Analysis
  max time kernel: 149s
  max time network: 153s
  platform: windows10-2004_x64
  resource: win10v2004-20240704-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 07/07/2024, 04:55
Behavioral task
  behavioral1
  Sample: 29be82b7020fc45f5b4768dcad8d12d4_JaffaCakes118.exe
  Resource: win7-20240705-en
  6 signatures
  150 seconds
General
  Target: 29be82b7020fc45f5b4768dcad8d12d4_JaffaCakes118.exe
  Size: 646KB
  MD5: 29be82b7020fc45f5b4768dcad8d12d4
  SHA1: b61c18bb320a306a3752fb0a58d54ec6ce86d116
  SHA256: 5a988ea6330246fa9fb9e734a319039c21e85b592a19f886c8352f7c83d68602
  SHA512: 84421020317e896c38906921295d11644241f7c7dee426a019d34ddb606ab1b9a308c8c4b45cda00bedf2dc9e2f6aedabdcffd1686be2d8028461e0d07de7fe0
  SSDEEP: 12288:4DGI8Zsxgb0FK3ARkKWhZ4FoKMDhtJ8IpaCAO7G1xYfg9k+1A0G6FjuaFUs:4DFpM0Q3trZ46KMDhfX7Nfck+1AcjLT
Malware Config
Signatures

Checks for common network interception software (1 TTPs)
  Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

Enumerates VirtualBox registry keys (2 TTPs, 1 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest | 29be82b7020fc45f5b4768dcad8d12d4_JaffaCakes118.exe

YARA rule match: upx
  resource | yara_rule
  behavioral2/memory/3688-0-0x0000000000400000-0x00000000004E9000-memory.dmp | upx
  behavioral2/memory/3688-14-0x0000000000400000-0x00000000004E9000-memory.dmp | upx

Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 3688 set thread context of 3152 | 3688 | 29be82b7020fc45f5b4768dcad8d12d4_JaffaCakes118.exe | 85

Program crash (1 IoCs)
  pid | pid_target | Process | procid_target
  2296 | 3152 | WerFault.exe | 85

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  3152 | 29be82b7020fc45f5b4768dcad8d12d4_JaffaCakes118.exe
  3152 | 29be82b7020fc45f5b4768dcad8d12d4_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (16 IoCs)
  description | pid | Process | procid_target
  PID 3688 wrote to memory of 3152 | 3688 | 29be82b7020fc45f5b4768dcad8d12d4_JaffaCakes118.exe | 85
  (the same entry is listed 16 times in the report)
Processes

  C:\Users\Admin\AppData\Local\Temp\29be82b7020fc45f5b4768dcad8d12d4_JaffaCakes118.exe (PID 3688)
    Command line: "C:\Users\Admin\AppData\Local\Temp\29be82b7020fc45f5b4768dcad8d12d4_JaffaCakes118.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\29be82b7020fc45f5b4768dcad8d12d4_JaffaCakes118.exe (PID 3152)
      Command line: C:\Users\Admin\AppData\Local\Temp\29be82b7020fc45f5b4768dcad8d12d4_JaffaCakes118.exe
      - Enumerates VirtualBox registry keys
      - Suspicious behavior: EnumeratesProcesses

      C:\Windows\SysWOW64\WerFault.exe (PID 2296)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 532
        - Program crash

  C:\Windows\SysWOW64\WerFault.exe (PID 2124)
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3152 -ip 3152