Analysis

max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/07/2024, 20:11
Static task: static1

Behavioral task: behavioral1
  Sample: 432bb2e967e63a9e81fbb18e3fdf4fea_JaffaCakes118.exe
  Resource: win7-20240708-en

Behavioral task: behavioral2
  Sample: 432bb2e967e63a9e81fbb18e3fdf4fea_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General

Target: 432bb2e967e63a9e81fbb18e3fdf4fea_JaffaCakes118.exe
Size: 711KB
MD5: 432bb2e967e63a9e81fbb18e3fdf4fea
SHA1: fe2f329bcf2523b7a38c5a8477c78ade8f28b517
SHA256: c702ffd5f0abd3c624a68212fcc3f6b269c57a7032b17908a0c6f85a3c71cb7f
SHA512: 88361069a769862cfe48b38628ebf2f634c73819d20b8fc2ed15e47e442cbf45e54e25573248218aa1f3a64f83407e57c0f86c50f84a39fc5a7b6cc9c1b960b1
SSDEEP: 12288:FMViJAFvKqrhxrVsVpp7gx6v6XzD/Dgg6P7EBf8tsMm9nAO3BT5UyFLr:SiKFv5jsHp7iXzDaP7+6O3B9F3
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  pid   Process
  1508  servers.exe

Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process      procid_target
  PID 1508 set thread context of 3404  1508  servers.exe  96

Drops file in Windows directory (2 IoCs)
  description                   ioc                     Process
  File created                  C:\Windows\servers.exe  432bb2e967e63a9e81fbb18e3fdf4fea_JaffaCakes118.exe
  File opened for modification  C:\Windows\servers.exe  432bb2e967e63a9e81fbb18e3fdf4fea_JaffaCakes118.exe

Program crash (5 IoCs)
  pid   pid_target  Process       procid_target
  680   5084        WerFault.exe  82
  4224  5084        WerFault.exe  82
  5024  1508        WerFault.exe  91
  1268  1508        WerFault.exe  91
  3408  3404        WerFault.exe  96

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  5084  432bb2e967e63a9e81fbb18e3fdf4fea_JaffaCakes118.exe
  Token: SeDebugPrivilege  1508  servers.exe

Suspicious use of WriteProcessMemory (5 IoCs)
  description                       pid   Process      procid_target
  PID 1508 wrote to memory of 3404  1508  servers.exe  96
  PID 1508 wrote to memory of 3404  1508  servers.exe  96
  PID 1508 wrote to memory of 3404  1508  servers.exe  96
  PID 1508 wrote to memory of 3404  1508  servers.exe  96
  PID 1508 wrote to memory of 3404  1508  servers.exe  96
Processes

C:\Users\Admin\AppData\Local\Temp\432bb2e967e63a9e81fbb18e3fdf4fea_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\432bb2e967e63a9e81fbb18e3fdf4fea_JaffaCakes118.exe"
  PID: 5084
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 220
      PID: 680
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 228
      PID: 4224
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5084 -ip 5084
  PID: 852

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 5084 -ip 5084
  PID: 944

C:\Windows\servers.exe
  command line: C:\Windows\servers.exe
  PID: 1508
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 216
      PID: 5024
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 224
      PID: 1268
      - Program crash

    C:\WINDOWS\SysWOW64\svchost.exe
      command line: C:\WINDOWS\system32\svchost.exe
      PID: 3404

        C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3404 -s 12
          PID: 3408
          - Program crash

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1508 -ip 1508
  PID: 1544

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1508 -ip 1508
  PID: 1180

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3404 -ip 3404
  PID: 536
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 711KB
MD5: 432bb2e967e63a9e81fbb18e3fdf4fea
SHA1: fe2f329bcf2523b7a38c5a8477c78ade8f28b517
SHA256: c702ffd5f0abd3c624a68212fcc3f6b269c57a7032b17908a0c6f85a3c71cb7f
SHA512: 88361069a769862cfe48b38628ebf2f634c73819d20b8fc2ed15e47e442cbf45e54e25573248218aa1f3a64f83407e57c0f86c50f84a39fc5a7b6cc9c1b960b1