Analysis
- max time kernel: 150s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 19/07/2024, 04:52
Static task: static1
Behavioral task: behavioral1
Sample: 5a8968b14bc1e9c21add9021c89a2e2f_JaffaCakes118.exe
Resource: win7-20240705-en
General
- Target: 5a8968b14bc1e9c21add9021c89a2e2f_JaffaCakes118.exe
- Size: 1.6MB
- MD5: 5a8968b14bc1e9c21add9021c89a2e2f
- SHA1: 49a84fab07f42639255ed6effdba70cc1e44aff1
- SHA256: 53e3a6c30a9afc46e68af8c105f43e199e139c422abb0e2bf0f51a6fb4c8ef48
- SHA512: 15f6d18cd2d240e376690a4a3dff637a22d0a5026caa2662c8a59373d7475a2bef8b4380f4d740ac0cc6eb90c0f11bb8703364fd282e8ae8b67fe9e3aaf6d728
- SSDEEP: 24576:fpN7TsakOkW14dL7CVDCDjtCuriUsYRbgaUyURZaAxvMGq3bvt/LfA:Hoaq44dL7C5mNRDMxvM3bl/E
Malware Config
Signatures
- Drops file in Drivers directory (1 IoC)
  description: File opened for modification
  ioc: C:\Windows\system32\drivers\etc\hosts
  process: 5a8968b14bc1e9c21add9021c89a2e2f_JaffaCakes118.exe
- Identifies Wine through registry keys (2 TTPs, 1 IoC)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment; probing for its registry key is a sandbox-detection check.
  description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Wine
  process: 5a8968b14bc1e9c21add9021c89a2e2f_JaffaCakes118.exe
- Suspicious use of AdjustPrivilegeToken (23 IoCs)
  process: 5a8968b14bc1e9c21add9021c89a2e2f_JaffaCakes118.exe (PID 1052)
  tokens adjusted: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and the privilege LUIDs 33, 34 and 35 (reported by the sandbox as numbers, not names)
  Adjusting 23 privileges in one go is consistent with code that enables every privilege present in its token rather than requesting the one it needs; within that set, SeDebugPrivilege and SeLoadDriverPrivilege are the ones that matter for the process-injection activity recorded below.
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | process | procid_target
  PID 1052 wrote to memory of 2868 | 1052 | 5a8968b14bc1e9c21add9021c89a2e2f_JaffaCakes118.exe | 30 (4 identical entries)
  PID 1052 wrote to memory of 2784 | 1052 | 5a8968b14bc1e9c21add9021c89a2e2f_JaffaCakes118.exe | 31 (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\5a8968b14bc1e9c21add9021c89a2e2f_JaffaCakes118.exe (PID 1052)
  command line: "C:\Users\Admin\AppData\Local\Temp\5a8968b14bc1e9c21add9021c89a2e2f_JaffaCakes118.exe"
  - Drops file in Drivers directory
  - Identifies Wine through registry keys
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Internet Explorer\iexplore.exe (PID 2868, child of 1052)
    command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
  - C:\Windows\explorer.exe (PID 2784, child of 1052)
    command line: "C:\Windows\explorer.exe"
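The signatures and process tree above are the sandbox's hooked view of the sample: it edits the hosts file, probes for Wine, enables a broad set of token privileges, and then spawns iexplore.exe and explorer.exe and writes into their memory. On an endpoint the same behaviour has to be reconstructed from host telemetry. The following added example is not part of the tria.ge report and not the sample's code; it runs detection logic over constructed Sysmon-style events (EventID 1 ProcessCreate, 10 ProcessAccess, 11 FileCreate) that mirror this process tree. It keys on two signals that Sysmon does record: a FileCreate naming the hosts file, and a ProcessAccess where a parent opens its own child, a trusted Windows binary, with the PROCESS_VM_OPERATION and PROCESS_VM_WRITE rights WriteProcessMemory requires. The registry-key open and the token adjustment are left out deliberately: Sysmon does not log key opens (only key creation, deletion and value writes), and token-right changes surface only through Security-log auditing where that is available. The GrantedAccess masks, the two noise events and the parent PID 900 are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not tria.ge output), using Sysmon field names:
# EventID 1 ProcessCreate, 10 ProcessAccess, 11 FileCreate. PIDs and image
# paths mirror the process tree in the report; the GrantedAccess masks, the
# parent PID 900 and the two noise events are assumptions for illustration.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 1052, "ParentProcessId": 900,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\5a8968b14bc1e9c21add9021c89a2e2f_JaffaCakes118.exe"},
    {"EventID": 1, "ProcessId": 2868, "ParentProcessId": 1052,
     "Image": r"C:\Program Files (x86)\Internet Explorer\iexplore.exe"},
    {"EventID": 1, "ProcessId": 2784, "ParentProcessId": 1052,
     "Image": r"C:\Windows\explorer.exe"},
    {"EventID": 11, "ProcessId": 1052,
     "TargetFilename": r"C:\Windows\System32\drivers\etc\hosts"},
    {"EventID": 10, "SourceProcessId": 1052, "TargetProcessId": 2868, "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceProcessId": 1052, "TargetProcessId": 2784, "GrantedAccess": "0x1438"},
    # Noise 1 (assumed): sibling opens sibling with write rights; not parent -> child.
    {"EventID": 10, "SourceProcessId": 2868, "TargetProcessId": 2784, "GrantedAccess": "0x1438"},
    # Noise 2 (assumed): parent opens child with query-only rights; no write possible.
    {"EventID": 10, "SourceProcessId": 1052, "TargetProcessId": 2868, "GrantedAccess": "0x1000"},
]

# Process access rights from the Win32 API; WriteProcessMemory needs both.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
WRITE_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE

HOSTS_RE = re.compile(r"\\drivers\\etc\\hosts$", re.IGNORECASE)
# Trusted Windows binaries that are commonly spawned and written into.
INJECTION_HOST_RE = re.compile(r"\\(explorer|iexplore|svchost)\.exe$", re.IGNORECASE)


def build_process_tree(events):
    """Map pid -> (image path, parent pid) from ProcessCreate events."""
    return {e["ProcessId"]: (e["Image"], e["ParentProcessId"])
            for e in events if e["EventID"] == 1}


def find_hosts_writes(events):
    """PIDs that created or overwrote the hosts file (the report's
    'Drops file in Drivers directory' signal), sorted for stable output."""
    return sorted({e["ProcessId"] for e in events
                   if e["EventID"] == 11 and HOSTS_RE.search(e["TargetFilename"])})


def find_child_memory_writes(events, procs):
    """(source, target) pairs where a process opened its own child, a known
    injection host, with rights sufficient for WriteProcessMemory."""
    hits = set()
    for e in events:
        if e["EventID"] != 10:
            continue
        if (int(e["GrantedAccess"], 16) & WRITE_MASK) != WRITE_MASK:
            continue
        src, tgt = e["SourceProcessId"], e["TargetProcessId"]
        image, parent = procs.get(tgt, (None, None))
        if parent == src and image and INJECTION_HOST_RE.search(image):
            hits.add((src, tgt))
    return sorted(hits)


def score_processes(events):
    """Group findings per PID so a parent that both edits hosts and writes
    into its children stands out from either behaviour seen on its own."""
    procs = build_process_tree(events)
    findings = defaultdict(list)
    for pid in find_hosts_writes(events):
        findings[pid].append("hosts_file_write")
    for src, tgt in find_child_memory_writes(events, procs):
        findings[src].append(f"vm_write_into_child:{tgt}")
    return dict(findings)


if __name__ == "__main__":
    for pid, tags in score_processes(SAMPLE_EVENTS).items():
        print(pid, tags)
```

On the constructed input only PID 1052 is flagged, with the hosts write and one memory-write finding per child; the sibling-to-sibling open and the query-only open are dropped by the parent check and the access-mask check respectively. Keying on the parent-child relationship is what keeps this usable on a real host, where debuggers, AV and EDR agents legitimately open unrelated processes with write rights all day.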