Analysis

max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/07/2024, 21:48
Static task: static1

Behavioral task: behavioral1
  Sample: 3ad62dbb3a75e3ed1ef4dcefe3e162ea_JaffaCakes118.exe
  Resource: win7-20240708-en

Behavioral task: behavioral2
  Sample: 3ad62dbb3a75e3ed1ef4dcefe3e162ea_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General

Target: 3ad62dbb3a75e3ed1ef4dcefe3e162ea_JaffaCakes118.exe
Size: 49KB
MD5: 3ad62dbb3a75e3ed1ef4dcefe3e162ea
SHA1: 4b7afc57108da57970c655645b35ba3c689cd724
SHA256: 0711eeff17dc30275d8b5a76b0e650aa305b79605c991aa555004645fc928766
SHA512: 085b77d7b2a7e9802e084fb348535f697c22537ef5d39ef46eedc8c9df9fbb8a90932e5a8ff8d7e72fa12bbbfb321276d2877755762efa4bcbaa1ff06b664233
SSDEEP: 768:VYV7Rmgxdyx7IOVs3YaEJUuXaOEAYD9eh0z77Kci5nbR9AnaUCa8GXfuIJJuk:VYpsgC7Rs4Uk8mMiRbR9AUd1k
Signatures

Blocklisted process makes network request (1 IoC)
  flow 19  PID 1184  rundll32.exe

Loads dropped DLL (2 IoCs)
  PID 2112  3ad62dbb3a75e3ed1ef4dcefe3e162ea_JaffaCakes118.exe
  PID 1184  rundll32.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSServer = "rundll32.exe C:\\Windows\\system32\\cbXRKBrR.dll,#1"  rundll32.exe

Drops file in System32 directory (2 IoCs)
  File opened for modification  C:\Windows\SysWOW64\cbXRKBrR.dll  3ad62dbb3a75e3ed1ef4dcefe3e162ea_JaffaCakes118.exe
  File created  C:\Windows\SysWOW64\cbXRKBrR.dll  3ad62dbb3a75e3ed1ef4dcefe3e162ea_JaffaCakes118.exe

Modifies registry class (4 IoCs)
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}  rundll32.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32  rundll32.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32\ = "C:\\Windows\\SysWow64\\cbXRKBrR.dll"  rundll32.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32\ThreadingModel = "Both"  rundll32.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2112  3ad62dbb3a75e3ed1ef4dcefe3e162ea_JaffaCakes118.exe  (2 entries)
  PID 1184  rundll32.exe  (remaining 62 entries)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege  PID 2112  3ad62dbb3a75e3ed1ef4dcefe3e162ea_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 2112  3ad62dbb3a75e3ed1ef4dcefe3e162ea_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  PID 2112 (3ad62dbb3a75e3ed1ef4dcefe3e162ea_JaffaCakes118.exe) wrote to memory of PID 624   procid_target 5   (1 entry)
  PID 2112 (3ad62dbb3a75e3ed1ef4dcefe3e162ea_JaffaCakes118.exe) wrote to memory of PID 1184  procid_target 88  (3 entries)
  PID 2112 (3ad62dbb3a75e3ed1ef4dcefe3e162ea_JaffaCakes118.exe) wrote to memory of PID 2744  procid_target 89  (3 entries)
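The three persistence signatures above (the DLL dropped into SysWOW64, the Run value that loads it through rundll32, and the CLSID whose InprocServer32 points at it) describe one mechanism, but the report lists them as separate IoCs. The script below is an added example, not tria.ge tooling: it parses event lines in the flattened form this page uses and correlates them by DLL name into a single finding. The EVENTS list is constructed from the IoCs on this page plus one benign Run value that is not from the report; the rule names and the finding fields are this example's own.

```python
"""Correlate dropped-DLL, Run-value and COM InprocServer32 events into one
persistence finding. Added example; EVENTS is constructed from this report's
IoCs plus one benign entry that is not from the report."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

EVENTS = [
    # Registry and file events copied from the report, one per line.
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSServer = "rundll32.exe C:\\Windows\\system32\\cbXRKBrR.dll,#1" rundll32.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} rundll32.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32 rundll32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32\ = "C:\\Windows\\SysWow64\\cbXRKBrR.dll" rundll32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32\ThreadingModel = "Both" rundll32.exe',
    r'File created C:\Windows\SysWOW64\cbXRKBrR.dll 3ad62dbb3a75e3ed1ef4dcefe3e162ea_JaffaCakes118.exe',
    # Constructed benign Run value (not from the report) to show the rules ignore it.
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth = "C:\\Windows\\system32\\SecurityHealthSystray.exe" explorer.exe',
]

SET_VALUE = re.compile(r'^Set value \((?P<type>\w+)\) (?P<path>\S+) = "(?P<data>.*)" (?P<proc>\S+)$')
FILE_EVENT = re.compile(r'^File (?:created|opened for modification) (?P<path>\S+) (?P<proc>\S+)$')
# rundll32 <dll>,<export>; the export is a name or an ordinal such as #1
RUNDLL = re.compile(r'(?i)rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<export>\S+)')
GUID = re.compile(r'\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}')
SYSTEM_DIRS = ('\\windows\\system32\\', '\\windows\\syswow64\\')


def _basename(path):
    """Case-folded file name. The same DLL shows up as system32\\... in the Run
    value (written by a 32-bit process, so the write was redirected) and as
    SysWOW64\\... in the file event, so correlate on the name, not the path."""
    return PureWindowsPath(path).name.lower()


def _unescape(data):
    # The report doubles backslashes inside quoted registry data.
    return data.replace('\\\\', '\\')


def correlate(lines):
    """Group events by DLL name: who dropped it, which Run value loads it,
    which CLSID serves it."""
    by_dll = defaultdict(lambda: {'dropped_by': set(), 'run': [], 'clsid': []})
    for line in lines:
        m = FILE_EVENT.match(line)
        if m:
            p = m['path'].lower()
            if p.endswith('.dll') and any(d in p for d in SYSTEM_DIRS):
                by_dll[_basename(m['path'])]['dropped_by'].add(m['proc'])
            continue
        m = SET_VALUE.match(line)
        if not m:
            continue
        key, _, name = m['path'].rpartition('\\')   # default value has an empty name
        data = _unescape(m['data'])
        if '\\currentversion\\run' in key.lower():     # covers Run and RunOnce
            r = RUNDLL.search(data)
            if r:   # only rundll32-style autostarts, as in this report
                by_dll[_basename(r['dll'])]['run'].append(
                    {'entry': name, 'export': r['export'], 'by': m['proc']})
        elif key.lower().endswith('\\inprocserver32') and name == '' and data.lower().endswith('.dll'):
            g = GUID.search(key)
            by_dll[_basename(data)]['clsid'].append(
                {'clsid': g.group(0) if g else None, 'by': m['proc']})
    return by_dll


def persistence_findings(lines):
    """One finding per DLL that was dropped into a system directory and is also
    wired into an autostart or a COM registration."""
    out = []
    for dll, ev in sorted(correlate(lines).items()):
        if ev['dropped_by'] and (ev['run'] or ev['clsid']):
            out.append({
                'dll': dll,
                'dropped_by': sorted(ev['dropped_by']),
                'run_entry': ev['run'][0]['entry'] if ev['run'] else None,
                'export': ev['run'][0]['export'] if ev['run'] else None,
                'clsid': ev['clsid'][0]['clsid'] if ev['clsid'] else None,
                'registered_by': sorted({e['by'] for e in ev['run'] + ev['clsid']}),
            })
    return out


if __name__ == '__main__':
    for finding in persistence_findings(EVENTS):
        print(finding)
```

On this report the script yields one finding: cbxrkbrr.dll, dropped by the sample, autostarted through the MSServer Run value calling ordinal #1, and registered as the in-process server for CLSID {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}, all registry writes made by rundll32.exe. The constructed SecurityHealth entry is ignored because it does not go through rundll32. Note that the process tree shows the sandbox launched the DLL with the export named a, while the Run value calls ordinal #1; the export field records whichever form the autostart uses.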
Processes

C:\Windows\system32\winlogon.exe
  command line: winlogon.exe
  PID: 624

C:\Users\Admin\AppData\Local\Temp\3ad62dbb3a75e3ed1ef4dcefe3e162ea_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\3ad62dbb3a75e3ed1ef4dcefe3e162ea_JaffaCakes118.exe"
  PID: 2112
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Windows\system32\cbXRKBrR.dll,a
      PID: 1184
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Adds Run key to start application
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses

    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mlJCTMcD.bat "C:\Users\Admin\AppData\Local\Temp\3ad62dbb3a75e3ed1ef4dcefe3e162ea_JaffaCakes118.exe"
      PID: 2744
MITRE ATT&CK Enterprise v15
Downloads

Download 1
  Filesize: 63B
  MD5: af5dedeb191631780afe3251f34d8799
  SHA1: 86a301b3b80745365227560cb72d548ee7b50655
  SHA256: 327033918c0800b5d3efb86e64db9109fdc686ed7564c77a4408915bb4d8324d
  SHA512: 82643be912e77329b041ef31a19543b5401996149d3dd5f840d0d4531a35b7477059d9ac48e3eb7f39a3308feafe74c16244e38a741c29bb98fc6f14c90d569e

Download 2
  Filesize: 36KB
  MD5: 6078ae713210a6ca936e659a0ee77019
  SHA1: f0750194a7afc6c2e3dab598348933c9447b15da
  SHA256: 987c44cc98f35beab26e8f292e87852610b8038ecd995aed0f9793baaf0697e4
  SHA512: 2e675de59a3d8bfab7d9dd6b9f0044418b51ff40ab3f9d3723a3f94a150a5de06e3692332be84d2290fcfe29589e9642bf4273fb245ea4267e3930037a4d0492