4814b6b93317f774d6509e01ad2bd610a345b7e1
  SHA256: 8793b7e47c2d00723ac71f474fa34e79f8169c9410da66d127d11f6b0642f0bb
  SHA512: a3365b29cafe7a4c2abbbe9bdce12c27515b6d9e103aca46c3551d857061de17e299ce636703b17aeb8bf830844340a08a6e987d32016553ef6aa42f6b5c2231