Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
94s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
15/07/2024, 18:04
Static task
static1
Behavioral task
behavioral1
Sample
4acd0e56eef405eabbb4a564569a271a_JaffaCakes118.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
4acd0e56eef405eabbb4a564569a271a_JaffaCakes118.exe
Resource
win10v2004-20240709-en
General
-
Target
4acd0e56eef405eabbb4a564569a271a_JaffaCakes118.exe
-
Size
12KB
-
MD5
4acd0e56eef405eabbb4a564569a271a
-
SHA1
eadbc3a2deff7309466453d0dc0eb4309207dd95
-
SHA256
ac4847a294868161b51a036c60b1aba13db69cd65099197026e7487aeab0a386
-
SHA512
9f8006d131ef97140cfaf82dbf7908377894949b19bcf5c3def0f6ae7846113456664eac15ea4c3f9b630cca4d9b693172d65edd03a7deb34e881b5b86b7bd27
-
SSDEEP
384:izNVKpUpi24JkaLuR46IsdAKQ8ubGOoWk5:wGH3O6EPIs9OoWI
Malware Config
Signatures
-
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\msupdate\ImagePath = "c:\\windows\\system32\\mssrv32.exe" svchost.exe -
Deletes itself 1 IoCs
pid Process 2936 svchost.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created \??\c:\windows\SysWOW64\mssrv32.exe 4acd0e56eef405eabbb4a564569a271a_JaffaCakes118.exe File opened for modification \??\c:\windows\SysWOW64\mssrv32.exe 4acd0e56eef405eabbb4a564569a271a_JaffaCakes118.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3096 set thread context of 2936 3096 4acd0e56eef405eabbb4a564569a271a_jaffacakes118.exe 87 -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 444 4acd0e56eef405eabbb4a564569a271a_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 444 wrote to memory of 3096 444 4acd0e56eef405eabbb4a564569a271a_JaffaCakes118.exe 85 PID 444 wrote to memory of 3096 444 4acd0e56eef405eabbb4a564569a271a_JaffaCakes118.exe 85 PID 444 wrote to memory of 3096 444 4acd0e56eef405eabbb4a564569a271a_JaffaCakes118.exe 85 PID 3096 wrote to memory of 2936 3096 4acd0e56eef405eabbb4a564569a271a_jaffacakes118.exe 87 PID 3096 wrote to memory of 2936 3096 4acd0e56eef405eabbb4a564569a271a_jaffacakes118.exe 87 PID 3096 wrote to memory of 2936 3096 4acd0e56eef405eabbb4a564569a271a_jaffacakes118.exe 87 PID 3096 wrote to memory of 2936 3096 4acd0e56eef405eabbb4a564569a271a_jaffacakes118.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\4acd0e56eef405eabbb4a564569a271a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\4acd0e56eef405eabbb4a564569a271a_JaffaCakes118.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:444 -
\??\c:\users\admin\appdata\local\temp\4acd0e56eef405eabbb4a564569a271a_jaffacakes118.exec:\users\admin\appdata\local\temp\4acd0e56eef405eabbb4a564569a271a_jaffacakes118.exe2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3096 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe3⤵
- Sets service image path in registry
- Deletes itself
PID:2936
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
12KB
MD54acd0e56eef405eabbb4a564569a271a
SHA1eadbc3a2deff7309466453d0dc0eb4309207dd95
SHA256ac4847a294868161b51a036c60b1aba13db69cd65099197026e7487aeab0a386
SHA5129f8006d131ef97140cfaf82dbf7908377894949b19bcf5c3def0f6ae7846113456664eac15ea4c3f9b630cca4d9b693172d65edd03a7deb34e881b5b86b7bd27