Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240704-en -
resource tags
arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system -
submitted
06/07/2024, 15:10
Static task
static1
Behavioral task
behavioral1
Sample
289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe
Resource
win10v2004-20240704-en
General
-
Target
289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe
-
Size
607KB
-
MD5
289bdd184a7dbd1f02f3b35de92d8c04
-
SHA1
7cc34e320093129287d05a4cf33f41c1d5683c02
-
SHA256
5dceba157be9d2d78623211de8f4177ca9ac99356b444f291a0462f3f21e387f
-
SHA512
c77c5b91fb6d20ee8b04c0206ea3450b05c40e0865a746ac9dd557f771451a66eca0b66e066880718daa6c0ef36671c7057ac3f38cb91665b9cf321339f96c38
-
SSDEEP
12288:Iam7zyxnVVejG4q0lAGiqT/QK87nE8UKeA9N47oVMm:IamvyWKHGiqT/q7nEaeW27oVN
Malware Config
Signatures
-
Executes dropped EXE 4 IoCs
pid Process 4208 svchost.exe 3232 289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe 4936 svchost.exe 768 Au_.exe -
Loads dropped DLL 5 IoCs
pid Process 768 Au_.exe 768 Au_.exe 768 Au_.exe 768 Au_.exe 768 Au_.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe svchost.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jps.exe svchost.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\policytool.exe svchost.exe File opened for modification C:\Program Files\7-Zip\7zG.exe svchost.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\java.exe svchost.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\javapackager.exe svchost.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jinfo.exe svchost.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jdb.exe svchost.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\pack200.exe svchost.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\javaw.exe svchost.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jcmd.exe svchost.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jdeps.exe svchost.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\ktab.exe svchost.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstack.exe svchost.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmic.exe svchost.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe svchost.exe File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe svchost.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe svchost.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe svchost.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe svchost.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe svchost.exe File opened for modification C:\Program Files\Google\Chrome\Application\chrome.exe svchost.exe File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe svchost.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jar.exe svchost.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\javah.exe svchost.exe File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe svchost.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\javaws.exe svchost.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jjs.exe svchost.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\klist.exe svchost.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe svchost.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\javadoc.exe svchost.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe svchost.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\kinit.exe svchost.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstat.exe svchost.exe File opened for modification C:\Program Files\7-Zip\Uninstall.exe svchost.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe svchost.exe File opened for modification C:\Program Files\dotnet\dotnet.exe svchost.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe svchost.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe svchost.exe File opened for modification C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE svchost.exe File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe svchost.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jconsole.exe svchost.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\orbd.exe svchost.exe File opened for modification C:\Program Files\7-Zip\7z.exe svchost.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe svchost.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\extcheck.exe svchost.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\javap.exe svchost.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\keytool.exe svchost.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe svchost.exe File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe svchost.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe svchost.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\javac.exe svchost.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jmap.exe svchost.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstatd.exe svchost.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe svchost.exe File opened for modification C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE svchost.exe File opened for modification C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe svchost.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe svchost.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jhat.exe svchost.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe svchost.exe File opened for modification C:\Program Files\7-Zip\7zFM.exe svchost.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe svchost.exe File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe svchost.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\idlj.exe svchost.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\svchost.exe 289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
NSIS installer 2 IoCs
resource yara_rule behavioral2/files/0x0007000000023432-8.dat nsis_installer_1 behavioral2/files/0x0007000000023432-8.dat nsis_installer_2 -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 3140 wrote to memory of 4208 3140 289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe 82 PID 3140 wrote to memory of 4208 3140 289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe 82 PID 3140 wrote to memory of 4208 3140 289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe 82 PID 4208 wrote to memory of 3232 4208 svchost.exe 83 PID 4208 wrote to memory of 3232 4208 svchost.exe 83 PID 4208 wrote to memory of 3232 4208 svchost.exe 83 PID 3232 wrote to memory of 768 3232 289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe 86 PID 3232 wrote to memory of 768 3232 289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe 86 PID 3232 wrote to memory of 768 3232 289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe 86
Processes
-
C:\Users\Admin\AppData\Local\Temp\289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe"1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3140 -
C:\Windows\svchost.exe"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4208 -
C:\Users\Admin\AppData\Local\Temp\289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\289bdd184a7dbd1f02f3b35de92d8c04_JaffaCakes118.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3232 -
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:768
-
-
-
-
C:\Windows\svchost.exeC:\Windows\svchost.exe1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4936
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
571KB
MD50b0aa621e74bdd37d35f8f08a639bcb3
SHA1b83cf71fdc7823a22b08d3764f44bf8873946a63
SHA2568b1e4e6e9d5732fd1a0492808946debac7d46b545bf1b2640b64e0ff4e601f9c
SHA512a2ea86ee0c734ad9c5eb4e3289c7467f31b29289c8e7bb709a8aeac4737bed7d9eaa47c70f697d5c20f705afbabb7b22c1e8a1d8fa86ca835a30b6ea34b1b96d
-
Filesize
14KB
MD50dc0cc7a6d9db685bf05a7e5f3ea4781
SHA15d8b6268eeec9d8d904bc9d988a4b588b392213f
SHA2568e287326f1cdd5ef2dcd7a72537c68cbe4299ceb1f820707c5820f3aa6d8206c
SHA512814dd17ebb434f4a3356f716c783ab7f569f9ee34ce5274fa50392526925f044798f8006198ac7afe3d1c2ca83a2ca8c472ca53fec5f12bbfbbe0707abacd6b0
-
Filesize
11KB
MD500a0194c20ee912257df53bfe258ee4a
SHA1d7b4e319bc5119024690dc8230b9cc919b1b86b2
SHA256dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3
SHA5123b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667
-
Filesize
17KB
MD509caf01bc8d88eeb733abc161acff659
SHA1b8c2126d641f88628c632dd2259686da3776a6da
SHA2563555afe95e8bb269240a21520361677b280562b802978fccfb27490c79b9a478
SHA512ef1e8fc4fc8f5609483b2c459d00a47036699dfb70b6be6f10a30c5d2fc66bae174345bffa9a44abd9ca029e609ff834d701ff6a769cca09fe5562365d5010fa
-
Filesize
582B
MD52c4ef12750d47241cb26c5c001a40d75
SHA1dc3cabec6bb832e44e82e8859362c8c93b7ff80e
SHA256de8cf1888e439ee1e3237160992f99c92d30cd252bb40b1e34151e71e550c81a
SHA512490d76891602b9d04770cfa54641a2d67007d0b30fe07f839e3a8c06b5833ce2c0bfbd4a89b2f01fa5241b2908b52cee088e277fb5e9f8ed47e75dd61ba3b701
-
Filesize
35KB
MD59e3c13b6556d5636b745d3e466d47467
SHA12ac1c19e268c49bc508f83fe3d20f495deb3e538
SHA25620af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8
SHA5125a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b