Analysis
-
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240704-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240704-en locale:en-us os:windows10-2004-x64 system
submitted: 08/07/2024, 19:28
Behavioral task
behavioral1
Sample
2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
Resource
win7-20240705-en
General
-
Target
2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
-
Size
175KB
-
MD5
2d8d1633510a9eb0b8495953e2697461
-
SHA1
cb6f307755eb5130b7b4e092057ea7a0d934726f
-
SHA256
7fa993c16abce154e66fedcc34a1cc425bbd6fb415b18ea62a42c816612f25ed
-
SHA512
da83f74629794e9ff71f7bece9b5b6d00bb0d5467083368af92140fe11225a369a547e8c122aa0fffe896d77db7db8bf6b1ad6f41fb08315103bdc016c07c6cd
-
SSDEEP
3072:9hr1wTT9cHlar+puWV8KsB7dIjxFlihpL3LPje6Per9qMCD6zJK2Uc1jXsZwe6zp:9hWn9FrRo8KiSjxu1LPjerx9JzVUcheQ
Malware Config
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource                                                                      yara_rule
behavioral2/memory/3036-0-0x0000000000400000-0x000000000046D000-memory.dmp    upx
behavioral2/files/0x00090000000232be-6.dat                                    upx
behavioral2/files/0x0001000000018990-13.dat                                   upx
behavioral2/memory/3036-19-0x0000000000400000-0x000000000046D000-memory.dmp   upx
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc      Process
File opened (read-only)  \??\E:   2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened (read-only)  \??\G:   2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened (read-only)  \??\K:   2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened (read-only)  \??\Q:   2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened (read-only)  \??\S:   2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened (read-only)  \??\M:   2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened (read-only)  \??\O:   2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened (read-only)  \??\P:   2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened (read-only)  \??\R:   2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened (read-only)  \??\U:   2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened (read-only)  \??\Y:   2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened (read-only)  \??\Z:   2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened (read-only)  \??\I:   2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened (read-only)  \??\T:   2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened (read-only)  \??\V:   2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened (read-only)  \??\H:   2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened (read-only)  \??\J:   2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened (read-only)  \??\L:   2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened (read-only)  \??\N:   2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened (read-only)  \??\W:   2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened (read-only)  \??\X:   2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
Drops file in System32 directory 27 IoCs
description                   ioc                                                                                     Process
File opened for modification  \??\c:\windows\SysWOW64\msdtc.exe                                                       2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened for modification  \??\c:\windows\SysWOW64\alg.exe                                                         2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened for modification  \??\c:\windows\SysWOW64\Appvclient.exe                                                  2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened for modification  \??\c:\windows\SysWOW64\msiexec.exe                                                     2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened for modification  \??\c:\windows\SysWOW64\perfhost.exe                                                    2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened for modification  \??\c:\windows\SysWOW64\spectrum.exe                                                    2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened for modification  \??\c:\windows\SysWOW64\openssh\ssh-agent.exe                                           2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened for modification  \??\c:\windows\SysWOW64\tieringengineservice.exe                                        2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened for modification  \??\c:\windows\SysWOW64\svchost.exe                                                     2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened for modification  \??\c:\windows\SysWOW64\dllhost.exe                                                     2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File created                  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.vir                               2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened for modification  \??\c:\windows\SysWOW64\fxssvc.exe                                                      2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened for modification  \??\c:\windows\SysWOW64\sensordataservice.exe                                           2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened for modification  \??\c:\windows\SysWOW64\locator.exe                                                     2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened for modification  \??\c:\windows\SysWOW64\diagsvcs\diagnosticshub.standardcollector.service.exe           2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File created                  \??\c:\windows\SysWOW64\msiexec.vir                                                     2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened for modification  \??\c:\windows\SysWOW64\vds.exe                                                         2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened for modification  \??\c:\windows\SysWOW64\lsass.exe                                                       2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened for modification  \??\c:\windows\SysWOW64\Agentservice.exe                                                2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened for modification  \??\c:\windows\SysWOW64\snmptrap.exe                                                    2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened for modification  \??\c:\windows\SysWOW64\vssvc.exe                                                       2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened for modification  \??\c:\windows\SysWOW64\wbengine.exe                                                    2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened for modification  \??\c:\windows\SysWOW64\wbem\wmiApsrv.exe                                               2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened for modification  \??\c:\windows\SysWOW64\searchindexer.exe                                               2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened for modification  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe                               2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened for modification  \??\c:\windows\SysWOW64\perceptionsimulation\perceptionsimulationservice.exe            2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened for modification  \??\c:\windows\SysWOW64\sgrmbroker.exe                                                  2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
Drops file in Program Files directory 13 IoCs
description                   ioc                                                                                         Process
File opened for modification  \??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\elevation_service.exe     2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened for modification  C:\Program Files\7-Zip\Uninstall.exe                                                        2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened for modification  \??\c:\program files\google\chrome\Application\110.0.5481.104\elevation_service.exe         2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened for modification  \??\c:\program files\common files\microsoft shared\source engine\ose.exe                    2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened for modification  C:\Program Files\7-Zip\7z.exe                                                               2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened for modification  C:\Program Files\7-Zip\7zFM.exe                                                             2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened for modification  \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe               2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File created                  C:\Program Files\7-Zip\Uninstall.vir                                                        2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened for modification  C:\Program Files\7-Zip\7zG.exe                                                              2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened for modification  \??\c:\program files (x86)\google\update\googleupdate.exe                                   2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened for modification  \??\c:\program files\windows media player\wmpnetwk.exe                                      2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened for modification  C:\Program Files\Internet Explorer\iexplore.exe                                             2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened for modification  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe                                2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
Drops file in Windows directory 2 IoCs
description                   ioc                                                                         Process
File opened for modification  \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe  2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
File opened for modification  \??\c:\windows\servicing\trustedinstaller.exe                               2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description                      pid   Process
Token: SeTakeOwnershipPrivilege  3036  2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2d8d1633510a9eb0b8495953e2697461_JaffaCakes118.exe"
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID: 3036
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 527KB
MD5: c4742c49f275903e66496e24e18b90da
SHA1: 2263b113c189c7052a5be6dfc68538f021b2372a
SHA256: 3137e63d3a85c9f9109043e4b1f5005d508a681bc2526d8d3bdeeb97dc316c4c
SHA512: ecca5ccbeeb422de865a1e9ac8e43727d3e12655a01076c5a685010782790a8b143f375ae3ef4d6aadd0849d9f79fd10ab47c8330f69354bd05899986470afb5
-
Filesize: 162KB
MD5: ec562f4e670b168812d750342624eff9
SHA1: 85e76aee91870bc473116febf0eb56af3c57d561
SHA256: cea239beee5bf2871bcd4ace17e3363c84d3abaa14bda26fdb2744b8dfed58e1
SHA512: bf311f051c0adf1565323f7074ea63dd50fbb0d3774047f2f38e425da5e4006198530cf89f2e2ff4633c4ecdeacb38ffc265fe37b6816aab88f6cea62e87353e