Analysis
max time kernel: 95s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/07/2024, 16:17
Static task: static1
Behavioral task: behavioral1
  Sample: 3577f4702582432300f89e998ea60a82_JaffaCakes118.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 3577f4702582432300f89e998ea60a82_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
Target: 3577f4702582432300f89e998ea60a82_JaffaCakes118.exe
Size: 20KB
MD5: 3577f4702582432300f89e998ea60a82
SHA1: eca085692f561bc655fd7b8b0a4f0fcac6f27bfa
SHA256: 13bbc671966e78d95bc28f99aadd1bf9d9c563ce5630b3523d5b22fa12c032a1
SHA512: 1e91595f66fdcf0846858b526b0ff1e4ebc418a95dcfc1d5bbf90e08670b7a45e019e72dd43975275b81a7ea40cf10af6b51299f4c9278c127e76e308912cc2e
SSDEEP: 384:bO2OEHdn0QfuLNExpYROROJWHLyRFqKv8sNPeKl3C1J9:RHlhQExpoOYSLy1vZ53C1D
Malware Config
Signatures
Deletes itself (1 IoC)
  pid 4460  mcsijyoe.exe
Executes dropped EXE (1 IoC)
  pid 4460  mcsijyoe.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSCV = "C:\\Users\\Admin\\mcsijyoe.exe"  by mcsijyoe.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\MSCV = "C:\\Users\\Admin\\mcsijyoe.exe"  by mcsijyoe.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSCV = "C:\\Users\\Admin\\mcsijyoe.exe"  by mcsijyoe.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 4460  mcsijyoe.exe  (2 events)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege  pid 4672  3577f4702582432300f89e998ea60a82_JaffaCakes118.exe
  Token: SeTcbPrivilege    pid 4672  3577f4702582432300f89e998ea60a82_JaffaCakes118.exe
  Token: SeDebugPrivilege  pid 4460  mcsijyoe.exe
Suspicious use of WriteProcessMemory (10 IoCs)
  PID 4672 wrote to memory of 4460  process 3577f4702582432300f89e998ea60a82_JaffaCakes118.exe  procid_target 84  (3 events)
  PID 4460 wrote to memory of 3460  process mcsijyoe.exe  procid_target 56  (7 events)
Processes
C:\Windows\Explorer.EXE  "C:\Windows\Explorer.EXE"  (PID 3460)
  C:\Users\Admin\AppData\Local\Temp\3577f4702582432300f89e998ea60a82_JaffaCakes118.exe  "C:\Users\Admin\AppData\Local\Temp\3577f4702582432300f89e998ea60a82_JaffaCakes118.exe"  (PID 4672)
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\mcsijyoe.exe  "C:\Users\Admin\mcsijyoe.exe" 528 "C:\Users\Admin\AppData\Local\Temp\3577f4702582432300f89e998ea60a82_JaffaCakes118.exe"  (PID 4460)
    - Deletes itself
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
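The registry rows in the signature list and the WriteProcessMemory rows in the process tree are what a responder turns into host checks. The script below is an added example written for this page, not tria.ge code and not part of the sample. It embeds the three "Adds Run key" rows, the ten WriteProcessMemory rows and the PID-to-image map from the process tree above (copied verbatim, so it runs offline), parses them, maps the kernel object paths (\REGISTRY\MACHINE, \REGISTRY\USER\<SID>) to the HKLM/HKU names hunting tools use, drops autostart locations a modern host never reads, and collapses the repeated memory-write rows into a writer-to-target chain. The regexes assume the row layout shown in this report; the function and constant names are my own.

```python
"""Turn the flattened registry and WriteProcessMemory IoC rows from a tria.ge
report into a short hunting checklist.  Added example, not tria.ge code.
The row texts and PID->name map below are copied from the report and embedded
so the script runs offline; the regexes assume that row layout."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed input: the three "Adds Run key" rows, verbatim from the report.
RUN_KEY_ROWS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSCV = "C:\\Users\\Admin\\mcsijyoe.exe" mcsijyoe.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\MSCV = "C:\\Users\\Admin\\mcsijyoe.exe" mcsijyoe.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSCV = "C:\\Users\\Admin\\mcsijyoe.exe" mcsijyoe.exe
'''

# Constructed input: the ten WriteProcessMemory rows (3 + 7 identical lines).
WPM_ROWS = (
    "PID 4672 wrote to memory of 4460 4672 3577f4702582432300f89e998ea60a82_JaffaCakes118.exe 84\n" * 3
    + "PID 4460 wrote to memory of 3460 4460 mcsijyoe.exe 56\n" * 7
)

# PID -> image name, taken from the report's process tree.
PROCESS_NAMES = {
    3460: "Explorer.EXE",
    4672: "3577f4702582432300f89e998ea60a82_JaffaCakes118.exe",
    4460: "mcsijyoe.exe",
}

RUN_RE = re.compile(
    r'Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\\S+)\\(?P<name>[^\\\s]+)'
    r' = "(?P<data>[^"]*)" (?P<proc>\S+)'
)
WPM_RE = re.compile(r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)")

# Autostart subkeys under ...\CurrentVersion.  RunServices/RunServicesOnce were
# only honoured by Windows 9x/ME; NT-based Windows never reads them, so a write
# there is a fingerprint of the family, not working persistence.
AUTOSTART_SUBKEYS = {"Run", "RunOnce", "RunOnceEx", "RunServices", "RunServicesOnce"}
LEGACY_SUBKEYS = {"RunServices", "RunServicesOnce"}


@dataclass(frozen=True)
class RunValue:
    key: str     # hive-prefixed key, e.g. HKLM\SOFTWARE\...\Run
    name: str    # value name, e.g. MSCV
    data: str    # stored command / path, with the report's \\ escaping undone
    writer: str  # process that set the value


def normalize_key(nt_path: str) -> str:
    """Map the kernel object path the sandbox logs to the hive names tools use."""
    for prefix, hive in (("\\REGISTRY\\MACHINE\\", "HKLM\\"),
                         ("\\REGISTRY\\USER\\", "HKU\\")):
        if nt_path.upper().startswith(prefix):
            return hive + nt_path[len(prefix):]
    return nt_path


def parse_run_values(text: str) -> list[RunValue]:
    return [RunValue(key=normalize_key(m["key"]), name=m["name"],
                     data=m["data"].replace("\\\\", "\\"), writer=m["proc"])
            for m in RUN_RE.finditer(text)]


def effective_persistence(values: list[RunValue]) -> list[RunValue]:
    """Keep only autostart locations a modern Windows host will actually run."""
    return [v for v in values
            if v.key.rsplit("\\", 1)[-1] in AUTOSTART_SUBKEYS - LEGACY_SUBKEYS]


def parse_memory_writes(text: str) -> Counter:
    """Collapse repeated rows into (writer_pid, target_pid) -> event count."""
    return Counter((int(m["src"]), int(m["dst"])) for m in WPM_RE.finditer(text))


def injection_chain(writes: Counter, names: dict) -> list[tuple[str, str, int]]:
    """Follow writer->target edges starting from the process nobody wrote into."""
    targets = {dst for _, dst in writes}
    cur = next(src for src, _ in writes if src not in targets)
    chain = []
    while True:
        nxt = [(dst, n) for (src, dst), n in writes.items() if src == cur]
        if not nxt:
            return chain
        dst, n = nxt[0]
        chain.append((names.get(cur, str(cur)), names.get(dst, str(dst)), n))
        cur = dst


def hunting_checklist(values, writes, names) -> list[str]:
    lines = ["Autorun values to query on suspect hosts:"]
    for v in effective_persistence(values):
        user_writable = v.data.upper().startswith("C:\\USERS\\")
        lines.append(f"  {v.key}\\{v.name} = {v.data}"
                     + ("  [user-writable path]" if user_writable else ""))
    lines.append("Cross-process writes (look for the same pattern in EDR telemetry):")
    for src, dst, n in injection_chain(writes, names):
        lines.append(f"  {src} -> {dst}: {n} WriteProcessMemory events")
    return lines


if __name__ == "__main__":
    print("\n".join(hunting_checklist(parse_run_values(RUN_KEY_ROWS),
                                     parse_memory_writes(WPM_ROWS), PROCESS_NAMES)))
```

Two things the output makes explicit that the raw rows do not. First, the HKLM writes landed under WOW6432Node because the sample is 32-bit (the resource tags list arch:x86 alongside the x64 image), so the registry redirector moved them; 64-bit Windows still processes the WOW6432Node Run key, so that entry and the HKU Run entry are the live persistence, while the RunServices value is dead weight on any NT-based system. Second, the only cross-process writes from the dropped copy go into PID 3460, Explorer.EXE, which is the injection indicator to hunt for; the dropper's own writes into its child and the child's command line carrying the dropper's original path are consistent with the "Deletes itself" signature, the copy removing the file it was launched from.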
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 20KB
MD5: 3577f4702582432300f89e998ea60a82
SHA1: eca085692f561bc655fd7b8b0a4f0fcac6f27bfa
SHA256: 13bbc671966e78d95bc28f99aadd1bf9d9c563ce5630b3523d5b22fa12c032a1
SHA512: 1e91595f66fdcf0846858b526b0ff1e4ebc418a95dcfc1d5bbf90e08670b7a45e019e72dd43975275b81a7ea40cf10af6b51299f4c9278c127e76e308912cc2e