Analysis
- max time kernel: 118s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 04/07/2024, 01:18
Static task: static1

Behavioral task: behavioral1
- Sample: 2423171cb88f7063942c4d30dd8f76db_JaffaCakes118.exe
- Resource: win7-20240508-en

Behavioral task: behavioral2
- Sample: 2423171cb88f7063942c4d30dd8f76db_JaffaCakes118.exe
- Resource: win10v2004-20240611-en
General
- Target: 2423171cb88f7063942c4d30dd8f76db_JaffaCakes118.exe
- Size: 208KB
- MD5: 2423171cb88f7063942c4d30dd8f76db
- SHA1: f506f4a108ff0ad25cf4bbd8f4dca01cd84ef675
- SHA256: b0385b4e7a5f9723398549305185fb246a13135bfd92574e8fc64b75a11be53a
- SHA512: 1df92c7f851ad254381006d3239159451a48fec5ba14516692c055e6014db07f172812a53ae3d20943e8b788d693e175808350d265498674d267809ca8a6539e
- SSDEEP: 1536:PDlTsrr7iKpTdx01CninHK0BtUwQTSO3uhldDNhJahnZfh972/n9KEsquXNangJi:9SK2/0Un0K0BLvO4nDmokSto2
Malware Config
Signatures
Drops file in Drivers directory (1 IoC)
- File opened for modification: C:\Windows\SysWOW64\drivers\uwickwksa.dat (process: pt.exe)

Executes dropped EXE (2 IoCs)
- PID 1796: pm.exe
- PID 2716: pt.exe

Loads dropped DLL (4 IoCs)
- PID 1636: 2423171cb88f7063942c4d30dd8f76db_JaffaCakes118.exe (4 entries)

Drops file in System32 directory (5 IoCs)
- File opened for modification: C:\Windows\SysWOW64\wsconfig.db (process: pt.exe)
- File created: C:\Windows\SysWOW64\imm32.dll.bak (process: pt.exe)
- File created: C:\Windows\SysWOW64\imm32.dll (process: pt.exe)
- File created: C:\Windows\SysWOW64\kb1841194.dll (process: pt.exe)
- File opened for modification: C:\Windows\SysWOW64\kb1841194.dll (process: pt.exe)

Drops file in Windows directory (2 IoCs)
- File opened for modification: C:\WINDOWS\system\pm.exe (process: 2423171cb88f7063942c4d30dd8f76db_JaffaCakes118.exe)
- File opened for modification: C:\WINDOWS\system\pt.exe (process: 2423171cb88f7063942c4d30dd8f76db_JaffaCakes118.exe)

Suspicious behavior: EnumeratesProcesses (1 IoC)
- PID 2716: pt.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
- Token: SeDebugPrivilege, PID 2716: pt.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
- PID 1636: 2423171cb88f7063942c4d30dd8f76db_JaffaCakes118.exe
- PID 1796: pm.exe

Suspicious use of WriteProcessMemory (12 IoCs)
- PID 1636 (2423171cb88f7063942c4d30dd8f76db_JaffaCakes118.exe) wrote to memory of PID 1796, procid_target 28 (4 entries)
- PID 1636 (2423171cb88f7063942c4d30dd8f76db_JaffaCakes118.exe) wrote to memory of PID 2716, procid_target 29 (4 entries)
- PID 2716 (pt.exe) wrote to memory of PID 2812, procid_target 30 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\2423171cb88f7063942c4d30dd8f76db_JaffaCakes118.exe (PID 1636), command line: "C:\Users\Admin\AppData\Local\Temp\2423171cb88f7063942c4d30dd8f76db_JaffaCakes118.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Child: C:\WINDOWS\system\pm.exe (PID 1796), command line: C:\WINDOWS\system\pm.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  - Child: C:\WINDOWS\system\pt.exe (PID 2716), command line: C:\WINDOWS\system\pt.exe
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - Child: C:\Windows\SysWOW64\cmd.exe (PID 2812), command line: C:\Windows\system32\cmd.exe /c c:\delf762b45.bat
Downloads