Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10/07/2024, 15:05
Static task: static1
Behavioral task: behavioral1
- Sample: 353aee66f961ef3158e0884c287c5645_JaffaCakes118.exe
- Resource: win7-20240705-en
Behavioral task: behavioral2
- Sample: 353aee66f961ef3158e0884c287c5645_JaffaCakes118.exe
- Resource: win10v2004-20240709-en
General
- Target: 353aee66f961ef3158e0884c287c5645_JaffaCakes118.exe
- Size: 689KB
- MD5: 353aee66f961ef3158e0884c287c5645
- SHA1: 9df777862cc2aa631e7134f175ea028bb7bc8728
- SHA256: 20a85e2d05f4f78e7e366b9b6562e453ece5fb3c556e4a03ad6edf45a43130df
- SHA512: 3d8d251f35d02bf4f4b80ceadbdcf9e4def5e9290f5ee4a2e33750389b05f39b38c69ae3535406c731a0146d16ef3a7345e1a2853cd1a195d7d09fd3d567b13e
- SSDEEP: 12288:ePLP+oUvVHcz8cv7DfuNy686Eg8wG8OF3Z4mxx5DqVTVOCg:8SoaVk8cffuNyR6EgS8OQmXQVTzg
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
- pid 2764, process 4.exe
- pid 2608, process Hacker.com.cn.exe

Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (process: 353aee66f961ef3158e0884c287c5645_JaffaCakes118.exe)

Drops file in Windows directory (3 IoCs)
- File created: C:\Windows\uninstal.bat (process: 4.exe)
- File created: C:\Windows\Hacker.com.cn.exe (process: 4.exe)
- File opened for modification: C:\Windows\Hacker.com.cn.exe (process: 4.exe)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, pid 2764, process 4.exe
- Token: SeDebugPrivilege, pid 2608, process Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow (1 IoC)
- pid 2608, process Hacker.com.cn.exe

Suspicious use of WriteProcessMemory (8 IoCs)
- PID 4812 (353aee66f961ef3158e0884c287c5645_JaffaCakes118.exe) wrote to memory of 2764, procid_target 83
- PID 4812 (353aee66f961ef3158e0884c287c5645_JaffaCakes118.exe) wrote to memory of 2764, procid_target 83
- PID 4812 (353aee66f961ef3158e0884c287c5645_JaffaCakes118.exe) wrote to memory of 2764, procid_target 83
- PID 2608 (Hacker.com.cn.exe) wrote to memory of 3196, procid_target 87
- PID 2608 (Hacker.com.cn.exe) wrote to memory of 3196, procid_target 87
- PID 2764 (4.exe) wrote to memory of 4940, procid_target 88
- PID 2764 (4.exe) wrote to memory of 4940, procid_target 88
- PID 2764 (4.exe) wrote to memory of 4940, procid_target 88
Processes
- C:\Users\Admin\AppData\Local\Temp\353aee66f961ef3158e0884c287c5645_JaffaCakes118.exe (PID 4812)
  Command line: "C:\Users\Admin\AppData\Local\Temp\353aee66f961ef3158e0884c287c5645_JaffaCakes118.exe"
  Signatures:
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe (PID 2764)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
    Signatures:
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\cmd.exe (PID 4940)
      Command line: C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat

- C:\Windows\Hacker.com.cn.exe (PID 2608)
  Command line: C:\Windows\Hacker.com.cn.exe
  Signatures:
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Program Files\Internet Explorer\IEXPLORE.EXE (PID 3196)
    Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 789KB
  MD5: ec0c29add6ca3345cc89f3c93ea54317
  SHA1: bcca4323a723e7b5717d42524425a38981f707ce
  SHA256: c94637967eabbd861d8ecfee6a31b84c305222c3e29587764da9e08fd0858a65
  SHA512: d9b620aac58d66da9f288ba3676142c6a55dca528ab44917508ed7c8c5b87806bdf41b52a259041ae6ae13647ac8f43159eee66db4eaae79839763de1731cd02
- Filesize: 150B
  MD5: 5edd682a8b1f2bf873300774f954ab03
  SHA1: 2cca4e743d02dbccf31b784ea26a60c03dcc9637
  SHA256: a34c51ec5d2ac66ef75719e7dee61b6e89e74d054712438da2585ec92ce0865a
  SHA512: 916f0e846a38f63aae996e2a3957fa24fed3bcaa6add68c529e3cc0aa063dca49b98d42c92317bfc2f43d745c492e1e1e6f5db0c986b9682f4b9b0cf0afd7bd2