Analysis
Max time kernel: 149s
Max time network: 152s
Platform: windows10-2004_x64
Resource: win10v2004-20240611-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 04/07/2024, 02:21
Static task: static1
Behavioral task: behavioral1
  Sample: 244edd040695387dfbe1e7bb5f3bafd3_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 244edd040695387dfbe1e7bb5f3bafd3_JaffaCakes118.exe
  Resource: win10v2004-20240611-en
General
Target: 244edd040695387dfbe1e7bb5f3bafd3_JaffaCakes118.exe
Size: 211KB
MD5: 244edd040695387dfbe1e7bb5f3bafd3
SHA1: b95a9ba700ae3e6585414706c0fff7dfa47a856b
SHA256: f5a6f68917e80b40f242deaac1047997dc78dc31489f834d037b313ef648e3bc
SHA512: 5f2e68c004148d9a4c497286cee2b729ced6e9033aaae0c4b3b64575db56a9051856cae5e1a5c0b37049efbccd0fb88876a25118842e46bff324d67ddf30924e
SSDEEP: 3072:6GwPsm1VrwxOsf0juzv8j4P1Hr6krr4IEhx9QZe2gO9mG9UHA30Vt3E/vDjb:6G/iVkO20SFgBhxtW9mG9+Umt3Ezjb
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Description: Set value (str)
  IoC: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe,"
  Process: svchost.exe

Executes dropped EXE (1 IoC)
  PID 360, Process: svchost.exe

Modifies WinLogon (2 TTPs, 2 IoCs)
  Description: Set value (str)
  IoC: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\62979b92 = "F‘¡D¶qêZLØ\x1aBŸ\x1f;¤ó\x18Õ\x1f\x1c9Í-âh±€NŸSuGo½³ß×Ö}Õ\v\f+G\u008fv\x1b\x16×_\x0e<¯Í=“ßÔ\x14Ä”V\x17$Å->uÃÖ\x13O§]öSs\u00ad\u00ad\x17ÃŽT\x05‡þ[>\x0f\a\v\x05\u008f¤%Ÿ>E+K\x1dWëÛµ¶\vS,öþÎu#ý{ÅSlçw|Î^3ël\x14ƒ¯®\u008dû\aí¥%Ó\x17¶‡ŽM\rc›MýÅ+×C–Ëöf¾Å\x13ÿ\x0fW\u009dLôs\x1dõôåoÿ7\x1c†C÷»–½÷<ÏÅï»Û瞌{\u00adÅl\x05\aÇ•/\x7fG—”\vG\x1dC\u00add„¼\x03¯§W\u009dCK\x03Õå„\u009dw¯ýÓÿ/\x0e3í‹f—§#m¦œç_žÆW3=\u008f§ütm}Uƒ•\x1ftw"
  Processes: 244edd040695387dfbe1e7bb5f3bafd3_JaffaCakes118.exe, svchost.exe (both write the same key and value)

Drops file in Windows directory (2 IoCs)
  File created: C:\Windows\apppatch\svchost.exe, Process: 244edd040695387dfbe1e7bb5f3bafd3_JaffaCakes118.exe
  File opened for modification: C:\Windows\apppatch\svchost.exe, Process: 244edd040695387dfbe1e7bb5f3bafd3_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2800, Process: 244edd040695387dfbe1e7bb5f3bafd3_JaffaCakes118.exe (8 entries)
  PID 360, Process: svchost.exe (56 entries)

Suspicious behavior: RenamesItself (1 IoC)
  PID 2800, Process: 244edd040695387dfbe1e7bb5f3bafd3_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  Description: PID 2800 wrote to memory of 360
  PID: 2800, Process: 244edd040695387dfbe1e7bb5f3bafd3_JaffaCakes118.exe, procid_target: 82 (3 identical entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\244edd040695387dfbe1e7bb5f3bafd3_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\244edd040695387dfbe1e7bb5f3bafd3_JaffaCakes118.exe"
   PID: 2800
   - Modifies WinLogon
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: RenamesItself
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\apppatch\svchost.exe
      Command line: "C:\Windows\apppatch\svchost.exe"
      PID: 360
      - Modifies WinLogon for persistence
      - Executes dropped EXE
      - Modifies WinLogon
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads