Analysis

  max time kernel    150s
  max time network   150s
  platform           windows10-2004_x64
  resource           win10v2004-20240709-en
  resource tags      arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  submitted          10/07/2024, 04:44

Static task
  static1

Behavioral task
  behavioral1
  Sample     3356aae4f5a2a83cb062e91f544fd3df_JaffaCakes118.exe
  Resource   win7-20240708-en

Note that the analysis header above names the Windows 10 resource (win10v2004-20240709-en) while the behavioral task row names win7-20240708-en; the page carries both values, so check which image the process tree and IoCs below were captured on before reusing the PIDs elsewhere.
General

  Target    3356aae4f5a2a83cb062e91f544fd3df_JaffaCakes118.exe
  Size      3.3MB
  MD5       3356aae4f5a2a83cb062e91f544fd3df
  SHA1      d3e7b148cc7231cf2b99dbb53c95998169b1f831
  SHA256    156f940afb79f0ae3a13c766d9e5aa2e40870db2421f4b245f49135dc7b0f0af
  SHA512    2d56ddfbdd3e14f0e29831173d122cc6d5094d098f3d4e91ca0c2af388da22a441abe92a25977f9f859dde5d8076a38fc7877b56866a6fa5875bd63681f8e0e8
  SSDEEP    12288:xrNogwflQWMw28nPi1Ken9UWDoUWtoOBFeBnJ8z490JWcm0:xrNoPflokn2KzWDHWtvc+Jy0
Malware Config
Signatures

- Executes dropped EXE (2 IoCs)
    pid   Process
    3884  explorer.exe
    1344  explorer.exe

- Checks installed software on the system (1 TTP)
    Looks up Uninstall key entries in the registry to enumerate software on the system.

- Checks whether UAC is enabled (1 IoC; the process tree lists this signature for PID 1344)
    description        ioc                                                                                     Process
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  explorer.exe

- Suspicious use of SetThreadContext (2 IoCs)
    description                          pid   Process                                              procid_target
    PID 4596 set thread context of 4652  4596  3356aae4f5a2a83cb062e91f544fd3df_JaffaCakes118.exe  80
    PID 3884 set thread context of 1344  3884  explorer.exe                                         82

- Suspicious behavior: EnumeratesProcesses (12 IoCs)
    pid   Process                                              occurrences
    4652  3356aae4f5a2a83cb062e91f544fd3df_JaffaCakes118.exe  4
    1344  explorer.exe                                         8

- Suspicious use of WriteProcessMemory (24 IoCs)
    description                       pid   Process                                              procid_target  occurrences
    PID 4596 wrote to memory of 4652  4596  3356aae4f5a2a83cb062e91f544fd3df_JaffaCakes118.exe  80             9
    PID 4652 wrote to memory of 3884  4652  3356aae4f5a2a83cb062e91f544fd3df_JaffaCakes118.exe  81             3
    PID 3884 wrote to memory of 1344  3884  explorer.exe                                         82             9
    PID 1344 wrote to memory of 2704  1344  explorer.exe                                         83             3

    procid_target is the sandbox's own index for the target process, not its Windows PID. Read together with the SetThreadContext rows, the pattern is the one associated with process hollowing: each stage writes nine times into a freshly spawned copy of its own image (4596 into 4652, 3884 into 1344) and then resets that copy's thread context, whereas the three writes into a differently named child (4652 into 3884, 1344 into 2704) come with no context change, which is what an ordinary process creation looks like.
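The correlation described above, written out as detection logic over the report's own rows. This is an added example, not part of the Triage report or its signature engine: the event list is transcribed from the SetThreadContext and WriteProcessMemory tables (with the page's multiplicities), the PID-to-image map comes from the process tree, and the MIN_WRITES threshold is an assumption chosen to separate a loader mapping a PE image into a child from a parent's few writes at process creation.

```python
"""Correlate WriteProcessMemory and SetThreadContext rows into process-hollowing
candidates. Added example, not part of the Triage report. EVENTS and PROCESSES are
transcribed from the report; MIN_WRITES is an assumption."""
from collections import defaultdict

# pid -> image path, from the report's process tree
PROCESSES = {
    4596: r"C:\Users\Admin\AppData\Local\Temp\3356aae4f5a2a83cb062e91f544fd3df_JaffaCakes118.exe",
    4652: r"C:\Users\Admin\AppData\Local\Temp\3356aae4f5a2a83cb062e91f544fd3df_JaffaCakes118.exe",
    3884: r"C:\Users\Admin\AppData\Local\Temp\explorer.exe",
    1344: r"C:\Users\Admin\AppData\Local\Temp\explorer.exe",
    2704: r"C:\Windows\SysWOW64\cmd.exe",
}

# (api, source_pid, target_pid); multiplicities match the report's IoC counts
EVENTS = (
    [("SetThreadContext", 4596, 4652), ("SetThreadContext", 3884, 1344)]
    + [("WriteProcessMemory", 4596, 4652)] * 9
    + [("WriteProcessMemory", 4652, 3884)] * 3
    + [("WriteProcessMemory", 3884, 1344)] * 9
    + [("WriteProcessMemory", 1344, 2704)] * 3
)

# Assumption: a parent that merely creates a child touches its memory only a few
# times; a loader that maps a whole PE image into the child writes far more often.
MIN_WRITES = 4


def find_hollowing(events, processes, min_writes=MIN_WRITES):
    """Return (source, target) pairs that look like hollowing: at least min_writes
    writes into the target plus a SetThreadContext on it, sorted by (source, target)."""
    writes = defaultdict(int)
    ctx_pairs = set()
    for api, src, dst in events:
        if api == "WriteProcessMemory":
            writes[(src, dst)] += 1
        elif api == "SetThreadContext":
            ctx_pairs.add((src, dst))

    findings = []
    for (src, dst), n in sorted(writes.items()):
        if (src, dst) not in ctx_pairs or n < min_writes:
            continue  # e.g. 4652 -> 3884: three writes, no context change, ordinary spawn
        same_image = processes[src].lower() == processes[dst].lower()
        findings.append({
            "source": src,
            "target": dst,
            "writes": n,
            "same_image": same_image,
            "verdict": "self-hollowing (RunPE-style)" if same_image else "cross-image injection",
        })
    return findings


if __name__ == "__main__":
    for f in find_hollowing(EVENTS, PROCESSES):
        print(f"{f['source']} -> {f['target']}: {f['writes']} writes, {f['verdict']}")
```

Run against the transcribed rows it reports exactly the two stages flagged by the report's SetThreadContext signature, both as same-image hollowing, and stays silent on the two ordinary spawns. On a real host the same logic applies to Sysmon event ID 8/10 style telemetry once the source and target PIDs are joined back to image paths.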
Processes

  C:\Users\Admin\AppData\Local\Temp\3356aae4f5a2a83cb062e91f544fd3df_JaffaCakes118.exe  (PID 4596, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\3356aae4f5a2a83cb062e91f544fd3df_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\3356aae4f5a2a83cb062e91f544fd3df_JaffaCakes118.exe  (PID 4652, depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\3356aae4f5a2a83cb062e91f544fd3df_JaffaCakes118.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\explorer.exe  (PID 3884, depth 3)
      command line: "C:\Users\Admin\AppData\Local\Temp\explorer.exe" 1
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\explorer.exe  (PID 1344, depth 4)
        command line: "C:\Users\Admin\AppData\Local\Temp\explorer.exe" 1
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\cmd.exe  (PID 2704, depth 5)
          command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2051.bat"

Two details in this tree matter when turning it into a hunt: the binary named explorer.exe runs from the user's Temp directory rather than from C:\Windows, so a rule keyed on image name alone will treat it as the shell, while a rule keyed on image path catches it; and the final cmd.exe is the SysWOW64 copy even though its command line names system32, which is the WoW64 file-system redirection a 32-bit parent receives (the resource tags list both arch:x86 and arch:x64).
Network
MITRE ATT&CK Enterprise v15
Downloads

  File 1
    Filesize  182B
    MD5       c9375e809e46ef6e908cbceb5525ffab
    SHA1      f6fa24a05cfe0363d711cee6e6fc2658794fd8c2
    SHA256    695331f595b1a83a600a7dca93d2396ea4e34a8f8e51f527a65ea2efd45315e7
    SHA512    6e1dc9935f2e562e06bad113adb0f97e1005dcb361570b903289751547a58040e46aa1e6863a1cf27aeae35b31efcd337026a668486615b0ac096bb428111daa

  File 2 (hashes match the submitted sample)
    Filesize  3.3MB
    MD5       3356aae4f5a2a83cb062e91f544fd3df
    SHA1      d3e7b148cc7231cf2b99dbb53c95998169b1f831
    SHA256    156f940afb79f0ae3a13c766d9e5aa2e40870db2421f4b245f49135dc7b0f0af
    SHA512    2d56ddfbdd3e14f0e29831173d122cc6d5094d098f3d4e91ca0c2af388da22a441abe92a25977f9f859dde5d8076a38fc7877b56866a6fa5875bd63681f8e0e8