Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
94s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
15/07/2024, 18:04 UTC
Static task
static1
Behavioral task
behavioral1
Sample
4acd0e56eef405eabbb4a564569a271a_JaffaCakes118.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
4acd0e56eef405eabbb4a564569a271a_JaffaCakes118.exe
Resource
win10v2004-20240709-en
General
-
Target
4acd0e56eef405eabbb4a564569a271a_JaffaCakes118.exe
-
Size
12KB
-
MD5
4acd0e56eef405eabbb4a564569a271a
-
SHA1
eadbc3a2deff7309466453d0dc0eb4309207dd95
-
SHA256
ac4847a294868161b51a036c60b1aba13db69cd65099197026e7487aeab0a386
-
SHA512
9f8006d131ef97140cfaf82dbf7908377894949b19bcf5c3def0f6ae7846113456664eac15ea4c3f9b630cca4d9b693172d65edd03a7deb34e881b5b86b7bd27
-
SSDEEP
384:izNVKpUpi24JkaLuR46IsdAKQ8ubGOoWk5:wGH3O6EPIs9OoWI
Malware Config
Signatures
-
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\msupdate\ImagePath = "c:\\windows\\system32\\mssrv32.exe" svchost.exe -
Deletes itself 1 IoCs
pid Process 2936 svchost.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created \??\c:\windows\SysWOW64\mssrv32.exe 4acd0e56eef405eabbb4a564569a271a_JaffaCakes118.exe File opened for modification \??\c:\windows\SysWOW64\mssrv32.exe 4acd0e56eef405eabbb4a564569a271a_JaffaCakes118.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3096 set thread context of 2936 3096 4acd0e56eef405eabbb4a564569a271a_jaffacakes118.exe 87 -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 444 4acd0e56eef405eabbb4a564569a271a_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 444 wrote to memory of 3096 444 4acd0e56eef405eabbb4a564569a271a_JaffaCakes118.exe 85 PID 444 wrote to memory of 3096 444 4acd0e56eef405eabbb4a564569a271a_JaffaCakes118.exe 85 PID 444 wrote to memory of 3096 444 4acd0e56eef405eabbb4a564569a271a_JaffaCakes118.exe 85 PID 3096 wrote to memory of 2936 3096 4acd0e56eef405eabbb4a564569a271a_jaffacakes118.exe 87 PID 3096 wrote to memory of 2936 3096 4acd0e56eef405eabbb4a564569a271a_jaffacakes118.exe 87 PID 3096 wrote to memory of 2936 3096 4acd0e56eef405eabbb4a564569a271a_jaffacakes118.exe 87 PID 3096 wrote to memory of 2936 3096 4acd0e56eef405eabbb4a564569a271a_jaffacakes118.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\4acd0e56eef405eabbb4a564569a271a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\4acd0e56eef405eabbb4a564569a271a_JaffaCakes118.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:444 -
\??\c:\users\admin\appdata\local\temp\4acd0e56eef405eabbb4a564569a271a_jaffacakes118.exec:\users\admin\appdata\local\temp\4acd0e56eef405eabbb4a564569a271a_jaffacakes118.exe2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3096 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe3⤵
- Sets service image path in registry
- Deletes itself
PID:2936
-
-
Network
-
Remote address:8.8.8.8:53Requestddosmanager.orgIN AResponse
-
Remote address:8.8.8.8:53Requestddosmanager.orgIN AResponse
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
Remote address:8.8.8.8:53Request64.159.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request227.143.123.92.in-addr.arpaIN PTRResponse227.143.123.92.in-addr.arpaIN PTRa92-123-143-227deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request55.36.223.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request157.123.68.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request15.164.165.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request147.142.123.92.in-addr.arpaIN PTRResponse147.142.123.92.in-addr.arpaIN PTRa92-123-142-147deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request20.210.23.2.in-addr.arpaIN PTRResponse20.210.23.2.in-addr.arpaIN PTRa2-23-210-20deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request13.227.111.52.in-addr.arpaIN PTRResponse
-
122 B 286 B 2 2
DNS Request
ddosmanager.org
DNS Request
ddosmanager.org
-
66 B 90 B 1 1
DNS Request
8.8.8.8.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
64.159.190.20.in-addr.arpa
-
73 B 139 B 1 1
DNS Request
227.143.123.92.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
55.36.223.20.in-addr.arpa
-
72 B 146 B 1 1
DNS Request
157.123.68.40.in-addr.arpa
-
72 B 146 B 1 1
DNS Request
15.164.165.52.in-addr.arpa
-
73 B 139 B 1 1
DNS Request
147.142.123.92.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
20.210.23.2.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
13.227.111.52.in-addr.arpa
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
12KB
MD54acd0e56eef405eabbb4a564569a271a
SHA1eadbc3a2deff7309466453d0dc0eb4309207dd95
SHA256ac4847a294868161b51a036c60b1aba13db69cd65099197026e7487aeab0a386
SHA5129f8006d131ef97140cfaf82dbf7908377894949b19bcf5c3def0f6ae7846113456664eac15ea4c3f9b630cca4d9b693172d65edd03a7deb34e881b5b86b7bd27