Analysis
max time kernel: 150s
max time network: 131s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/07/2024, 15:36
Static task: static1
Behavioral task: behavioral1
  Sample: 3df4a473712e6bb58fd5a9852eb5d77d_JaffaCakes118.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 3df4a473712e6bb58fd5a9852eb5d77d_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
Target: 3df4a473712e6bb58fd5a9852eb5d77d_JaffaCakes118.exe
Size: 248KB
MD5: 3df4a473712e6bb58fd5a9852eb5d77d
SHA1: 1ed60dda775d1ef863b41b1f066bf226b4a69b4c
SHA256: 697b24d18e37bff5e70fec288b2d530cbae54af2a9de845a189745b317ef9c0f
SHA512: beb9f2f742a63769e2ef4e11af81ef66752668b34543aeae743809e10b113001d18630ffb608000d193e8b9e250294d3d30b9a52ce5d0e70ceb892503c0d94a5
SSDEEP: 3072:tVi+tn8dimzJkGGIqH7cDpNi6ehSyiHGO9DuFXWMocft9x:tIdV+wNNSSHHGO9Du1WM/
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  pid   Process
  1144  Garss.exe

Loads dropped DLL (1 IoC)
  pid   Process
  1144  Garss.exe

Drops file in Program Files directory (2 IoCs)
  description                   ioc                         Process
  File opened for modification  C:\Program Files\Garss.exe  3df4a473712e6bb58fd5a9852eb5d77d_JaffaCakes118.exe
  File created                  C:\Program Files\Garss.exe  3df4a473712e6bb58fd5a9852eb5d77d_JaffaCakes118.exe

Runs .reg file with regedit (1 IoC)
  pid   Process
  5028  regedit.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid   Process
  4080  3df4a473712e6bb58fd5a9852eb5d77d_JaffaCakes118.exe
  4080  3df4a473712e6bb58fd5a9852eb5d77d_JaffaCakes118.exe
  4080  3df4a473712e6bb58fd5a9852eb5d77d_JaffaCakes118.exe
  4080  3df4a473712e6bb58fd5a9852eb5d77d_JaffaCakes118.exe
  4080  3df4a473712e6bb58fd5a9852eb5d77d_JaffaCakes118.exe
  4080  3df4a473712e6bb58fd5a9852eb5d77d_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description                          pid   Process
  Token: SeIncBasePriorityPrivilege    4080  3df4a473712e6bb58fd5a9852eb5d77d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description                        pid   Process                                             procid_target
  PID 4080 wrote to memory of 1144   4080  3df4a473712e6bb58fd5a9852eb5d77d_JaffaCakes118.exe  86
  PID 4080 wrote to memory of 1144   4080  3df4a473712e6bb58fd5a9852eb5d77d_JaffaCakes118.exe  86
  PID 4080 wrote to memory of 1144   4080  3df4a473712e6bb58fd5a9852eb5d77d_JaffaCakes118.exe  86
  PID 4080 wrote to memory of 5028   4080  3df4a473712e6bb58fd5a9852eb5d77d_JaffaCakes118.exe  89
  PID 4080 wrote to memory of 5028   4080  3df4a473712e6bb58fd5a9852eb5d77d_JaffaCakes118.exe  89
  PID 4080 wrote to memory of 5028   4080  3df4a473712e6bb58fd5a9852eb5d77d_JaffaCakes118.exe  89
  PID 4080 wrote to memory of 4920   4080  3df4a473712e6bb58fd5a9852eb5d77d_JaffaCakes118.exe  90
  PID 4080 wrote to memory of 4920   4080  3df4a473712e6bb58fd5a9852eb5d77d_JaffaCakes118.exe  90
  PID 4080 wrote to memory of 4920   4080  3df4a473712e6bb58fd5a9852eb5d77d_JaffaCakes118.exe  90
Processes

C:\Users\Admin\AppData\Local\Temp\3df4a473712e6bb58fd5a9852eb5d77d_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3df4a473712e6bb58fd5a9852eb5d77d_JaffaCakes118.exe"
  PID: 4080
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Program Files\Garss.exe
    Command line: "C:\Program Files\Garss.exe" "C:\Documents and Settings\QQCRT.DLL" Main
    PID: 1144
    - Executes dropped EXE
    - Loads dropped DLL

  C:\Windows\SysWOW64\regedit.exe
    Command line: regedit /s C:\1.reg
    PID: 5028
    - Runs .reg file with regedit

  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\3DF4A4~1.EXE > nul
    PID: 4920
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 904B
MD5: 54d0f79ab0efd0617c1269c844d25370
SHA1: 9d3272901c5a555f00e08452fe98fab50ad7d0e8
SHA256: 0aaf709fc2baf645bfe47bc5041ff9b9e396fba5d16ceff8513dc15cf25d3335
SHA512: b109f31ec8c55baf4e1b8452f57831f72dc535c431e32dd021b276896e581f46b6c6642811dd70bff68ded67f348415c71346c61a6225ecececa9f1f597e5dc8

Filesize: 21.1MB
MD5: c8f1c4c69fdaa6f178e097596749b11e
SHA1: 8f44173e9c232bf1e5caa53e745a803410fb646c
SHA256: baf2a2b8637f3fcd3631cc471f9334e8fcd55b73386ee9de037fb2cd82da6cce
SHA512: e743227d65eccfac35515aa246be852ae9ab39f6f037c784febbb1ba3774d0ad87b39810c9586e6a6426dd7a614e223ffaced02ff055b2714741b1a2302f81f6

Filesize: 60KB
MD5: 889b99c52a60dd49227c5e485a016679
SHA1: 8fa889e456aa646a4d0a4349977430ce5fa5e2d7
SHA256: 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
SHA512: 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641