Analysis
max time kernel: 92s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/07/2024, 20:55
Static task: static1
Behavioral task: behavioral1
  Sample: 4b5c15011162caa9163748758048c8c9_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2 (the run shown in this report)
  Sample: 4b5c15011162caa9163748758048c8c9_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
Target: 4b5c15011162caa9163748758048c8c9_JaffaCakes118.exe
Size: 112KB
MD5: 4b5c15011162caa9163748758048c8c9
SHA1: 283c30de200afb9c607203f9677771e351b8d625
SHA256: 10d2a8c67ed0682d61a1178b3c9f6d021eee72e6444b31749e43feabe990851c
SHA512: 360f14ecaf1abf528757db896927331be38f9bcdc49cb181d2438f67cb802f63d8630950b2f2791e0ce2a8748b56912ddac015cae614280ac3034907ae342dbc
SSDEEP: 1536:95LO7C3P3CO9Lgl9hqC6z7nO14WPjFrJf:95eAP3COafwm1R
Malware Config
Signatures
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 2 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12345678-xyj-14d0-89bb-0090ce808666} (process: regedit.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12345678-xyj-14d0-89bb-0090ce808666}\StubPath = "C:\\WINDOWS\\system32\\xyj.bat" (process: regedit.exe)
Note: the component name {12345678-xyj-14d0-89bb-0090ce808666} is not a well-formed GUID ("xyj" is not hexadecimal), and the stub is a batch file rather than an executable; both make the key easy to hunt for verbatim.
Executes dropped EXE (1 IoC)
- PID 5064: svchost.exe
Drops file in System32 directory (4 IoCs)
- File created: C:\WINDOWS\SysWOW64\xyj.bat (process: 4b5c15011162caa9163748758048c8c9_JaffaCakes118.exe)
- File created: C:\WINDOWS\SysWOW64\sunxyj.bat (process: 4b5c15011162caa9163748758048c8c9_JaffaCakes118.exe)
- File created: C:\WINDOWS\SysWOW64\xyj.dll (process: 4b5c15011162caa9163748758048c8c9_JaffaCakes118.exe)
- File created: C:\WINDOWS\SysWOW64\xyj.reg (process: 4b5c15011162caa9163748758048c8c9_JaffaCakes118.exe)
Drops file in Windows directory (1 IoC)
- File created: C:\WINDOWS\system\svchost.exe (process: 4b5c15011162caa9163748758048c8c9_JaffaCakes118.exe)
Runs .reg file with regedit (1 IoC)
- PID 2608: regedit.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
- PID 3632: 4b5c15011162caa9163748758048c8c9_JaffaCakes118.exe (4 events)
Suspicious use of WriteProcessMemory (9 IoCs)
- PID 3632 (4b5c15011162caa9163748758048c8c9_JaffaCakes118.exe) wrote to memory of PID 5064, procid_target 83 (3 events)
- PID 3632 (4b5c15011162caa9163748758048c8c9_JaffaCakes118.exe) wrote to memory of PID 4624, procid_target 84 (3 events)
- PID 4624 (cmd.exe) wrote to memory of PID 2608, procid_target 87 (3 events)
Note: every write here targets a process the writer itself has just spawned (compare the process tree below), so on its own this signature only confirms the parent/child relationships rather than injection into a foreign process.
Processes
- C:\Users\Admin\AppData\Local\Temp\4b5c15011162caa9163748758048c8c9_JaffaCakes118.exe (PID 3632, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\4b5c15011162caa9163748758048c8c9_JaffaCakes118.exe"
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\WINDOWS\system\svchost.exe (PID 5064, depth 2)
    command line: C:\WINDOWS\system\svchost.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 4624, depth 2)
    command line: C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\sunxyj.bat
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\regedit.exe (PID 2608, depth 3)
      command line: regedit.exe /s xyj.reg
      - Boot or Logon Autostart Execution: Active Setup
      - Runs .reg file with regedit
Note: the sample asks for C:\Windows\system32\cmd.exe but the SysWOW64 copy runs, so it is a 32-bit process under WOW64. File-system and registry redirection therefore send its "system32" writes to SysWOW64 and its HKLM\SOFTWARE writes to WOW6432Node, which is why the dropped files are listed under SysWOW64 while the command line and the StubPath value still spell system32. When checking a host, look for the dropped files under SysWOW64 and for the dropped svchost.exe in C:\WINDOWS\system (not System32), a location the real service host never runs from.
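The behaviour chain recorded above (files dropped under C:\Windows from %TEMP%, svchost.exe executed from C:\WINDOWS\system, a silent regedit import, and an Active Setup StubPath written under a malformed GUID) expressed as detection logic. This is an added example and not part of the Triage report or its signature set; the events are constructed Sysmon-style records (EID 1, 11, 13 field names) reproducing the report's IoCs plus two constructed benign controls, and the rule names, extension list and path heuristics are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Constructed Sysmon-style events (EID 1 process create, EID 11 file create,
# EID 13 registry value set) reproducing the IoCs in the report above, plus two
# benign controls. Not real telemetry; field names follow Sysmon's schema.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\4b5c15011162caa9163748758048c8c9_JaffaCakes118.exe"
EVENTS = [
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": r"C:\WINDOWS\SysWOW64\xyj.bat"},
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": r"C:\WINDOWS\SysWOW64\sunxyj.bat"},
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": r"C:\WINDOWS\SysWOW64\xyj.dll"},
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": r"C:\WINDOWS\SysWOW64\xyj.reg"},
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": r"C:\WINDOWS\system\svchost.exe"},
    {"EventID": 1, "Image": r"C:\WINDOWS\system\svchost.exe", "ParentImage": SAMPLE,
     "CommandLine": r"C:\WINDOWS\system\svchost.exe"},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\cmd.exe", "ParentImage": SAMPLE,
     "CommandLine": r"C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\sunxyj.bat"},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\regedit.exe",
     "ParentImage": r"C:\Windows\SysWOW64\cmd.exe", "CommandLine": "regedit.exe /s xyj.reg"},
    {"EventID": 13, "Image": r"C:\Windows\SysWOW64\regedit.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components"
                     r"\{12345678-xyj-14d0-89bb-0090ce808666}\StubPath",
     "Details": r"C:\WINDOWS\system32\xyj.bat"},
    # Benign controls (constructed): a real service host and a stock Active Setup entry.
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"EventID": 13, "Image": r"C:\Windows\servicing\TrustedInstaller.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components"
                     r"\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\StubPath",
     "Details": r'"C:\Windows\System32\unregmp2.exe" /FirstLogon'},
]

# Heuristics chosen for this example; tune them for a real estate.
ACTIVE_SETUP = re.compile(
    r"^HKLM\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\Active Setup\\Installed Components\\"
    r"(?P<component>[^\\]+)\\StubPath$", re.IGNORECASE)
GUID = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.IGNORECASE)
SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".vbe", ".js", ".jse", ".ps1", ".hta")
SVCHOST_HOMES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")


@dataclass
class Finding:
    rule: str
    image: str
    target: str
    reason: str


def stub_target(details: str) -> str:
    """Return the executable/script path from a StubPath value, dropping arguments."""
    d = details.strip()
    if d.startswith('"'):
        end = d.find('"', 1)
        return d[1:end] if end > 0 else d[1:]
    return d.split(" ", 1)[0]


def check_registry_set(ev):
    """EID 13: Active Setup StubPath that is malformed, runs a script, or lives in user-writable space."""
    m = ACTIVE_SETUP.match(ev["TargetObject"])
    if not m:
        return None
    reasons = []
    if not GUID.match(m["component"]):
        reasons.append("component name is not a well-formed GUID")
    target = stub_target(ev["Details"]).lower()
    if target.endswith(SCRIPT_EXT):
        reasons.append("StubPath runs a script")
    if any(p in target for p in USER_WRITABLE):
        reasons.append("StubPath points into a user-writable location")
    if not reasons:
        return None
    return Finding("active_setup_persistence", ev["Image"], ev["TargetObject"], "; ".join(reasons))


def check_process_create(ev):
    """EID 1: svchost.exe outside its home directories or not under services.exe; silent regedit imports."""
    image = ev["Image"].lower()
    name = image.rsplit("\\", 1)[-1]
    parent = ev.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    if name == "svchost.exe" and (not image.startswith(SVCHOST_HOMES) or parent != "services.exe"):
        return Finding("svchost_masquerade", ev["Image"], ev["CommandLine"],
                       f"svchost.exe outside System32/SysWOW64 or not a child of services.exe (parent: {parent})")
    if name == "regedit.exe" and re.search(r"(?:^|\s)/s(?:\s|$)", ev["CommandLine"], re.IGNORECASE):
        return Finding("silent_reg_import", ev["Image"], ev["CommandLine"], f"silent .reg import spawned by {parent}")
    return None


def check_file_create(ev):
    """EID 11: anything written under C:\\Windows by a process running out of %TEMP%."""
    if ev["TargetFilename"].lower().startswith("c:\\windows\\") and "\\appdata\\local\\temp\\" in ev["Image"].lower():
        return Finding("windows_dir_drop_from_temp", ev["Image"], ev["TargetFilename"],
                       "file written under C:\\Windows by a process running from %TEMP%")
    return None


CHECKS = {1: check_process_create, 11: check_file_create, 13: check_registry_set}


def run(events):
    """Apply the rule for each event type and collect the findings in event order."""
    findings = []
    for ev in events:
        check = CHECKS.get(ev["EventID"])
        finding = check(ev) if check else None
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in run(EVENTS):
        print(f"[{f.rule}] {f.image} -> {f.target} ({f.reason})")
```

Run against the constructed events, the sample's chain yields eight findings (five drops, the masquerading svchost.exe, the silent import, and the Active Setup key flagged for both the non-GUID component name and the .bat stub) while the two benign controls produce none. The `WOW6432Node` segment is optional in the key pattern so the same rule covers 32-bit and 64-bit writers.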
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 22B
  MD5: a5e1a8facc10b673d42e4bca6d007287
  SHA1: 281a0d5319067f066455b0a0b9aa6c6492aec6d2
  SHA256: b2edc50f3a9a79032dde68bc5cd2491127a70488dc8bd539fbef4186e73bcb11
  SHA512: cec914883513ad1e5338ff985375a762d047e0992fa9d9aa6cd4e18e9dee3ae57da1cf70a9e2702f22fbddb9bda46ae459f6e6e9dd6391c21253e2924d40843c
- Filesize: 309B
  MD5: 79081c86f5fa286cb4465092a368fec5
  SHA1: a8eecb7150985c8bf945ec10257a7aa43869c3fd
  SHA256: 267958578f32313ef5185714a6a85955c6dd52342a2cc1e36b9df240eeec0625
  SHA512: aa430d8bd1fa7789ad781f6456e03c57cf110ac03485b810a2332695776eb3434810dbaa92d7907f86127577e8cc622deb4a69f99a46b4aa6e359fd7e9b1f42a
- Filesize: 40KB
  MD5: f878619f7e8438ba39f23529a45d17d4
  SHA1: c69f80fa4489e376106b79d61c08cc97c00ef29f
  SHA256: f40ae7cdaf6b5201b39d6046fdb95bcacf4ba8059534306de2a947a8b9567ef1
  SHA512: a4f07159a15542ddee486081703649bf8fdc8dd5f4dbf6e80f29b0de6aa0a70ab74a90728a3f64333d65534cbe3b444ce9db823f5c2bcb6dc76f027297972ab0