Analysis
max time kernel: 134s
max time network: 108s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/07/2024, 01:18
Static task: static1
Behavioral task: behavioral1
  Sample: 2423171cb88f7063942c4d30dd8f76db_JaffaCakes118.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 2423171cb88f7063942c4d30dd8f76db_JaffaCakes118.exe
  Resource: win10v2004-20240611-en
General
Target: 2423171cb88f7063942c4d30dd8f76db_JaffaCakes118.exe
Size: 208KB
MD5: 2423171cb88f7063942c4d30dd8f76db
SHA1: f506f4a108ff0ad25cf4bbd8f4dca01cd84ef675
SHA256: b0385b4e7a5f9723398549305185fb246a13135bfd92574e8fc64b75a11be53a
SHA512: 1df92c7f851ad254381006d3239159451a48fec5ba14516692c055e6014db07f172812a53ae3d20943e8b788d693e175808350d265498674d267809ca8a6539e
SSDEEP: 1536:PDlTsrr7iKpTdx01CninHK0BtUwQTSO3uhldDNhJahnZfh972/n9KEsquXNangJi:9SK2/0Un0K0BLvO4nDmokSto2
Malware Config
Signatures
Drops file in Drivers directory (1 IoC)
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\drivers\uwickwksa.dat | pt.exe
Executes dropped EXE (2 IoCs)
  pid | process
  3164 | pm.exe
  4652 | pt.exe
Drops file in System32 directory (5 IoCs)
  description | ioc | process
  File created | C:\Windows\SysWOW64\imm32.dll | pt.exe
  File created | C:\Windows\SysWOW64\kb18411911.dll | pt.exe
  File opened for modification | C:\Windows\SysWOW64\kb18411911.dll | pt.exe
  File opened for modification | C:\Windows\SysWOW64\wsconfig.db | pt.exe
  File created | C:\Windows\SysWOW64\imm32.dll.bak | pt.exe
Drops file in Windows directory (2 IoCs)
  description | ioc | process
  File opened for modification | C:\WINDOWS\system\pm.exe | 2423171cb88f7063942c4d30dd8f76db_JaffaCakes118.exe
  File opened for modification | C:\WINDOWS\system\pt.exe | 2423171cb88f7063942c4d30dd8f76db_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | process
  4652 | pt.exe
  4652 | pt.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeDebugPrivilege | 4652 | pt.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | process
  2060 | 2423171cb88f7063942c4d30dd8f76db_JaffaCakes118.exe
  3164 | pm.exe
Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | process | procid_target
  PID 2060 wrote to memory of 3164 | 2060 | 2423171cb88f7063942c4d30dd8f76db_JaffaCakes118.exe | 82
  PID 2060 wrote to memory of 3164 | 2060 | 2423171cb88f7063942c4d30dd8f76db_JaffaCakes118.exe | 82
  PID 2060 wrote to memory of 3164 | 2060 | 2423171cb88f7063942c4d30dd8f76db_JaffaCakes118.exe | 82
  PID 2060 wrote to memory of 4652 | 2060 | 2423171cb88f7063942c4d30dd8f76db_JaffaCakes118.exe | 83
  PID 2060 wrote to memory of 4652 | 2060 | 2423171cb88f7063942c4d30dd8f76db_JaffaCakes118.exe | 83
  PID 2060 wrote to memory of 4652 | 2060 | 2423171cb88f7063942c4d30dd8f76db_JaffaCakes118.exe | 83
  PID 4652 wrote to memory of 560 | 4652 | pt.exe | 84
  PID 4652 wrote to memory of 560 | 4652 | pt.exe | 84
  PID 4652 wrote to memory of 560 | 4652 | pt.exe | 84
Processes
C:\Users\Admin\AppData\Local\Temp\2423171cb88f7063942c4d30dd8f76db_JaffaCakes118.exe (PID 2060)
  command line: "C:\Users\Admin\AppData\Local\Temp\2423171cb88f7063942c4d30dd8f76db_JaffaCakes118.exe"
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\WINDOWS\system\pm.exe (PID 3164, child of 2060)
    command line: C:\WINDOWS\system\pm.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  C:\WINDOWS\system\pt.exe (PID 4652, child of 2060)
    command line: C:\WINDOWS\system\pt.exe
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 560, child of 4652)
      command line: C:\Windows\system32\cmd.exe /c c:\dele573856.bat
Network
MITRE ATT&CK Matrix
Downloads
168KB file
  MD5: 646c4713aa658d4dcc175efd717f71e8
  SHA1: 33aeaf80c541fca2a49883bacc1c0d4ceffe9b0b
  SHA256: 66b832132dd451af542aa875297cd63c7609d6efe2760eea38298e370c94478d
  SHA512: aab93f9c9009b08a582cc0ccaef623c94a98b83fd2f53aa23f8476ee686bcde1ed49e9e27f7b1d69f3e9f7192ea2453e120991046a567029a9e3980af58cd61d
13KB file
  MD5: 90a88f8901863fb5cd511bec0573ea73
  SHA1: 9f613a65246230ffceb9db77165219686d00bb03
  SHA256: f68b882a136314c5263b7f8b0e348cc00be742273302e315d570bc0389b2b803
  SHA512: 28e3595c295b2a8de2661eaa1de7b4837e5da5ca5ab59c9a16f3527b3e1d8f7af05f069a206275b2bee2ec257f85267232a83023d9ef091a3db2020bc14c7ac1
115B file
  MD5: 4638ab4058e6ccdd8a7a87fa1a8de930
  SHA1: b1cd02b98ace9249e32286d25fa72ffc0bae0ba7
  SHA256: c252fa28eb1efaf195dc2e9d90e0f9ca320a5f4eb63114e07df62992231ec60a
  SHA512: 1b518965c681c983e69c3de9643680521ace5b753233a60f6d2e364357404c4efa9fffad6062630ef3e2b54fd4d4e2f61a9e9681c7707a6e0d871cb8452be581