Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
Max time kernel: 16s
Max time network: 17s
Platform: windows7_x64
Resource: win7-20240708-en
Resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
Submitted: 11/07/2024, 11:15
Behavioral task: behavioral1
  Sample: 38e2363aba9431952826f6220ef5a28b_JaffaCakes118.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 38e2363aba9431952826f6220ef5a28b_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
Target: 38e2363aba9431952826f6220ef5a28b_JaffaCakes118.exe
Size: 1.1MB
MD5: 38e2363aba9431952826f6220ef5a28b
SHA1: 79f95c14ac20ed9a1181d054f83f99805a593006
SHA256: 9374b8a2267154c59fd7389bd5520510617c4bdf4357f2ad5b2c32ae1c52a2f2
SHA512: 9ccf5c3a0315197b9413b842a3aad74074d8283ffd08e0e863546aeb27d8b6a8427c2f26f694f933924d62881ca284b32c847f143d96c38989422db4e25b3934
SSDEEP: 24576:gdoOXm9XYyfakppqoSvMsSgvcfRjI/IT/bKJq+ax:M1yiGpqgsS1RVqJk
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  PID   Process
  1728  Server crypted.exe

Loads dropped DLL (3 IoCs)
  PID   Process
  2560  38e2363aba9431952826f6220ef5a28b_JaffaCakes118.exe
  1728  Server crypted.exe
  1728  Server crypted.exe

Yara rule match: upx
  Resource                                                                      Rule
  behavioral1/memory/2560-54-0x0000000000400000-0x00000000004DC000-memory.dmp   upx

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (21 IoCs)
  Token                       PID   Process
  33                          2560  38e2363aba9431952826f6220ef5a28b_JaffaCakes118.exe
  SeIncBasePriorityPrivilege  2560  38e2363aba9431952826f6220ef5a28b_JaffaCakes118.exe
  33                          2560  38e2363aba9431952826f6220ef5a28b_JaffaCakes118.exe
  SeIncBasePriorityPrivilege  2560  38e2363aba9431952826f6220ef5a28b_JaffaCakes118.exe
  33                          2560  38e2363aba9431952826f6220ef5a28b_JaffaCakes118.exe
  SeIncBasePriorityPrivilege  2560  38e2363aba9431952826f6220ef5a28b_JaffaCakes118.exe
  33                          2560  38e2363aba9431952826f6220ef5a28b_JaffaCakes118.exe
  SeIncBasePriorityPrivilege  2560  38e2363aba9431952826f6220ef5a28b_JaffaCakes118.exe
  33                          1728  Server crypted.exe
  SeIncBasePriorityPrivilege  1728  Server crypted.exe
  33                          1728  Server crypted.exe
  SeIncBasePriorityPrivilege  1728  Server crypted.exe
  33                          1728  Server crypted.exe
  SeIncBasePriorityPrivilege  1728  Server crypted.exe
  33                          1728  Server crypted.exe
  SeIncBasePriorityPrivilege  1728  Server crypted.exe
  SeDebugPrivilege            1728  Server crypted.exe
  33                          1728  Server crypted.exe
  SeIncBasePriorityPrivilege  1728  Server crypted.exe
  33                          1728  Server crypted.exe
  SeIncBasePriorityPrivilege  1728  Server crypted.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  Description                        PID   Process                                              procid_target
  PID 2560 wrote to memory of 1728   2560  38e2363aba9431952826f6220ef5a28b_JaffaCakes118.exe   30
  PID 2560 wrote to memory of 1728   2560  38e2363aba9431952826f6220ef5a28b_JaffaCakes118.exe   30
  PID 2560 wrote to memory of 1728   2560  38e2363aba9431952826f6220ef5a28b_JaffaCakes118.exe   30
  PID 2560 wrote to memory of 1728   2560  38e2363aba9431952826f6220ef5a28b_JaffaCakes118.exe   30
  PID 1728 wrote to memory of 992    1728  Server crypted.exe                                   31
  PID 1728 wrote to memory of 992    1728  Server crypted.exe                                   31
  PID 1728 wrote to memory of 992    1728  Server crypted.exe                                   31
  PID 1728 wrote to memory of 992    1728  Server crypted.exe                                   31
  PID 1728 wrote to memory of 1548   1728  Server crypted.exe                                   32
  PID 1728 wrote to memory of 1548   1728  Server crypted.exe                                   32
  PID 1728 wrote to memory of 1548   1728  Server crypted.exe                                   32
  PID 1728 wrote to memory of 1548   1728  Server crypted.exe                                   32
Processes
1. Image: C:\Users\Admin\AppData\Local\Temp\38e2363aba9431952826f6220ef5a28b_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\38e2363aba9431952826f6220ef5a28b_JaffaCakes118.exe"
   PID: 2560
   Signatures: Loads dropped DLL; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
   2. Image: C:\Users\Admin\AppData\Local\Xenocode\Sandbox\1.0.0.0\2012.05.06T22.20\Virtual\STUBEXE\@APPDATALOCAL@\Temp\Server crypted.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Server crypted.exe"
      PID: 1728
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      3. Image: C:\Users\Admin\AppData\Local\Xenocode\Sandbox\1.0.0.0\2012.05.06T22.20\Virtual\STUBEXE\@APPDATALOCAL@\Temp\Server crypted.exe
         Command line: "Server crypted.exe"
         PID: 992
      3. Image: C:\Users\Admin\AppData\Local\Xenocode\Sandbox\1.0.0.0\2012.05.06T22.20\Virtual\STUBEXE\@APPDATALOCAL@\Temp\Server crypted.exe
         Command line: "Server crypted.exe"
         PID: 1548
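Read together, the two signature tables and the process tree above carry the chain a detection engineer would want to pull out of this report: the sample (PID 2560) writes into a child whose on-disk image sits under the Xenocode application-virtualization sandbox directory while its command line names %TEMP%; that child (PID 1728) then enables SeDebugPrivilege and writes into two further processes (992 and 1548) that run its own image. The script below is an added example for this page, not part of the Triage report and not Hatching's code. It parses a constructed copy of the report's rows (a subset of the AdjustPrivilegeToken table, all twelve WriteProcessMemory rows, and the PID-to-image mapping from the Processes section), rebuilds the write relationships into a tree, resolves the numeric token the report prints (LUID 33 is SE_INC_WORKING_SET_PRIVILEGE in winnt.h, a Windows SDK fact rather than something this report states), and applies two heuristics. The function names and the "parent wrote into a child running the parent's own image" heuristic are mine; the report itself does not name the injection technique, so the finding is labelled as a pattern, not a verdict.

```python
"""Rebuild the process tree and token-privilege use from Hatching Triage
signature rows.  Added example for this report, not Triage's own code.
ADJUST_ROWS / WPM_ROWS are a constructed copy of this report's tables
(AdjustPrivilegeToken subset, WriteProcessMemory complete); IMAGES is the
PID -> image mapping read off the Processes section."""
import re
from collections import Counter, defaultdict

ADJUST_ROWS = """\
Token: 33 2560 38e2363aba9431952826f6220ef5a28b_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege 2560 38e2363aba9431952826f6220ef5a28b_JaffaCakes118.exe
Token: 33 2560 38e2363aba9431952826f6220ef5a28b_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege 2560 38e2363aba9431952826f6220ef5a28b_JaffaCakes118.exe
Token: 33 1728 Server crypted.exe
Token: SeIncBasePriorityPrivilege 1728 Server crypted.exe
Token: SeDebugPrivilege 1728 Server crypted.exe
Token: 33 1728 Server crypted.exe
Token: SeIncBasePriorityPrivilege 1728 Server crypted.exe
"""

WPM_ROWS = """\
PID 2560 wrote to memory of 1728 2560 38e2363aba9431952826f6220ef5a28b_JaffaCakes118.exe 30
PID 2560 wrote to memory of 1728 2560 38e2363aba9431952826f6220ef5a28b_JaffaCakes118.exe 30
PID 2560 wrote to memory of 1728 2560 38e2363aba9431952826f6220ef5a28b_JaffaCakes118.exe 30
PID 2560 wrote to memory of 1728 2560 38e2363aba9431952826f6220ef5a28b_JaffaCakes118.exe 30
PID 1728 wrote to memory of 992 1728 Server crypted.exe 31
PID 1728 wrote to memory of 992 1728 Server crypted.exe 31
PID 1728 wrote to memory of 992 1728 Server crypted.exe 31
PID 1728 wrote to memory of 992 1728 Server crypted.exe 31
PID 1728 wrote to memory of 1548 1728 Server crypted.exe 32
PID 1728 wrote to memory of 1548 1728 Server crypted.exe 32
PID 1728 wrote to memory of 1548 1728 Server crypted.exe 32
PID 1728 wrote to memory of 1548 1728 Server crypted.exe 32
"""

IMAGES = {2560: "38e2363aba9431952826f6220ef5a28b_JaffaCakes118.exe",
          1728: "Server crypted.exe", 992: "Server crypted.exe", 1548: "Server crypted.exe"}

# winnt.h privilege LUIDs for tokens Triage prints by number rather than name.
# 33 is SE_INC_WORKING_SET_PRIVILEGE (SDK constant, not stated by the report).
LUID_NAMES = {14: "SeIncBasePriorityPrivilege", 20: "SeDebugPrivilege",
              33: "SeIncreaseWorkingSetPrivilege"}

ADJUST_RE = re.compile(r"^Token: (\S+) (\d+) (.+)$")
# fields: writer pid, target pid, writer pid again, writer image, procid_target
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (.+?) (\d+)$")


def parse_privileges(rows):
    """pid -> set of privilege names the process enabled via AdjustTokenPrivileges."""
    privs = defaultdict(set)
    for m in (ADJUST_RE.match(line.strip()) for line in rows.splitlines()):
        if m:
            tok = m.group(1)
            name = LUID_NAMES.get(int(tok), "LUID:" + tok) if tok.isdigit() else tok
            privs[int(m.group(2))].add(name)
    return dict(privs)


def parse_writes(rows):
    """(writer pid, target pid) -> number of rows; identical rows are counted,
    not collapsed, because the report lists each one separately."""
    counts = Counter()
    for m in (WPM_RE.match(line.strip()) for line in rows.splitlines()):
        if m:
            counts[(int(m.group(1)), int(m.group(2)))] += 1
    return dict(counts)


def process_tree(writes):
    """Parent -> children, taking 'wrote to memory of' as the parent/child edge
    (this matches the Processes section of the report)."""
    tree = defaultdict(list)
    for src, dst in sorted(writes):
        tree[src].append(dst)
    return dict(tree)


def findings(privs, writes, images):
    """Two heuristics over the parsed rows (mine, not Triage's signatures)."""
    out = []
    for pid, names in sorted(privs.items()):
        if "SeDebugPrivilege" in names:
            out.append(f"{pid} ({images.get(pid)}) enabled SeDebugPrivilege")
    for (src, dst), n in sorted(writes.items()):
        if images.get(src) == images.get(dst):  # child runs the writer's own image
            out.append(f"{src} wrote {n}x into child {dst} running its own image "
                       f"{images[src]!r}: hollowing/RunPE-style pattern")
    return out


if __name__ == "__main__":
    tree = process_tree(parse_writes(WPM_ROWS))

    def show(pid, depth=0):
        print("  " * depth + f"{pid}  {IMAGES.get(pid)}")
        for child in tree.get(pid, []):
            show(child, depth + 1)

    show(2560)
    for line in findings(parse_privileges(ADJUST_ROWS), parse_writes(WPM_ROWS), IMAGES):
        print("!", line)
```

Running it prints the same three-level tree the Processes section shows and three findings: SeDebugPrivilege on 1728, and the two self-image children 992 and 1548 each receiving four writes. The "same image as writer" check is deliberately narrow; a parent writing into a child that runs a different binary (2560 into 1728 here) is not flagged, since that shape also occurs in benign launchers, and the report gives no memory contents to decide it either way.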
Network
MITRE ATT&CK Enterprise v15
Downloads
\Users\Admin\AppData\Local\Xenocode\Sandbox\1.0.0.0\2012.05.06T22.20\Virtual\STUBEXE\@APPDATALOCAL@\Temp\Server crypted.exe
  Filesize: 17KB
  MD5: 330ef6ca142cd3c1935bb0a68f5e2618
  SHA1: fe2aa356fbcfa656c3518c20f06ff6d04991f0dd
  SHA256: 3357279b9d1694848577d6e0573720d841b2c81cd5a40cbe5d905068180a6a91
  SHA512: 7a0ab2e73640f886a06c923184dd4223d1d1897e97221b74e469bd5deb144535991bdde135f02fe80e1a3df52808450ba3712e49ea9ea8a343067425c458ddf3