Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 95s
- max time network: 97s
- platform: windows10-2004_x64
- resource: win10v2004-20240704-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20240704-en locale:en-us os:windows10-2004-x64 system
- submitted: 06/07/2024, 10:13
Static task: static1
Behavioral task: behavioral1
- Sample: 282e23f486723503ffeab416cb799166_JaffaCakes118.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 282e23f486723503ffeab416cb799166_JaffaCakes118.exe
- Resource: win10v2004-20240704-en
General
- Target: 282e23f486723503ffeab416cb799166_JaffaCakes118.exe
- Size: 562KB
- MD5: 282e23f486723503ffeab416cb799166
- SHA1: 4463fb14356706e2123851326e7489fc81c574bc
- SHA256: 8e747fb2b7d505cba81f96b4b1666ddc0553745fe916750a79744d0698c6db7b
- SHA512: 4d9282057e02e9045bbd3bf2cf458f4a9046a3d8394216afea8d66386ae7083365d4a67bef79c03545c9e4ad13970c0b065262183da4e28ecca49b1666471fae
- SSDEEP: 12288:RJVjlDXEddgye5izmXrHjcdLPOMxl7mUqS3KPcdW5pd:RXe/O5TXncdLLxl7L0N
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  - PID 1276: FASTPI~1.EXE
  - PID 4040: icon.exe
- Loads dropped DLL (2 IoCs)
  - PID 4040: icon.exe
  - PID 4040: icon.exe
- YARA match: vmprotect (1 IoC)
  - behavioral2/files/0x0009000000023474-5.dat
- Adds Run key to start application (2 TTPs, 1 IoC)
  - Set value (str) by 282e23f486723503ffeab416cb799166_JaffaCakes118.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  - Note: wextract_cleanup0 under RunOnce, pointing rundll32 at advpack.dll,DelNodeRunDLL32 with an IXP000.TMP directory, is the cleanup entry that IExpress/wextract self-extracting packages register to delete their extraction folder at next logon. It marks the sample as an IExpress-style wrapper; it is not an autostart for the payload.
- Drops file in System32 directory (3 IoCs)
  - File created by FASTPI~1.EXE: C:\Windows\SysWOW64\smss2.cpl
  - File created by FASTPI~1.EXE: C:\Windows\SysWOW64\wbdbase.mui
  - File created by FASTPI~1.EXE: C:\Windows\SysWOW64\winmmc.dll
- Drops file in Program Files directory (4 IoCs)
  - File created by icon.exe: C:\Program Files\icon\11st.ico
  - File created by icon.exe: C:\Program Files\icon\Gmarket.ico
  - File created by icon.exe: C:\Program Files\icon\Thumbs.db
  - File created by icon.exe: C:\Program Files\icon\aution.ico
- Enumerates physical storage devices (1 TTP)
  - Attempts to interact with connected storage/optical drive(s).
- NSIS installer (2 IoCs)
  - behavioral2/files/0x0007000000023475-10.dat: nsis_installer_1
  - behavioral2/files/0x0007000000023475-10.dat: nsis_installer_2
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  - PID 1276: FASTPI~1.EXE
  - PID 1276: FASTPI~1.EXE
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  - Token SeDebugPrivilege, PID 1276: FASTPI~1.EXE
- Suspicious use of SetWindowsHookEx (1 IoC)
  - PID 1276: FASTPI~1.EXE
- Suspicious use of WriteProcessMemory (10 IoCs)
  - PID 564 (282e23f486723503ffeab416cb799166_JaffaCakes118.exe) wrote to memory of PID 1276, procid_target 83 (3 events)
  - PID 1276 (FASTPI~1.EXE) wrote to memory of PID 3432 (Explorer.EXE, see the process tree below), procid_target 56 (1 event)
  - PID 564 (282e23f486723503ffeab416cb799166_JaffaCakes118.exe) wrote to memory of PID 4040, procid_target 85 (3 events)
  - PID 4040 (icon.exe) wrote to memory of PID 1212, procid_target 88 (3 events)
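Two of the signatures above deserve a second look before they drive a verdict: the RunOnce value wextract_cleanup0 is the IExpress/wextract cleanup entry described in the note, not payload persistence, while the three files FASTPI~1.EXE writes into SysWOW64 (a .cpl named after smss, a .mui and a .dll) are the drops an analyst would pull first. The following Python is an added triage helper, not part of the Triage report or of the sample. It parses the report's "Set value" IOC as rendered (backslashes and inner quotes escaped), separates IExpress cleanup from genuine Run-key persistence, recovers the extraction directory as a pivot, and ranks the dropped-file IOCs. The second Run-key entry, with its Updater value name and path, is a constructed counter-example and does not appear in this report.

```python
import re

# Sample input. The first IOC is copied from the "Adds Run key" signature above,
# exactly as Triage renders it. The second is a constructed counter-example with
# a hypothetical value name and path, so the classifier has a genuine Run-key
# persistence entry to compare against.
RUN_KEY_IOCS = [
    r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""',
    r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\Users\\Admin\\AppData\\Roaming\\Updater\\updater.exe"',
]

# Dropped-file IOCs as (path, writing process), copied from the two "Drops file" signatures.
DROPPED_FILES = [
    (r"C:\Windows\SysWOW64\smss2.cpl", "FASTPI~1.EXE"),
    (r"C:\Windows\SysWOW64\wbdbase.mui", "FASTPI~1.EXE"),
    (r"C:\Windows\SysWOW64\winmmc.dll", "FASTPI~1.EXE"),
    (r"C:\Program Files\icon\11st.ico", "icon.exe"),
    (r"C:\Program Files\icon\Gmarket.ico", "icon.exe"),
    (r"C:\Program Files\icon\Thumbs.db", "icon.exe"),
    (r"C:\Program Files\icon\aution.ico", "icon.exe"),
]

# IExpress/wextract packages register exactly this RunOnce command to delete their
# IXP###.TMP extraction directory at the next logon.
IEXPRESS_CLEANUP = re.compile(
    r'rundll32(?:\.exe)?\s+\S*advpack\.dll,DelNodeRunDLL32\s+"?(?P<dir>[^"]*?IXP\d{3}\.TMP)\\?"?',
    re.IGNORECASE,
)

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
PE_EXTS = (".dll", ".cpl", ".exe", ".ocx", ".sys", ".scr", ".mui")
LOOKALIKE_STEMS = ("smss", "csrss", "lsass", "winlogon", "svchost", "services")


def parse_set_value(ioc: str):
    """Split a Triage 'Set value' IOC into (key path, value name, decoded data)."""
    key, sep, data = ioc.partition(" = ")
    if not sep:
        raise ValueError(f"not a set-value IOC: {ioc!r}")
    hive_path, _, name = key.rpartition("\\")
    # Undo the report's escaping: '\\' -> '\' and '\"' -> '"'.
    data = re.sub(r"\\(.)", r"\1", data.strip())
    if len(data) >= 2 and data[0] == data[-1] == '"':
        data = data[1:-1]
    return hive_path, name, data


def classify_run_key(ioc: str) -> dict:
    """Label a Run/RunOnce IOC as IExpress cleanup (a packaging artefact, but a
    pivot to the extraction directory) or as genuine autostart persistence."""
    hive_path, name, data = parse_set_value(ioc)
    subkey = hive_path.rsplit("\\", 1)[-1].lower()
    m = IEXPRESS_CLEANUP.search(data)
    if subkey == "runonce" and name.lower().startswith("wextract_cleanup") and m:
        return {"kind": "iexpress-cleanup", "name": name, "temp_dir": m.group("dir")}
    return {"kind": "persistence", "name": name, "command": data}


def rank_drops(drops):
    """Return (path, process, reasons) for drops worth pulling first; entries with
    the most reasons sort to the top, everything without a reason is omitted."""
    ranked = []
    for path, proc in drops:
        low = path.lower()
        reasons = []
        if low.startswith(SYSTEM_DIRS):
            reasons.append("written to a system directory")
            if low.endswith(PE_EXTS):
                reasons.append("PE module extension")
        stem = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0].rstrip("0123456789")
        if stem in LOOKALIKE_STEMS:
            reasons.append("name mimics a core Windows process")
        if "~" in proc:
            reasons.append("writer launched via an 8.3 short name")
        if reasons:
            ranked.append((path, proc, reasons))
    ranked.sort(key=lambda r: -len(r[2]))
    return ranked


if __name__ == "__main__":
    for ioc in RUN_KEY_IOCS:
        print(classify_run_key(ioc))
    for path, proc, reasons in rank_drops(DROPPED_FILES):
        print(f"{path} <- {proc}: {'; '.join(reasons)}")
```

The recovered temp_dir is the directory both FASTPI~1.EXE and icon.exe run from in the process tree, so it is the path to search for on a host or in EDR telemetry; the ranked list puts smss2.cpl first because it combines a system-directory write, a PE extension and a name modelled on smss.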
Processes
1. C:\Windows\Explorer.EXE (PID 3432)
   Command line: C:\Windows\Explorer.EXE
   2. C:\Users\Admin\AppData\Local\Temp\282e23f486723503ffeab416cb799166_JaffaCakes118.exe (PID 564)
      Command line: "C:\Users\Admin\AppData\Local\Temp\282e23f486723503ffeab416cb799166_JaffaCakes118.exe"
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FASTPI~1.EXE (PID 1276)
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FASTPI~1.EXE
         - Executes dropped EXE
         - Drops file in System32 directory
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\icon.exe (PID 4040)
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\icon.exe
         - Executes dropped EXE
         - Loads dropped DLL
         - Drops file in Program Files directory
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\cmd.exe (PID 1212)
            Command line: C:\Windows\system32\cmd.exe /c \DelUS.bat
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 166B
  - MD5: 89082e83de4dc7c833d29bedba560994
  - SHA1: 6721ef885670ee3ca5de8d845a780e052082f9f9
  - SHA256: 07ed6cd57a54ce6846e18f067e6537147d9ad483c6c594d106cead3966284fc6
  - SHA512: 2da8fe72c4f777cdd1f51a2f3312d15472af8ad24b9d66c71da8044c0a7c7f4e4e3cdb7c76f38816104c70e69feba9a829392012521a6703bbf7774c656dc361
- Filesize: 880KB
  - MD5: 8ba64a91769ae862c9959dda68c7006d
  - SHA1: 3e90f9c212507efdb53cd9225ee4f2e812a0619d
  - SHA256: b581d86d0f64355469f487cf5a000e0cd9b4d6caa11f75341e42d6be9492fbdf
  - SHA512: d9866cd53e4b6226ef4cf260663fb9354fd72c829f270f236179e59a536882f6add77698447d08204372fedc216997df98033f75da4bed6d70e26bf2497ae98c
- Filesize: 64KB
  - MD5: 51664dcddadc86db4da4fc4ed4ddfc3a
  - SHA1: 4d6e9a9d00012591fbf80746ea3514eb7a278524
  - SHA256: 1bc3902a6a7073d5f6a3051f1107004c2b268cb6d03f2f1f98c89e3b247322a2
  - SHA512: b306497e84b05688657c5c677cf9ac931454b80e27c2ce2cffd9d6bf258baa313a77b748eb4f21f2363bed8465b7bc68e09348d1244fe9c16ebff68431a02ca0
- Filesize: 28KB
  - MD5: d825e4003d1697fd4bc45361e222746c
  - SHA1: e9d4b1073aac15d4dbb430471fcaea549e633d13
  - SHA256: c79e4be74eecf16f2f7f1d39724c938bf372e9568bb96fa4610926a57fe323f5
  - SHA512: 7740a18cae5a42963c748a49ac6175482c93b34dce703a7cf24f5828ee6cdc19eb2669a634b64c2a4c861272f7e9b9e943455195a7cd6afcd8fa5586744eb86f
- Filesize: 24KB
  - MD5: 7bf1bd7661385621c7908e36958f582e
  - SHA1: 43242d7731c097e95fb96753c8262609ff929410
  - SHA256: c0ad2c13d48c9fe62f898da822a5f08be3bf6c4e2c1c7ffdf7634f2ca4a8859e
  - SHA512: 8317af5cc3ac802eb095f3fa8cc71daa1265ca58fead031c07872f3d4bb07663a7002ae734fad392a7617f0923fe0caf1f54ed55afdf8516a6a08e202d86fa7f