Analysis
max time kernel: 150s
max time network: 134s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 14/07/2024, 06:31
Static task: static1
Behavioral task: behavioral1
  Sample: 44b317f22e4f8b434457bd4e716ffcdf_JaffaCakes118.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 44b317f22e4f8b434457bd4e716ffcdf_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
Target: 44b317f22e4f8b434457bd4e716ffcdf_JaffaCakes118.exe
Size: 354KB
MD5: 44b317f22e4f8b434457bd4e716ffcdf
SHA1: 69178bd12b0cf4224fea5ddc0b4d4da450a9bab3
SHA256: 9108997ed7a98a7abe8ff92f631c4a0d48ecebdaee9511707da9127a9ec55dcc
SHA512: 7e9a0cedbdaadd36a8d40d7cc41e3a495d830db080229c9a3b155d4a9508edd5a0272819f96bb53b105f47562e5f065ff7a30edcc6afd02863ad055ac3320d7b
SSDEEP: 6144:WiOgCOUoL9sewNglEO/JUYfxVc5Iv01RtazG3TpqRIjVCZFmrMD2u5LYeaszuQ:Tpso/+8Pc5IsWhKjAtD/5LraO
Malware Config
Signatures
Deletes itself (1 IoCs)
  pid 2056  eMkHfBf17902.exe
Executes dropped EXE (1 IoCs)
  pid 2056  eMkHfBf17902.exe
Loads dropped DLL (2 IoCs)
  pid 2536  44b317f22e4f8b434457bd4e716ffcdf_JaffaCakes118.exe
  pid 2536  44b317f22e4f8b434457bd4e716ffcdf_JaffaCakes118.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\eMkHfBf17902 = "C:\\ProgramData\\eMkHfBf17902\\eMkHfBf17902.exe"
  Process: eMkHfBf17902.exe
Modifies Internet Explorer settings
  Key created: \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main
  Process: eMkHfBf17902.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 2536  44b317f22e4f8b434457bd4e716ffcdf_JaffaCakes118.exe
  pid 2056  eMkHfBf17902.exe
  (64 events in total; an initial run from pid 2536, then alternating between pid 2056 and pid 2536)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  pid 2536  44b317f22e4f8b434457bd4e716ffcdf_JaffaCakes118.exe
  Token: SeDebugPrivilege  pid 2056  eMkHfBf17902.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
  pid 2056  eMkHfBf17902.exe (2 events)
Suspicious use of SendNotifyMessage (2 IoCs)
  pid 2056  eMkHfBf17902.exe (2 events)
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 2056  eMkHfBf17902.exe (2 events)
Suspicious use of WriteProcessMemory (4 IoCs)
  PID 2536 (44b317f22e4f8b434457bd4e716ffcdf_JaffaCakes118.exe) wrote to memory of PID 2056, procid_target 29 (4 events)
Processes
1. C:\Users\Admin\AppData\Local\Temp\44b317f22e4f8b434457bd4e716ffcdf_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\44b317f22e4f8b434457bd4e716ffcdf_JaffaCakes118.exe"
   PID: 2536
   - Loads dropped DLL
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\ProgramData\eMkHfBf17902\eMkHfBf17902.exe (child of PID 2536)
      Command line: "C:\ProgramData\eMkHfBf17902\eMkHfBf17902.exe" "C:\Users\Admin\AppData\Local\Temp\44b317f22e4f8b434457bd4e716ffcdf_JaffaCakes118.exe"
      PID: 2056
      - Deletes itself
      - Executes dropped EXE
      - Adds Run key to start application
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
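The process tree and the signatures above describe one chain: the sample in the user's Temp directory drops an executable under C:\ProgramData\<random>\, launches it with the sample's own path as a command-line argument, and the child then sets a HKCU RunOnce value pointing at itself and deletes the original ("Deletes itself" is attributed to PID 2056, not to the sample). The following is an added example, not part of the tria.ge report: detection logic that correlates Sysmon-style ProcessCreate (Event 1), RegistryEvent value-set (Event 13) and FileDelete (Event 23/26) records by PID and flags a process that matches two or more stages of that chain. The event records are constructed to mirror the report's PIDs and paths; field names follow Sysmon's schema, and the benign "setup.exe" event is an assumption added as noise.

```python
import re
from dataclasses import dataclass, field

# Patterns derived from the behaviour in this report.
PROGRAMDATA_EXE = re.compile(r'^"?C:\\ProgramData\\[^\\"]+\\[^\\"]+\.exe"?$', re.I)
USER_TEMP = re.compile(r'\\AppData\\Local\\Temp\\', re.I)
RUNONCE = re.compile(r'\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\', re.I)


@dataclass
class Finding:
    pid: int
    image: str
    reasons: list = field(default_factory=list)


def _strip(s):
    return s.strip().strip('"')


def analyze(events):
    """Correlate Sysmon-style events by PID; return {pid: Finding} for processes
    that match at least two stages of the drop / persist / self-delete chain."""
    findings = {}
    handed_path = {}  # child pid -> path it received on its command line (its parent's image)

    def flag(pid, image, reason):
        f = findings.setdefault(pid, Finding(pid, image))
        if reason not in f.reasons:
            f.reasons.append(reason)

    for ev in events:
        pid, eid = ev["ProcessId"], ev["EventID"]
        if eid == 1:  # ProcessCreate
            image = ev["Image"]
            if PROGRAMDATA_EXE.match(image) and USER_TEMP.search(ev["ParentImage"]):
                flag(pid, image, "exe under C:\\ProgramData\\<dir>\\ spawned from user Temp")
            # Parent passes its own path as an argument so the child can delete it later.
            args = re.findall(r'"([^"]+)"', ev["CommandLine"])[1:]
            for a in args:
                if a.lower() == ev["ParentImage"].lower():
                    handed_path[pid] = a
                    flag(pid, image, "launched with its parent's own path as an argument")
        elif eid == 13:  # RegistryEvent (Value Set)
            if RUNONCE.search(ev["TargetObject"]) and PROGRAMDATA_EXE.match(_strip(ev["Details"])):
                flag(pid, ev["Image"], "Run/RunOnce value pointing at exe under C:\\ProgramData")
        elif eid in (23, 26):  # FileDelete / FileDeleteDetected
            if ev["TargetFilename"].lower() == handed_path.get(pid, "").lower():
                flag(pid, ev["Image"], "deleted the parent executable whose path it was handed")

    return {pid: f for pid, f in findings.items() if len(f.reasons) >= 2}


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\44b317f22e4f8b434457bd4e716ffcdf_JaffaCakes118.exe"
DROPPED = r"C:\ProgramData\eMkHfBf17902\eMkHfBf17902.exe"

# Constructed events mirroring the report's process tree (not captured from the page).
EVENTS = [
    {"EventID": 1, "ProcessId": 2536, "Image": SAMPLE, "CommandLine": f'"{SAMPLE}"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 2056, "Image": DROPPED,
     "CommandLine": f'"{DROPPED}" "{SAMPLE}"', "ParentImage": SAMPLE},
    {"EventID": 13, "ProcessId": 2056, "Image": DROPPED,
     "TargetObject": r"HKU\S-1-5-21-1506706701-1246725540-2219210854-1000"
                     r"\Software\Microsoft\Windows\CurrentVersion\RunOnce\eMkHfBf17902",
     "Details": DROPPED},
    {"EventID": 23, "ProcessId": 2056, "Image": DROPPED, "TargetFilename": SAMPLE},
    # Assumed benign noise: an installer in Temp spawning a child under Program Files.
    {"EventID": 1, "ProcessId": 3000, "Image": r"C:\Program Files\Foo\foo.exe",
     "CommandLine": r'"C:\Program Files\Foo\foo.exe"',
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\setup.exe"},
]

if __name__ == "__main__":
    for f in analyze(EVENTS).values():
        print(f"PID {f.pid}  {f.image}")
        for r in f.reasons:
            print("  -", r)
```

Requiring two independent stages keeps a single ProgramData executable spawned by an installer from firing on its own; the RunOnce-plus-self-delete pairing is what distinguishes this chain. On Windows 7 the same RunOnce path is visible in the report under its native \REGISTRY\USER\<SID>\ form, which the regex tolerates.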
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 354KB
MD5: e2c920fab459fa9faf0b3dd0a3589b0a
SHA1: dd965074b203b30f633ab6ba79cf307f7c637836
SHA256: 9adf81029ad302426978adb14ead34a311e72ccd127f25c466442053b01b206e
SHA512: 837ff90963cd7252564e678cff117c023864781981c843fc2aff532003344fe678945cf625420c65f0ca50ce92a5f424127d2d76a1b41c80a183ce72c6083737