Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14/07/2024, 13:46
Static task
- static1
Behavioral task
- behavioral1: sample 46143d2dcb939fe3cce62ea2c8401aec_JaffaCakes118.exe, resource win7-20240704-en
Behavioral task
- behavioral2: sample 46143d2dcb939fe3cce62ea2c8401aec_JaffaCakes118.exe, resource win10v2004-20240709-en
General
- Target: 46143d2dcb939fe3cce62ea2c8401aec_JaffaCakes118.exe
- Size: 120KB
- MD5: 46143d2dcb939fe3cce62ea2c8401aec
- SHA1: 6d9b033fc1571793a90f9e4d99305e3f137dd811
- SHA256: c920c5c4f7b71c16aacfddc895cae009a222520ffab21ee19017256d87e1a26d
- SHA512: 00e0bb6db40c5b7c111cfd3f3d3923213ccf9c76d00802f1b06aea35e4eee66a3ccdfdd264d110e25cad6636a40eb87866ffea0d4e869aec2cb34a13d312d560
- SSDEEP: 3072:hGN9qJK8zxBf/+L8Cabilf6N4wT6o8K8GthgB/w:W9ixBebaE65
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  PID 436  snss.exe
- Drops file in Windows directory (5 IoCs)
  File created                  C:\Windows\snss.lnk   46143d2dcb939fe3cce62ea2c8401aec_JaffaCakes118.exe
  File opened for modification  C:\Windows\ff.bat     46143d2dcb939fe3cce62ea2c8401aec_JaffaCakes118.exe
  File created                  C:\Windows\snss.exe   cmd.exe
  File opened for modification  C:\Windows\snss.exe   cmd.exe
  File opened for modification  C:\Windows\snss1.exe  46143d2dcb939fe3cce62ea2c8401aec_JaffaCakes118.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Kills process with taskkill (1 IoC)
  PID 808  taskkill.exe
- Runs ping.exe (1 TTP, 5 IoCs)
  PID 4776  PING.EXE
  PID 4596  PING.EXE
  PID 1928  PING.EXE
  PID 1468  PING.EXE
  PID 2916  PING.EXE
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege  PID 808  taskkill.exe
- Suspicious use of WriteProcessMemory (24 IoCs; each parent/child pair was recorded three times)
  PID 1268 wrote to memory of 1684  46143d2dcb939fe3cce62ea2c8401aec_JaffaCakes118.exe  procid_target 84  (x3)
  PID 1684 wrote to memory of 4776  cmd.exe  procid_target 86  (x3)
  PID 1684 wrote to memory of 4596  cmd.exe  procid_target 89  (x3)
  PID 1684 wrote to memory of 1928  cmd.exe  procid_target 90  (x3)
  PID 1684 wrote to memory of 1468  cmd.exe  procid_target 91  (x3)
  PID 1684 wrote to memory of 2916  cmd.exe  procid_target 92  (x3)
  PID 1684 wrote to memory of 808   cmd.exe  procid_target 93  (x3)
  PID 1684 wrote to memory of 436   cmd.exe  procid_target 95  (x3)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\46143d2dcb939fe3cce62ea2c8401aec_JaffaCakes118.exe (PID 1268)
  Command line: "C:\Users\Admin\AppData\Local\Temp\46143d2dcb939fe3cce62ea2c8401aec_JaffaCakes118.exe"
  Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe (PID 1684)
    Command line: C:\Windows\system32\cmd.exe /c C:\Windows\ff.bat
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\PING.EXE (PID 4776)
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
    - [3] C:\Windows\SysWOW64\PING.EXE (PID 4596)
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
    - [3] C:\Windows\SysWOW64\PING.EXE (PID 1928)
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
    - [3] C:\Windows\SysWOW64\PING.EXE (PID 1468)
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
    - [3] C:\Windows\SysWOW64\PING.EXE (PID 2916)
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
    - [3] C:\Windows\SysWOW64\taskkill.exe (PID 808)
      Command line: taskkill /im snss.exe
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\snss.exe (PID 436)
      Command line: "C:\Windows\snss.exe"
      Signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 581B
  MD5: df0dcc0c8115b89296f85865537891c7
  SHA1: a107b1947f6095c984df2639f148d699cdf86b66
  SHA256: 94d454be9f4bddf2bed180881bb90b75c6eb4c8f3b87b0960c8057ecdae87020
  SHA512: 870c34fa985f8ee2d683e261fce78e3b59da494f36d54ee52bc1bb6191233c8ba6b8aeb334bd09b11d783a9673b9d52358d1a63782a1e6d075348040490b6a73
- Filesize: 1KB
  MD5: 8370b2e0c1cb4e1b5db16168684ca13d
  SHA1: 449fd15ff029621ef095bbdf6994276eb5afc8a1
  SHA256: e15b38b0b7a66399a6ae32dae6b1590e54f83eb5ca642f5e8b231dceb2cc10ff
  SHA512: 52af3d0aff0745093aa839c412dbbe6789aa31b8548631073e4657aad9e7d5484b452830b187c76a9790000b378a8c0b019d24ed752d74b3a2bdea3c8d8f2da2
- Filesize: 120KB (hashes identical to the submitted sample)
  MD5: 46143d2dcb939fe3cce62ea2c8401aec
  SHA1: 6d9b033fc1571793a90f9e4d99305e3f137dd811
  SHA256: c920c5c4f7b71c16aacfddc895cae009a222520ffab21ee19017256d87e1a26d
  SHA512: 00e0bb6db40c5b7c111cfd3f3d3923213ccf9c76d00802f1b06aea35e4eee66a3ccdfdd264d110e25cad6636a40eb87866ffea0d4e869aec2cb34a13d312d560
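The process tree in this report shows a common drop-and-relaunch sequence: cmd.exe runs C:\Windows\ff.bat, which calls `ping 127.0.0.1` five times (the batch-file idiom for a short delay), runs `taskkill /im snss.exe` to stop any earlier copy, then starts the dropped C:\Windows\snss.exe. The 120KB entry in Downloads carries exactly the hashes of the submitted sample, so that dropped copy is byte-identical to the original. The Python below is an added example and not part of the Triage report or its detection logic: it rebuilds the tree from event records constructed from this report's Processes section, flags the sleep/kill/relaunch chain under a cmd.exe that runs a .bat from C:\Windows, and reports which dropped artefacts are self-copies of the sample. The `min_pings` threshold and the regular expressions are my assumptions, chosen for this pattern, not Triage's rules.

```python
"""Rebuild a sandbox process tree and flag the ping-sleep / taskkill / relaunch chain.

Added example. EVENTS and DOWNLOADS are constructed from the report above
(pid, parent pid, image path, command line); they are not a live log feed.
"""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\46143d2dcb939fe3cce62ea2c8401aec_JaffaCakes118.exe"

# Constructed from the report's Processes section: (pid, parent_pid, image, command_line)
EVENTS = [
    (1268, None, SAMPLE, f'"{SAMPLE}"'),
    (1684, 1268, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe /c C:\Windows\ff.bat"),
    (4776, 1684, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
    (4596, 1684, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
    (1928, 1684, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
    (1468, 1684, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
    (2916, 1684, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
    (808, 1684, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /im snss.exe"),
    (436, 1684, r"C:\Windows\snss.exe", r'"C:\Windows\snss.exe"'),
]

# Constructed from the report's Downloads section: (size label, sha256)
SAMPLE_SHA256 = "c920c5c4f7b71c16aacfddc895cae009a222520ffab21ee19017256d87e1a26d"
DOWNLOADS = [
    ("581B", "94d454be9f4bddf2bed180881bb90b75c6eb4c8f3b87b0960c8057ecdae87020"),
    ("1KB", "e15b38b0b7a66399a6ae32dae6b1590e54f83eb5ca642f5e8b231dceb2cc10ff"),
    ("120KB", "c920c5c4f7b71c16aacfddc895cae009a222520ffab21ee19017256d87e1a26d"),
]

# Assumed idiom: "ping [-n N] 127.0.0.1" used purely as a delay in batch scripts.
PING_SLEEP = re.compile(r"^ping(\.exe)?\s+(-n\s+\d+\s+)?127\.0\.0\.1\b", re.I)
BAT_IN_WINDOWS = re.compile(r"(c:\\windows\\[^\s\"]+\.bat)", re.I)
EXE_DIRECTLY_IN_WINDOWS = re.compile(r"^c:\\windows\\[^\\]+\.exe$", re.I)


def build_tree(events):
    """Return (children, info): pid -> child pids in spawn order, pid -> (image, cmdline)."""
    children = defaultdict(list)
    info = {}
    for pid, ppid, image, cmdline in events:
        info[pid] = (image, cmdline)
        if ppid is not None:
            children[ppid].append(pid)
    return children, info


def render_tree(children, info, root, depth=0):
    """Indented text rendering of the subtree under `root`, one process per line."""
    lines = [f"{'  ' * depth}{info[root][0]} [{root}]"]
    for child in children[root]:
        lines.extend(render_tree(children, info, child, depth + 1))
    return lines


def find_bat_relaunch(events, min_pings=3):
    """Flag cmd.exe processes that run a .bat from C:\\Windows whose children show
    >= min_pings loopback pings, a taskkill, and an EXE started from C:\\Windows."""
    children, info = build_tree(events)
    findings = []
    for pid, (image, cmdline) in info.items():
        if not image.lower().endswith("\\cmd.exe"):
            continue
        script = BAT_IN_WINDOWS.search(cmdline)
        if not script:
            continue
        kids = [info[c] for c in children[pid]]
        pings = sum(1 for _, cl in kids if PING_SLEEP.match(cl.strip()))
        kills = [cl for img, cl in kids if img.lower().endswith("\\taskkill.exe")]
        launched = [img for img, _ in kids if EXE_DIRECTLY_IN_WINDOWS.match(img)]
        if pings >= min_pings and kills and launched:
            findings.append({
                "cmd_pid": pid,
                "script": script.group(1),
                "ping_sleeps": pings,
                "taskkill": kills,
                "relaunched": launched,
            })
    return findings


def self_copies(sample_sha256, downloads):
    """Size labels of dropped artefacts whose SHA-256 equals the submitted sample."""
    return [size for size, digest in downloads if digest.lower() == sample_sha256.lower()]


if __name__ == "__main__":
    children, info = build_tree(EVENTS)
    print("\n".join(render_tree(children, info, 1268)))
    for f in find_bat_relaunch(EVENTS):
        print("drop-and-relaunch chain:", f)
    print("byte-identical copies of the sample:", self_copies(SAMPLE_SHA256, DOWNLOADS))
```

The check keys on structure rather than on the file name `snss.exe`, so it also fires on a renamed dropper that keeps the same batch-file sequence; tune `min_pings` if legitimate installers on a given estate use a single loopback ping as a pause.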