Analysis
- max time kernel: 78s
- max time network: 52s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 08/07/2024, 19:31
Behavioral task behavioral1
- Sample: 2d8f429c96d92430c8c66679936bbc1f_JaffaCakes118.exe
- Resource: win7-20240705-en
Behavioral task behavioral2
- Sample: 2d8f429c96d92430c8c66679936bbc1f_JaffaCakes118.exe
- Resource: win10v2004-20240704-en
General
- Target: 2d8f429c96d92430c8c66679936bbc1f_JaffaCakes118.exe
- Size: 501KB
- MD5: 2d8f429c96d92430c8c66679936bbc1f
- SHA1: a753880cfe0cb7051a0b9cf07531d04c13f7d032
- SHA256: 58bb782e0b4222b68641abad8f779125d73fc7d411b837d5a011a7feafd08141
- SHA512: fcf28248d78a68a03dd707d7b88dfe7e020916726c9d6bb24c4dc0d932e6cdbca3dd90bff0984b46ce63ac4f367b80f1ff707b3065fa2deb57b1ca29ba04524f
- SSDEEP: 6144:y8lLSeKLxjiZjdhTv2tIyzJM/FAvzBF/nM+BNlocz4xWadXmRd7gJQa3:ymFT1yNM/Wvz/Z4WaSdUJP
Malware Config
Signatures
Executes dropped EXE 1 IoCs
- pid 1180, Process Yjowua.exe
UPX-packed resource (yara_rule upx) 4 IoCs
- behavioral1/memory/1068-1-0x0000000000400000-0x000000000047F000-memory.dmp
- behavioral1/files/0x0007000000018703-11.dat
- behavioral1/memory/1180-13-0x0000000000400000-0x000000000047F000-memory.dmp
- behavioral1/memory/1068-12-0x0000000000370000-0x00000000003EF000-memory.dmp
Adds Run key to start application 2 TTPs 1 IoCs
- Set value (str): \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\DFGQBFFUUO = "C:\\Windows\\Yjowua.exe" (Process: Yjowua.exe)
Drops file in Windows directory 4 IoCs
- File created: C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job (Process: 2d8f429c96d92430c8c66679936bbc1f_JaffaCakes118.exe)
- File opened for modification: C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job (Process: 2d8f429c96d92430c8c66679936bbc1f_JaffaCakes118.exe)
- File created: C:\Windows\Yjowua.exe (Process: 2d8f429c96d92430c8c66679936bbc1f_JaffaCakes118.exe)
- File opened for modification: C:\Windows\Yjowua.exe (Process: 2d8f429c96d92430c8c66679936bbc1f_JaffaCakes118.exe)
Modifies Internet Explorer settings 2 IoCs
- Key created: \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main (Process: Yjowua.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main (Process: 2d8f429c96d92430c8c66679936bbc1f_JaffaCakes118.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
- pid 1180, Process Yjowua.exe (64 identical entries)
Suspicious use of UnmapMainImage 2 IoCs
- pid 1068, Process 2d8f429c96d92430c8c66679936bbc1f_JaffaCakes118.exe
- pid 1180, Process Yjowua.exe
Suspicious use of WriteProcessMemory 4 IoCs
- PID 1068 wrote to memory of 1180; Process 2d8f429c96d92430c8c66679936bbc1f_JaffaCakes118.exe; procid_target 29 (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\2d8f429c96d92430c8c66679936bbc1f_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2d8f429c96d92430c8c66679936bbc1f_JaffaCakes118.exe"
  PID: 1068
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Yjowua.exe (child of PID 1068)
    Command line: C:\Windows\Yjowua.exe
    PID: 1180
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 372B
  MD5: b4f6d1d2f88f7694aa4f1bb1f5d88540
  SHA1: cff4da335b60a561ae6ad0789a94c0a4cfa9600a
  SHA256: 58f222c33301742cb36df7b0380b649d47665cf20efa8da087a44bcabb2d9e89
  SHA512: 36131a98d57fae581c8ab02041d1d8d85fdc59204012e507edfe25686addece87854cb1c2916bc158bdc01541076ce101c909240977d2e778c6792da4fcda953
- Filesize: 501KB
  MD5: 2d8f429c96d92430c8c66679936bbc1f
  SHA1: a753880cfe0cb7051a0b9cf07531d04c13f7d032
  SHA256: 58bb782e0b4222b68641abad8f779125d73fc7d411b837d5a011a7feafd08141
  SHA512: fcf28248d78a68a03dd707d7b88dfe7e020916726c9d6bb24c4dc0d932e6cdbca3dd90bff0984b46ce63ac4f367b80f1ff707b3065fa2deb57b1ca29ba04524f