Analysis
Max time kernel: 150s
Max time network: 152s
Platform: windows10-2004_x64
Resource: win10v2004-20240709-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 15/07/2024, 11:38
Static task: static1
Behavioral task: behavioral1
  Sample: 499de033296b91bb87a8d7d043b929b0_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 499de033296b91bb87a8d7d043b929b0_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
Target: 499de033296b91bb87a8d7d043b929b0_JaffaCakes118.exe
Size: 24KB
MD5: 499de033296b91bb87a8d7d043b929b0
SHA1: f0094815d31f8912f4aa582689696fda7c1e16d4
SHA256: 331c0b59e82feb04a7c4fc326b5a49f53738aec7ff4158d74f338e122c1f40d9
SHA512: 12119f23ba7b22f7710bff7896b8241ffcc88e165e2cfaa75cbd598175f47435367495117b40f52ec189ba7211bdf60066db7e88815c24ec557092a8a83484e3
SSDEEP: 384:E3eVES+/xwGkRKJalM61qmTTMVF9/q5F0:bGS+ZfbJaO8qYoAK
Malware Config
Signatures
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Start GeekBuddy = "C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033\spoolsv.exe"
  Process: 499de033296b91bb87a8d7d043b929b0_JaffaCakes118.exe
  The WOW6432Node key is the 32-bit registry view, consistent with the x86 sample running under SysWOW64 below. spoolsv.exe is the name of the Windows Print Spooler service binary, which legitimately lives only in %SystemRoot%\System32; a copy under Program Files\Common Files\...\Web Folders\1033 is a name masquerade, so hunt for the Run value name "Start GeekBuddy" and for any spoolsv.exe outside System32.
Drops file in Program Files directory (1 IoC)
  File created: C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033\spoolsv.exe
  Process: 499de033296b91bb87a8d7d043b929b0_JaffaCakes118.exe
Enumerates processes with tasklist (1 TTP, 1 IoC)
  PID 1424 tasklist.exe
Gathers network information (2 TTPs, 2 IoCs)
  Uses command-line utilities to view the network configuration.
  PID 3316 ipconfig.exe
  PID 368 NETSTAT.EXE
Runs net.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 1424 tasklist.exe
  Token: SeDebugPrivilege, PID 368 NETSTAT.EXE
Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 2996 499de033296b91bb87a8d7d043b929b0_JaffaCakes118.exe (recorded twice)
Suspicious use of WriteProcessMemory (21 IoCs)
  Each source/target pair is recorded three times (7 pairs, 21 IoCs). The pairs are exactly the parent/child relationships in the process tree below, i.e. the parent writing into a freshly created child.
  Source PID  Source process                                        Target PID  procid_target
  2996        499de033296b91bb87a8d7d043b929b0_JaffaCakes118.exe    1508        84
  1508        cmd.exe                                               2044        86
  1508        cmd.exe                                               3316        87
  1508        cmd.exe                                               1424        89
  1508        cmd.exe                                               3044        92
  3044        net.exe                                               3696        93
  1508        cmd.exe                                               368         94
Processes
C:\Users\Admin\AppData\Local\Temp\499de033296b91bb87a8d7d043b929b0_JaffaCakes118.exe (PID 2996)
  Command line: "C:\Users\Admin\AppData\Local\Temp\499de033296b91bb87a8d7d043b929b0_JaffaCakes118.exe"
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (PID 1508)
    Command line: cmd /c ver >c:\windows\temp\flash.log & cmd /c set >>c:\windows\temp\flash.log & ipconfig /all >>c:\windows\temp\flash.log & tasklist >>c:\windows\temp\flash.log & net start>>c:\windows\temp\flash.log & netstat -an >>c:\windows\temp\flash.log
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 2044)
      Command line: cmd /c set
    C:\Windows\SysWOW64\ipconfig.exe (PID 3316)
      Command line: ipconfig /all
      - Gathers network information
    C:\Windows\SysWOW64\tasklist.exe (PID 1424)
      Command line: tasklist
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\net.exe (PID 3044)
      Command line: net start
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net1.exe (PID 3696)
        Command line: C:\Windows\system32\net1 start
    C:\Windows\SysWOW64\NETSTAT.EXE (PID 368)
      Command line: netstat -an
      - Gathers network information
      - Suspicious use of AdjustPrivilegeToken

The single cmd.exe command line collects the OS version, environment variables, IP configuration, process list, running services and open connections, and appends all of it to one staging file, c:\windows\temp\flash.log. `ver` runs inside cmd.exe as a builtin, so it produces no child process; `set` was wrapped in its own `cmd /c`, which is why a second cmd.exe (PID 2044) appears. The presence of c:\windows\temp\flash.log on a host is the simplest post-infection artifact to check for, alongside the Run key and dropped spoolsv.exe above. No network activity is recorded in this run, so what the sample does with the collected file is not shown by this report.
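The two behaviours this report records, Run-key persistence of a spoolsv.exe outside System32 and a cmd.exe discovery chain funnelled into one file, are what a detection engineer would want to catch on live telemetry. The following is an added example, not code from tria.ge or from the sample: it runs detection logic over constructed process-creation and registry events that mirror the process tree and IoCs above. The event dictionaries are a hypothetical normalisation of EDR/Sysmon data, not a tria.ge export format, and the list of discovery tools and the "only System32 is legitimate" rule are assumptions of the example.

```python
"""Added example, not part of the tria.ge report or the sample: detection logic
for the two behaviours recorded above (Run-key persistence of a masquerading
spoolsv.exe, and a cmd.exe discovery chain funnelled into one log file), run
over constructed events that mirror the report's process tree and IoCs.
The event dicts are a hypothetical normalisation of EDR/Sysmon telemetry."""
import re
from collections import defaultdict

# Discovery utilities the sample chains, plus common siblings (assumption).
DISCOVERY_TOOLS = {"ipconfig.exe", "tasklist.exe", "net.exe", "netstat.exe",
                   "systeminfo.exe", "whoami.exe", "arp.exe"}
# The only directory the genuine Print Spooler binary is installed in.
LEGIT_SPOOLSV_DIR = r"c:\windows\system32"
# '>file' and '>>file' redirections in a cmd.exe command line.
REDIRECT_RE = re.compile(r">{1,2}\s*(\S+)")


def basename(path):
    return path.strip('"').lower().rsplit("\\", 1)[-1]


def dirname(path):
    return path.strip('"').lower().rsplit("\\", 1)[0]


def redirect_targets(cmdline):
    """Lower-cased set of files a command line redirects output into."""
    return {t.lower() for t in REDIRECT_RE.findall(cmdline)}


def check_run_key(event):
    """Flag a Run-key value that launches 'spoolsv.exe' from outside System32."""
    if event["type"] != "registry_set":
        return None
    if "\\currentversion\\run\\" not in event["key"].lower():
        return None
    image = event["value"]
    if basename(image) == "spoolsv.exe" and dirname(image) != LEGIT_SPOOLSV_DIR:
        return "masquerading spoolsv.exe persisted via " + event["key"] + " -> " + image
    return None


def discovery_chains(events, min_tools=3):
    """Parents spawning >= min_tools distinct discovery tools, with the files
    the parent's own command line redirects their output into (staging)."""
    cmdline_by_pid = {e["pid"]: e.get("cmdline", "")
                      for e in events if e["type"] == "process_create"}
    tools_by_parent = defaultdict(set)
    for e in events:
        if e["type"] == "process_create" and basename(e["image"]) in DISCOVERY_TOOLS:
            tools_by_parent[e["ppid"]].add(basename(e["image"]))
    return {ppid: {"tools": sorted(tools),
                   "staging_files": sorted(redirect_targets(cmdline_by_pid.get(ppid, "")))}
            for ppid, tools in tools_by_parent.items() if len(tools) >= min_tools}


def analyze(events):
    """All findings as strings; an empty list means nothing matched."""
    findings = [f for f in (check_run_key(e) for e in events) if f]
    for ppid, info in discovery_chains(events).items():
        findings.append("discovery chain under PID %d: %s -> %s" % (
            ppid, ", ".join(info["tools"]), ", ".join(info["staging_files"]) or "(stdout)"))
    return findings


# Constructed events mirroring the report's process tree and Run-key IoC.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\499de033296b91bb87a8d7d043b929b0_JaffaCakes118.exe"
CMDLINE = (r"cmd /c ver >c:\windows\temp\flash.log & cmd /c set >>c:\windows\temp\flash.log"
           r" & ipconfig /all >>c:\windows\temp\flash.log & tasklist >>c:\windows\temp\flash.log"
           r" & net start>>c:\windows\temp\flash.log & netstat -an >>c:\windows\temp\flash.log")
EVENTS = [
    {"type": "process_create", "pid": 2996, "ppid": 1, "image": SAMPLE, "cmdline": SAMPLE},
    {"type": "process_create", "pid": 1508, "ppid": 2996, "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": CMDLINE},
    {"type": "process_create", "pid": 2044, "ppid": 1508, "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": "cmd /c set"},
    {"type": "process_create", "pid": 3316, "ppid": 1508, "image": r"C:\Windows\SysWOW64\ipconfig.exe", "cmdline": "ipconfig /all"},
    {"type": "process_create", "pid": 1424, "ppid": 1508, "image": r"C:\Windows\SysWOW64\tasklist.exe", "cmdline": "tasklist"},
    {"type": "process_create", "pid": 3044, "ppid": 1508, "image": r"C:\Windows\SysWOW64\net.exe", "cmdline": "net start"},
    {"type": "process_create", "pid": 3696, "ppid": 3044, "image": r"C:\Windows\SysWOW64\net1.exe", "cmdline": r"C:\Windows\system32\net1 start"},
    {"type": "process_create", "pid": 368, "ppid": 1508, "image": r"C:\Windows\SysWOW64\NETSTAT.EXE", "cmdline": "netstat -an"},
    {"type": "registry_set", "pid": 2996,
     "key": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Start GeekBuddy",
     "value": r"C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033\spoolsv.exe"},
]

if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

Keying the discovery rule on the parent rather than on each tool keeps single `ipconfig` or `tasklist` invocations by administrators quiet; the staging-file check is what distinguishes this sample's collect-to-one-file pattern from interactive troubleshooting. Raise `min_tools` or narrow `DISCOVERY_TOOLS` to tune the rule for an environment.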
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 14KB
MD5: dd9467735ce3169973a01b545861a435
SHA1: 6df1439e4ea98ff48507b14a6b45c563a84a3fe8
SHA256: 4d12da93501bdfee19f43ff152372306ccbf5b095d50dd34725c1eb5dff91917
SHA512: 9b7b61595a440419bc1f836494e11cd74eefb9057015a46029feda399a0bc628c352554f59ba236ca33099a8926f97ce5240678e082890e3586a34cb8b52ca21