Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
139s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
19/07/2024, 12:30
Static task
static1
Behavioral task
behavioral1
Sample
5bf47ed55ca18de73c445849c97a4a83_JaffaCakes118.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
5bf47ed55ca18de73c445849c97a4a83_JaffaCakes118.exe
Resource
win10v2004-20240709-en
General
-
Target
5bf47ed55ca18de73c445849c97a4a83_JaffaCakes118.exe
-
Size
38KB
-
MD5
5bf47ed55ca18de73c445849c97a4a83
-
SHA1
d5f3ce1425e1bdeb23a55d3c3cf9422b98e6fbf1
-
SHA256
00231c130c23fd1ca67b97a553fb8e1521f140cd23e491f6c9c933a3a9fc6ab9
-
SHA512
6acddc1d095b88489d6613225ebf491c679a7d523d4c2757c604d4fa7795bc9d31b94397a8139abd674914616938dde28bd257ea62a53645a80a0d4a67f9f63f
-
SSDEEP
768:zTfKEPzAb+XSDBY4UprWYz23CzIspM6Ak0anLQ:z7TyVMST3CsxHfanLQ
Malware Config
Signatures
-
Unexpected DNS network traffic destination 5 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description ioc Destination IP 178.162.181.106 Destination IP 178.162.181.106 Destination IP 178.162.181.106 Destination IP 178.162.181.106 Destination IP 178.162.181.106 -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1168 set thread context of 2348 1168 5bf47ed55ca18de73c445849c97a4a83_JaffaCakes118.exe 87 -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\Fonts\x0rfViYV7.com 5bf47ed55ca18de73c445849c97a4a83_JaffaCakes118.exe File opened for modification C:\Windows\Fonts\x0rfViYV7.com 5bf47ed55ca18de73c445849c97a4a83_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings 5bf47ed55ca18de73c445849c97a4a83_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2348 5bf47ed55ca18de73c445849c97a4a83_JaffaCakes118.exe 2348 5bf47ed55ca18de73c445849c97a4a83_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 1168 wrote to memory of 2348 1168 5bf47ed55ca18de73c445849c97a4a83_JaffaCakes118.exe 87 PID 1168 wrote to memory of 2348 1168 5bf47ed55ca18de73c445849c97a4a83_JaffaCakes118.exe 87 PID 1168 wrote to memory of 2348 1168 5bf47ed55ca18de73c445849c97a4a83_JaffaCakes118.exe 87 PID 1168 wrote to memory of 2348 1168 5bf47ed55ca18de73c445849c97a4a83_JaffaCakes118.exe 87 PID 1168 wrote to memory of 2348 1168 5bf47ed55ca18de73c445849c97a4a83_JaffaCakes118.exe 87 PID 1168 wrote to memory of 2348 1168 5bf47ed55ca18de73c445849c97a4a83_JaffaCakes118.exe 87 PID 1168 wrote to memory of 2348 1168 5bf47ed55ca18de73c445849c97a4a83_JaffaCakes118.exe 87 PID 1168 wrote to memory of 2348 1168 5bf47ed55ca18de73c445849c97a4a83_JaffaCakes118.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\5bf47ed55ca18de73c445849c97a4a83_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\5bf47ed55ca18de73c445849c97a4a83_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1168 -
C:\Users\Admin\AppData\Local\Temp\5bf47ed55ca18de73c445849c97a4a83_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\5bf47ed55ca18de73c445849c97a4a83_JaffaCakes118.exe2⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2348
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:1860