Analysis
- max time kernel: 148s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19/07/2024, 01:45
Static task: static1
Behavioral task: behavioral1
- Sample: 59f88dbf99d2b197ff22c4b4a5b4b8c5_JaffaCakes118.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 59f88dbf99d2b197ff22c4b4a5b4b8c5_JaffaCakes118.exe
- Resource: win10v2004-20240709-en
General
- Target: 59f88dbf99d2b197ff22c4b4a5b4b8c5_JaffaCakes118.exe
- Size: 152KB
- MD5: 59f88dbf99d2b197ff22c4b4a5b4b8c5
- SHA1: c06f0778690bf70cfaa2ad5c2c525edbe49c9181
- SHA256: d7e991e0d403124d6a948bdd21eb675b54f935e5535519a508fd6431a1d735a8
- SHA512: 4abbbe8059f7bedba33f7f8cce13692bfd779f04b9f7ccf91e75c69c5b7667e205af5220ff274b8a13193fb85010aa81059ed152cb0da6b6eff72b0d48fd57e4
- SSDEEP: 3072:zXHzLFuwl8mHFKW+nTvW9Zf1vUADBHrAlgAt3kS:7HzLFuwl8mHQPiWADZs3kS
Malware Config
Extracted
- Family: sality
- URLs:
  - http://89.119.67.154/testo5/
  - http://kukutrustnet777.info/home.gif
  - http://kukutrustnet888.info/home.gif
  - http://kukutrustnet987.info/home.gif
Signatures

UAC bypass
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
  Process: 59f88dbf99d2b197ff22c4b4a5b4b8c5_JaffaCakes118.exe

Modifies Windows Firewall (2 TTPs, 1 IoC)
- PID 2680, Process: netsh.exe

UPX packed file
- yara rule upx matched in the following memory dumps:
  - behavioral2/memory/4612-1-0x00000000023D0000-0x0000000003400000-memory.dmp
  - behavioral2/memory/4612-3-0x00000000023D0000-0x0000000003400000-memory.dmp
  - behavioral2/memory/4612-4-0x00000000023D0000-0x0000000003400000-memory.dmp
  - behavioral2/memory/4612-8-0x00000000023D0000-0x0000000003400000-memory.dmp
  - behavioral2/memory/4612-15-0x00000000023D0000-0x0000000003400000-memory.dmp
  - behavioral2/memory/4612-16-0x00000000023D0000-0x0000000003400000-memory.dmp

Checks whether UAC is enabled
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
  Process: 59f88dbf99d2b197ff22c4b4a5b4b8c5_JaffaCakes118.exe

Drops file in Windows directory (1 IoC)
- File opened for modification: C:\Windows\SYSTEM.INI
  Process: 59f88dbf99d2b197ff22c4b4a5b4b8c5_JaffaCakes118.exe

Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
- Key opened: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh (Process: netsh.exe)
- Key queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh (Process: netsh.exe)
- Key value enumerated: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh (Process: netsh.exe)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 4612, Process: 59f88dbf99d2b197ff22c4b4a5b4b8c5_JaffaCakes118.exe
- PID 4612, Process: 59f88dbf99d2b197ff22c4b4a5b4b8c5_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
All 64 entries are identical:
- Token: SeDebugPrivilege, PID 4612, Process: 59f88dbf99d2b197ff22c4b4a5b4b8c5_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (20 IoCs)
Source process for every entry: PID 4612, 59f88dbf99d2b197ff22c4b4a5b4b8c5_JaffaCakes118.exe
- PID 4612 wrote to memory of 768 (procid_target 8)
- PID 4612 wrote to memory of 776 (procid_target 9)
- PID 4612 wrote to memory of 336 (procid_target 13)
- PID 4612 wrote to memory of 2704 (procid_target 49)
- PID 4612 wrote to memory of 2736 (procid_target 50)
- PID 4612 wrote to memory of 3004 (procid_target 51)
- PID 4612 wrote to memory of 3476 (procid_target 56)
- PID 4612 wrote to memory of 3600 (procid_target 57)
- PID 4612 wrote to memory of 3784 (procid_target 58)
- PID 4612 wrote to memory of 3880 (procid_target 59)
- PID 4612 wrote to memory of 3984 (procid_target 60)
- PID 4612 wrote to memory of 4068 (procid_target 61)
- PID 4612 wrote to memory of 376 (procid_target 62)
- PID 4612 wrote to memory of 1200 (procid_target 74)
- PID 4612 wrote to memory of 4556 (procid_target 76)
- PID 4612 wrote to memory of 2672 (procid_target 81)
- PID 4612 wrote to memory of 4496 (procid_target 82)
- PID 4612 wrote to memory of 2680 (procid_target 84)
- PID 4612 wrote to memory of 2680 (procid_target 84)
- PID 4612 wrote to memory of 2680 (procid_target 84)

System policy modification (1 TTP, 1 IoC)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
  Process: 59f88dbf99d2b197ff22c4b4a5b4b8c5_JaffaCakes118.exe
Processes
- C:\Windows\system32\fontdrvhost.exe
  Command line: "fontdrvhost.exe"
  PID: 768
- C:\Windows\system32\fontdrvhost.exe
  Command line: "fontdrvhost.exe"
  PID: 776
- C:\Windows\system32\dwm.exe
  Command line: "dwm.exe"
  PID: 336
- C:\Windows\system32\sihost.exe
  Command line: sihost.exe
  PID: 2704
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  PID: 2736
- C:\Windows\system32\taskhostw.exe
  Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  PID: 3004
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3476
  - C:\Users\Admin\AppData\Local\Temp\59f88dbf99d2b197ff22c4b4a5b4b8c5_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\59f88dbf99d2b197ff22c4b4a5b4b8c5_JaffaCakes118.exe"
    PID: 4612
    Signatures:
    - UAC bypass
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall set opmode disable
      PID: 2680
      Signatures:
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  PID: 3600
- C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 3784
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  PID: 3880
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3984
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID: 4068
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 376
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  PID: 1200
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 4556
- C:\Windows\system32\backgroundTaskHost.exe
  Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
  PID: 2672
- C:\Windows\system32\backgroundTaskHost.exe
  Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  PID: 4496
Network
MITRE ATT&CK Enterprise v15
Persistence
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)