Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
92s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240704-en -
resource tags
arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system -
submitted
09/07/2024, 06:32 UTC
Behavioral task
behavioral1
Sample
2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe
Resource
win10v2004-20240704-en
General
-
Target
2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe
-
Size
126KB
-
MD5
2f5009a385b3c87156e2372fcc834242
-
SHA1
2551e460d87e884f3e32bc81d07edf0d7350f2db
-
SHA256
a84cc849c5d3fe3d666143b2786df3b51de9c50e9f9d803e71f18f380ed3c4bc
-
SHA512
684bfa168edbb9b10fd78693b923d71c3080df921e4dec9dc0eae249c953c6229f7649369bdf8a706f33dcfc9d0d5abdff9645a9385edc9b389d8e1928dab62e
-
SSDEEP
1536:QZN3pOTDnWqwEpkYdZFoVP5mv+DiED8LE/Ln8D04cXQZqTERGtbxSUg7cWKiU:QHITDWqwExCk+DVF/L844cgcTok9g7W
Malware Config
Signatures
-
Server Software Component: Terminal Services DLL 1 TTPs 14 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\LogonHours\Parameters\ServiceDll = "C:\\Windows\\system32\\LogonHours.dll" 2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll" 2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ias\Parameters\ServiceDll = "C:\\Windows\\system32\\Ias.dll" 2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Irmon\Parameters\ServiceDll = "C:\\Windows\\system32\\Irmon.dll" 2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Wmi\Parameters\ServiceDll = "C:\\Windows\\system32\\Wmi.dll" 2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\helpsvc\Parameters\ServiceDll = "C:\\Windows\\system32\\helpsvc.dll" 2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Nla\Parameters\ServiceDll = "C:\\Windows\\system32\\Nla.dll" 2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ntmssvc\Parameters\ServiceDll = "C:\\Windows\\system32\\Ntmssvc.dll" 2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NWCWorkstation\Parameters\ServiceDll = "C:\\Windows\\system32\\NWCWorkstation.dll" 2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Nwsapagent\Parameters\ServiceDll = "C:\\Windows\\system32\\Nwsapagent.dll" 2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SRService\Parameters\ServiceDll = "C:\\Windows\\system32\\SRService.dll" 2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WmdmPmSp\Parameters\ServiceDll = "C:\\Windows\\system32\\WmdmPmSp.dll" 2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PCAudit\Parameters\ServiceDll = "C:\\Windows\\system32\\PCAudit.dll" 2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\uploadmgr\Parameters\ServiceDll = "C:\\Windows\\system32\\uploadmgr.dll" 2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe -
resource yara_rule behavioral2/memory/2044-0-0x0000000000180000-0x00000000001A4000-memory.dmp upx behavioral2/files/0x000700000002346f-9.dat upx behavioral2/memory/2044-19-0x0000000000180000-0x00000000001A4000-memory.dmp upx -
Drops file in System32 directory 15 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll 2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\NWCWorkstation.dll 2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\helpsvc.dll 2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\Nwsapagent.dll 2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\uploadmgr.dll 2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\Wmi.dll 2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\WmdmPmSp.dll 2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\PCAudit.dll 2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\0B090D8C.tmp 2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\Nla.dll 2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\Ntmssvc.dll 2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\SRService.dll 2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\Ias.dll 2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\Irmon.dll 2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\LogonHours.dll 2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2044 2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe 2044 2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\2f5009a385b3c87156e2372fcc834242_JaffaCakes118.exe"1⤵
- Server Software Component: Terminal Services DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2044
Network
-
Remote address:8.8.8.8:53Request64.159.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.210.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request58.99.105.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request103.169.127.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request171.39.242.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.214.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request0.205.248.87.in-addr.arpaIN PTRResponse0.205.248.87.in-addr.arpaIN PTRhttps-87-248-205-0lgwllnwnet
-
72 B 158 B 1 1
DNS Request
64.159.190.20.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.210.232.199.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
58.99.105.20.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
103.169.127.40.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
171.39.242.20.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.214.232.199.in-addr.arpa
-
71 B 116 B 1 1
DNS Request
0.205.248.87.in-addr.arpa
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
126KB
MD54e3514d1e271a60a24f9785c3cbcd279
SHA1fb86fa75768d677a307da6aeaf2578020a4c2b66
SHA2567328bc89b607593d82467754675b32e71eecd80f2cbbe38dc522706500a3d5fb
SHA5125cdb26adfe3be0c48ebfa57425f015a06c31d58fd2c8a354a26768a8a037f51041c1391acd945e5b9a7b3ddeef8b1003e4b7252880601244b5cc1f4af158d6df