Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 147s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20240708-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240708-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/07/2024, 11:09
Behavioral tasks
- behavioral1: Sample 302006e88392c0574de378602e606f94_JaffaCakes118.exe, Resource win7-20240704-en
- behavioral2: Sample 302006e88392c0574de378602e606f94_JaffaCakes118.exe, Resource win10v2004-20240708-en
General
- Target: 302006e88392c0574de378602e606f94_JaffaCakes118.exe
- Size: 40KB
- MD5: 302006e88392c0574de378602e606f94
- SHA1: b0caf8e932f905a9d8599e28c8ebd298a899e7b3
- SHA256: 08e363584e5ddeb49ea0773f2f3e01f9d202e7bbbf83a327513bf8ac575c1e45
- SHA512: 12eaddfd0cb385b017b6b4aa542b95910084472fa7e9df7a4ab85cc3e1767e2fb2ce91fbfd41767c7378b706dec74a9685073dd415bf9563817df06a9bd1e6bf
- SSDEEP: 768:RYcJ1HIAR7cYIgRlGroD+7SvxRXmvY+hAxktTC+vqTqwmA:R51B4YI+PCSbmvvJC+sNP
Malware Config
Signatures
- Drops file in Drivers directory (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\drivers\FileEngine.sys | DiskSystem.exe
  File created | C:\Windows\SysWOW64\drivers\FileEngine.sys | 302006e88392c0574de378602e606f94_JaffaCakes118.exe

- Executes dropped EXE (1 IoCs)
  pid | Process
  2840 | DiskSystem.exe

- yara_rule matches (7 IoCs)
  resource | yara_rule
  behavioral2/memory/2568-0-0x0000000000400000-0x0000000000415000-memory.dmp | upx
  behavioral2/memory/2568-1-0x0000000000400000-0x0000000000415000-memory.dmp | upx
  behavioral2/files/0x000a000000023494-5.dat | upx
  behavioral2/memory/2840-7-0x0000000000400000-0x0000000000415000-memory.dmp | upx
  behavioral2/memory/2840-9-0x0000000000400000-0x0000000000415000-memory.dmp | upx
  behavioral2/memory/2840-17-0x0000000000400000-0x0000000000415000-memory.dmp | upx
  behavioral2/memory/2568-22-0x0000000000400000-0x0000000000415000-memory.dmp | upx

- Drops file in System32 directory (5 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\DiskSystem.exe | 302006e88392c0574de378602e606f94_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\DiskSystem.exe | 302006e88392c0574de378602e606f94_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\DiskSystem.exe | DiskSystem.exe
  File created | C:\Windows\SysWOW64\del09.bat | DiskSystem.exe
  File opened for modification | C:\Windows\SysWOW64\del09.bat | 302006e88392c0574de378602e606f94_JaffaCakes118.exe

- Gathers network information (2 TTPs, 2 IoCs)
  Uses commandline utility to view network configuration.
  pid | Process
  2600 | ipconfig.exe
  1708 | ipconfig.exe

- Suspicious behavior: LoadsDriver (2 IoCs)
  pid | Process
  652 | Process not Found
  652 | Process not Found

- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 2568 wrote to memory of 2600 | 2568 | 302006e88392c0574de378602e606f94_JaffaCakes118.exe | 81
  PID 2568 wrote to memory of 2600 | 2568 | 302006e88392c0574de378602e606f94_JaffaCakes118.exe | 81
  PID 2568 wrote to memory of 2600 | 2568 | 302006e88392c0574de378602e606f94_JaffaCakes118.exe | 81
  PID 2840 wrote to memory of 1708 | 2840 | DiskSystem.exe | 87
  PID 2840 wrote to memory of 1708 | 2840 | DiskSystem.exe | 87
  PID 2840 wrote to memory of 1708 | 2840 | DiskSystem.exe | 87
  PID 2840 wrote to memory of 2436 | 2840 | DiskSystem.exe | 92
  PID 2840 wrote to memory of 2436 | 2840 | DiskSystem.exe | 92
  PID 2840 wrote to memory of 2436 | 2840 | DiskSystem.exe | 92
  PID 2568 wrote to memory of 4860 | 2568 | 302006e88392c0574de378602e606f94_JaffaCakes118.exe | 94
  PID 2568 wrote to memory of 4860 | 2568 | 302006e88392c0574de378602e606f94_JaffaCakes118.exe | 94
  PID 2568 wrote to memory of 4860 | 2568 | 302006e88392c0574de378602e606f94_JaffaCakes118.exe | 94
Processes
- C:\Users\Admin\AppData\Local\Temp\302006e88392c0574de378602e606f94_JaffaCakes118.exe (PID 2568)
  Command line: "C:\Users\Admin\AppData\Local\Temp\302006e88392c0574de378602e606f94_JaffaCakes118.exe"
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\ipconfig.exe (PID 2600)
    Command line: ipconfig.exe
    - Gathers network information
  - C:\Windows\SysWOW64\cmd.exe (PID 4860)
    Command line: C:\Windows\system32\cmd.exe /c C:\Windows\system32\del09.bat
- C:\Windows\SysWOW64\DiskSystem.exe (PID 2840)
  Command line: C:\Windows\SysWOW64\DiskSystem.exe
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\ipconfig.exe (PID 1708)
    Command line: ipconfig.exe
    - Gathers network information
  - C:\Windows\SysWOW64\cmd.exe (PID 2436)
    Command line: C:\Windows\system32\cmd.exe /c C:\Windows\system32\del09.bat
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 40KB
  MD5: 302006e88392c0574de378602e606f94
  SHA1: b0caf8e932f905a9d8599e28c8ebd298a899e7b3
  SHA256: 08e363584e5ddeb49ea0773f2f3e01f9d202e7bbbf83a327513bf8ac575c1e45
  SHA512: 12eaddfd0cb385b017b6b4aa542b95910084472fa7e9df7a4ab85cc3e1767e2fb2ce91fbfd41767c7378b706dec74a9685073dd415bf9563817df06a9bd1e6bf
- Filesize: 218B
  MD5: 84be55e9ca19fa4ac2bd3bceae317ab4
  SHA1: 44e95c651312bdb007d387b884eaa9074922025e
  SHA256: 0092b08ab1212caa3de245d197da77101348d5c5c0c31b32851eab5b20f3d2e3
  SHA512: 89c7a895c5801299947146b7188a9ac9cc0ba2f46b7f7be9e03ad6a07f9279980a3f482e533342aa4949eb628b1fb72e25529cf1ad7e28abcb76778704da6475
- Filesize: 14KB
  MD5: 30588483dec09720b4cfd49bf65f2947
  SHA1: 6716f424fc287f858194e40978f7e61b4fd78879
  SHA256: 31fd3131464082369fbeec52dce72fbc2ab4adb654c0c7ea55aba77dc7760293
  SHA512: 7819a85c8e384d591eeeb4a24092d476dd82fa940345c539127687c5b4ced6f49e9fcf50810750c285163fecc7c32573f71deea888c4ed73c77cb447f88fcdb6