Analysis
- max time kernel: 144s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20240704-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/07/2024, 20:05
Static task: static1

Behavioral task: behavioral1
- Sample: 261736c56c3947ccedc5e375b676b958_JaffaCakes118.exe
- Resource: win7-20240508-en

Behavioral task: behavioral2
- Sample: 261736c56c3947ccedc5e375b676b958_JaffaCakes118.exe
- Resource: win10v2004-20240704-en
General
- Target: 261736c56c3947ccedc5e375b676b958_JaffaCakes118.exe
- Size: 876KB
- MD5: 261736c56c3947ccedc5e375b676b958
- SHA1: 9c4051e84983495ad136525222f82590a8d6b046
- SHA256: 62b9848f9eb468669b45b9f8daf1d2a6e89e279e7f7265c923ca4ce04f6e03cb
- SHA512: 1ff784ad21a9f31278ccc6fe17098b39264a15454bbbd28674786085c2ef196c6e3a87e1ba6a1f3cde198ba7e20f41845b613cfebc06db652613163fec506f50
- SSDEEP: 12288:+LfrxBM+Mkm3TJMpJJgFc+vM7uF3Z4mxx+KnL+0K63IfvLfrxBM+Mkm3TJMpJJgR:l3MIc+vM6QmX/l3sk3MIc+vMe
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
    pid   Process
    1660  Hacker.com.cn.exe
- Drops file in Windows directory (3 IoCs)
    description                   ioc                           Process
    File created                  C:\Windows\Hacker.com.cn.exe  261736c56c3947ccedc5e375b676b958_JaffaCakes118.exe
    File opened for modification  C:\Windows\Hacker.com.cn.exe  261736c56c3947ccedc5e375b676b958_JaffaCakes118.exe
    File created                  C:\Windows\uninstal.bat       261736c56c3947ccedc5e375b676b958_JaffaCakes118.exe
- Modifies data under HKEY_USERS (5 IoCs)
    description      ioc                                                                                                            Process
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  Hacker.com.cn.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     Hacker.com.cn.exe
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                     Hacker.com.cn.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    Hacker.com.cn.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   Hacker.com.cn.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
    description              pid   Process
    Token: SeDebugPrivilege  4928  261736c56c3947ccedc5e375b676b958_JaffaCakes118.exe
    Token: SeDebugPrivilege  1660  Hacker.com.cn.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
    pid   Process
    1660  Hacker.com.cn.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
    description                       pid   Process                                              procid_target
    PID 1660 wrote to memory of 2612  1660  Hacker.com.cn.exe                                    84
    PID 1660 wrote to memory of 2612  1660  Hacker.com.cn.exe                                    84
    PID 4928 wrote to memory of 2700  4928  261736c56c3947ccedc5e375b676b958_JaffaCakes118.exe  85
    PID 4928 wrote to memory of 2700  4928  261736c56c3947ccedc5e375b676b958_JaffaCakes118.exe  85
    PID 4928 wrote to memory of 2700  4928  261736c56c3947ccedc5e375b676b958_JaffaCakes118.exe  85
Processes
- C:\Users\Admin\AppData\Local\Temp\261736c56c3947ccedc5e375b676b958_JaffaCakes118.exe (PID 4928)
  Command line: "C:\Users\Admin\AppData\Local\Temp\261736c56c3947ccedc5e375b676b958_JaffaCakes118.exe"
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SysWOW64\cmd.exe (PID 2700)
    Command line: C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
- C:\Windows\Hacker.com.cn.exe (PID 1660)
  Command line: C:\Windows\Hacker.com.cn.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - Child: C:\Program Files\Internet Explorer\IEXPLORE.EXE (PID 2612)
    Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 876KB
  MD5: 261736c56c3947ccedc5e375b676b958
  SHA1: 9c4051e84983495ad136525222f82590a8d6b046
  SHA256: 62b9848f9eb468669b45b9f8daf1d2a6e89e279e7f7265c923ca4ce04f6e03cb
  SHA512: 1ff784ad21a9f31278ccc6fe17098b39264a15454bbbd28674786085c2ef196c6e3a87e1ba6a1f3cde198ba7e20f41845b613cfebc06db652613163fec506f50
- Filesize: 218B
  MD5: 48376054a18caafe119bb48ac8bdee81
  SHA1: 7f03fb4fb039ff54814d9a489bdf9e91b8f30f85
  SHA256: ac2655c74d9dff0b2b448ec63c67c594b65108fdd9ca6ee5fada487afa7a847d
  SHA512: 1ee3732aa7eedc94b559e87c1f35763158efa83a9388d2d8cb346b33ab6fda01109eae69783f29adfab78698799f24cc21c577f4536f4486de87e38d0e68f295