Analysis
max time kernel: 135s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/07/2024, 11:11
Static task: static1
Behavioral task: behavioral1
    Sample: 416db420e781c709bb71acee0b79282f_JaffaCakes118.exe
    Resource: win7-20240704-en
Behavioral task: behavioral2
    Sample: 416db420e781c709bb71acee0b79282f_JaffaCakes118.exe
    Resource: win10v2004-20240709-en
General
Target: 416db420e781c709bb71acee0b79282f_JaffaCakes118.exe
Size: 557KB
MD5: 416db420e781c709bb71acee0b79282f
SHA1: bdd2bae83c3bab9ba0c199492fe57e70c6425dd3
SHA256: 4bcb2a5d99297b30f8ff00e08cf7330d5e2f69fc602bb317bf8e9f703a137a99
SHA512: 31a229abfc2e7039db7e5bb8510cdd89b0ef4d2ea1e22293cb9cc26a4f73ac07dd2456e0b0ac30000d43f20b87c4abdd53fdb7556912da66824406e98347df5e
SSDEEP: 12288:6cdkVE1wqnLHHP1W0Tilcyy3VLk3BWpC/c3fvYQuObIk:XOXqLHHNWy3VLk31k3fA
Malware Config
Signatures

Executes dropped EXE (1 IoC)
    pid  | Process
    3636 | atiapfxx.exe

Loads dropped DLL (1 IoC)
    pid  | Process
    3636 | atiapfxx.exe

Kills process with taskkill (1 IoC)
    pid  | Process
    3456 | taskkill.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
    description              | pid  | Process
    Token: SeDebugPrivilege  | 3456 | taskkill.exe

Suspicious use of WriteProcessMemory (18 IoCs)
    description                       | pid  | Process                                             | procid_target
    PID 2008 wrote to memory of 3040  | 2008 | 416db420e781c709bb71acee0b79282f_JaffaCakes118.exe | 85
    PID 2008 wrote to memory of 3040  | 2008 | 416db420e781c709bb71acee0b79282f_JaffaCakes118.exe | 85
    PID 2008 wrote to memory of 3040  | 2008 | 416db420e781c709bb71acee0b79282f_JaffaCakes118.exe | 85
    PID 2008 wrote to memory of 2516  | 2008 | 416db420e781c709bb71acee0b79282f_JaffaCakes118.exe | 93
    PID 2008 wrote to memory of 2516  | 2008 | 416db420e781c709bb71acee0b79282f_JaffaCakes118.exe | 93
    PID 2008 wrote to memory of 2516  | 2008 | 416db420e781c709bb71acee0b79282f_JaffaCakes118.exe | 93
    PID 2008 wrote to memory of 3636  | 2008 | 416db420e781c709bb71acee0b79282f_JaffaCakes118.exe | 95
    PID 2008 wrote to memory of 3636  | 2008 | 416db420e781c709bb71acee0b79282f_JaffaCakes118.exe | 95
    PID 2008 wrote to memory of 3636  | 2008 | 416db420e781c709bb71acee0b79282f_JaffaCakes118.exe | 95
    PID 3636 wrote to memory of 3460  | 3636 | atiapfxx.exe                                        | 96
    PID 3636 wrote to memory of 3460  | 3636 | atiapfxx.exe                                        | 96
    PID 3636 wrote to memory of 3460  | 3636 | atiapfxx.exe                                        | 96
    PID 3460 wrote to memory of 3456  | 3460 | cmd.exe                                             | 98
    PID 3460 wrote to memory of 3456  | 3460 | cmd.exe                                             | 98
    PID 3460 wrote to memory of 3456  | 3460 | cmd.exe                                             | 98
    PID 3636 wrote to memory of 216   | 3636 | atiapfxx.exe                                        | 100
    PID 3636 wrote to memory of 216   | 3636 | atiapfxx.exe                                        | 100
    PID 3636 wrote to memory of 216   | 3636 | atiapfxx.exe                                        | 100
Processes

[1] C:\Users\Admin\AppData\Local\Temp\416db420e781c709bb71acee0b79282f_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\416db420e781c709bb71acee0b79282f_JaffaCakes118.exe"
    PID: 2008
    Signatures: Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: /c time /T
        PID: 3040

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: /c time /T
        PID: 2516

    [2] C:\Users\Admin\AppData\Roaming\ATI\atiapfxx.exe
        Command line: C:\Users\Admin\AppData\Roaming\ATI\atiapfxx.exe C:\Users\Admin\AppData\Roaming\ATI\atisamu32.dll, ADL2_Display_Regamma_Set pid=2008 "C:\Users\Admin\AppData\Local\Temp\416db420e781c709bb71acee0b79282f_JaffaCakes118.exe"
        PID: 3636
        Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: /Q /C TASKKILL /F /PID 2008 > NUL & DEL /F /Q C:\Users\Admin\AppData\Local\Temp\416db420e781c709bb71acee0b79282f_JaffaCakes118.exe > NUL
            PID: 3460
            Signatures: Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\taskkill.exe
                Command line: TASKKILL /F /PID 2008
                PID: 3456
                Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: /c time /T
            PID: 216
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 60KB
MD5: 889b99c52a60dd49227c5e485a016679
SHA1: 8fa889e456aa646a4d0a4349977430ce5fa5e2d7
SHA256: 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
SHA512: 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Filesize: 812KB
MD5: da311c2005e7580c662d1911dbee49c0
SHA1: 26d030c93c517d63147f502bf6536c3914698821
SHA256: cd7ec70cbd88620acc499cee175309c87f0f4d2de5bbc99fd525c62cc25441d5
SHA512: 06adf8403bdb1fb434af028ea594cc7d53f38bad9d393966553656a630ec9f5e67163a531cd317e1f9c9ecff88343dd4e590ee1241bf098a418b7cdaa79d4bbd

Filesize: 5KB
MD5: d1440f0f6ded17896b0cf85e87915d65
SHA1: 3b297f0ca7750c0c74e5f931fec1528fe1ba6bc9
SHA256: 1c14172ed934e77fea0e0ea435c3a736fad22df4aadba679b9f7523e24cfad86
SHA512: 3c3b78afd859014dc62328be401a5e4637bb600a5ae7c385523d175f4e019fba20e471d6b21242cee6fe537810074e19b2ace5a8bd106d8787c163362de48172