Analysis

max time kernel: 141s
max time network: 108s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240709-en locale:en-us os:windows10-2004-x64 system
submitted: 19/07/2024, 16:10
Static task: static1

Behavioral task: behavioral1
Sample: 5caa9ab24a9f71727407cf2b53fd50b3_JaffaCakes118.exe
Resource: win7-20240705-en

Behavioral task: behavioral2
Sample: 5caa9ab24a9f71727407cf2b53fd50b3_JaffaCakes118.exe
Resource: win10v2004-20240709-en
General

Target: 5caa9ab24a9f71727407cf2b53fd50b3_JaffaCakes118.exe
Size: 260KB
MD5: 5caa9ab24a9f71727407cf2b53fd50b3
SHA1: b9a3c1210ca5dcb20a7dbb5d715dded43b03d354
SHA256: 0839ef2535c7ca36180a7c673ffc7b5551021e2de39fd26a8e2b1861cf706de9
SHA512: 6e6bc7ed995e3b1311b730c33e08429fb03d13b225b1f66d6345cb4e3094d9b19452b9e4536fcb053dc7ca46f2a279f1742f6362ff1705657bd826d205832856
SSDEEP: 6144:ajEDyVUtKq9o8BC2N6tdTTTbfxXuzJwGhrPN+:ZmVUtKq9o8BC2N6tdTTTbfxwmGhrF
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Process: svchost.exe (the dropped copy, PID 4336)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe,C:\\Program Files\\Common Files\\svchost.exe -s"
The stock Userinit value is only userinit.exe; the sample appends its dropped binary (with the same -s switch it was launched with) so that it starts at every interactive logon. Note the WOW6432Node path: the sample is 32-bit, so the write was redirected to the 32-bit registry view, which the 64-bit winlogon.exe on this x64 host does not read. The entry would take effect as written on a 32-bit Windows install; on x64 it is a reliable indicator but not a working persistence.
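The check a responder would run on a suspect host, as an added example rather than anything from the Triage report: split the Userinit value, confirm the stock userinit.exe entry is present, and flag every extra entry, marking it as a masquerade when the binary borrows a Windows system file name (svchost.exe here) but does not live under %SystemRoot%. The observed value is quoted from the signature above with the report's escaped backslashes collapsed; the shortlist of system binary names and the " -"/" /" argument-splitting heuristic are assumptions for this example. The live-registry helper is Windows-only and is shown for how the native and WOW6432Node views are selected.

```python
"""Audit a Winlogon Userinit value for persistence entries (added example)."""
import ntpath
import sys
from typing import Dict, List

# Stock value of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
EXPECTED_USERINIT = r"C:\Windows\system32\userinit.exe"

# Names of binaries Windows ships under %SystemRoot% that malware commonly
# borrows. Constructed shortlist for this example, not an exhaustive list.
SYSTEM_BINARY_NAMES = {"svchost.exe", "userinit.exe", "lsass.exe", "csrss.exe", "explorer.exe"}

# Value from the Triage signature above, with the JSON escaping removed.
OBSERVED_USERINIT = r"C:\WINDOWS\system32\userinit.exe,C:\Program Files\Common Files\svchost.exe -s"


def split_userinit(value: str) -> List[str]:
    """Userinit is a comma-separated list of 'path [args]' items.
    Windows tolerates a trailing comma, so empty items are dropped."""
    return [item.strip() for item in value.split(",") if item.strip()]


def executable_of(entry: str) -> str:
    """Return the executable path of one Userinit item without its arguments.
    Quoted paths end at the closing quote; for unquoted paths (the report's
    entry is unquoted and carries '-s') the path is assumed to end at the
    first ' -' or ' /' switch."""
    entry = entry.strip()
    if entry.startswith('"'):
        end = entry.find('"', 1)
        return entry[1:end] if end > 0 else entry[1:]
    lower = entry.lower()
    cut = len(entry)
    for marker in (" -", " /"):
        idx = lower.find(marker)
        if idx != -1:
            cut = min(cut, idx)
    return entry[:cut].strip()


def audit_userinit(value: str, system_root: str = r"C:\Windows") -> Dict:
    """Compare a Userinit value with the stock one.

    Returns whether the expected userinit.exe entry is present and one
    finding per extra entry: 'masquerade' when the extra binary has a
    Windows system file name but is not under system_root, else 'extra'.
    """
    findings = []
    expected_seen = False
    for entry in split_userinit(value):
        exe = executable_of(entry)
        if exe.lower() == EXPECTED_USERINIT.lower():
            expected_seen = True
            continue
        name = ntpath.basename(exe).lower()
        under_root = exe.lower().startswith(system_root.lower() + "\\")
        kind = "masquerade" if name in SYSTEM_BINARY_NAMES and not under_root else "extra"
        findings.append({"entry": entry, "executable": exe, "kind": kind})
    return {"expected_present": expected_seen, "findings": findings}


def read_live_userinit(wow64: bool = False) -> str:
    """Read Userinit from the live registry (Windows only, stdlib winreg).
    wow64=True selects the WOW6432Node view that a 32-bit writer lands in;
    the default reads the native view that 64-bit winlogon.exe consults.
    Assumed responder helper; not exercised outside Windows."""
    if sys.platform != "win32":
        raise OSError("live registry read requires Windows")
    import winreg
    access = winreg.KEY_READ | (winreg.KEY_WOW64_32KEY if wow64 else winreg.KEY_WOW64_64KEY)
    sub_key = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, sub_key, 0, access) as key:
        value, _ = winreg.QueryValueEx(key, "Userinit")
        return value


if __name__ == "__main__":
    print(audit_userinit(OBSERVED_USERINIT))
```

On an x64 host audit both views: `read_live_userinit()` for what winlogon.exe will actually execute and `read_live_userinit(wow64=True)` for the redirected write a 32-bit sample leaves behind, since the second is evidence of compromise even when it never fires.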
Executes dropped EXE (1 IoC)
PID 4336: svchost.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, such as saved credentials.
Enumerates connected drives (3 TTPs, 20 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only) by svchost.exe, one IoC per drive letter: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y:
Drops file in Program Files directory (12 IoCs)
By 5caa9ab24a9f71727407cf2b53fd50b3_JaffaCakes118.exe:
- File created: C:\Program Files\Common Files\svchost.exe
- File opened for modification: C:\Program Files\Common Files\svchost.exe
By svchost.exe:
- File opened for modification: C:\Program Files\Common Files\svchost.exe
- File opened for modification: C:\Program Files\Common Files\Shared.dll
- File opened for modification: C:\Program Files\Common Files\drive.tlb
- File opened for modification: C:\Program Files\Common Files\log
- File opened for modification: C:\Program Files\Common Files\log\MUEOAWXB
- File opened for modification: C:\Program Files\Common Files\log\MUEOAWXB\20240719161029.cab.bak
- File created: C:\Program Files\Common Files\log\MUEOAWXB\20240719161029.cab.bak
- File created: C:\Program Files\Common Files\log\MUEOAWXB\20240719161112.cab.bak
- File created: C:\Program Files\Common Files\log\MUEOAWXB\20240719161122.cab.bak
- File created: C:\Program Files\Common Files\log\MUEOAWXB\20240719161124.cab.bak
Drops file in Windows directory (10 IoCs)
All by svchost.exe:
- File opened for modification: C:\Windows\log
- File opened for modification: C:\Windows\drive.ini
- File created: C:\Windows\log\20240719161029.cab
- File created: C:\Windows\log\20240719161029.cab.bak
- File created: C:\Windows\log\20240719161112.cab
- File created: C:\Windows\log\20240719161112.cab.bak
- File created: C:\Windows\log\20240719161122.cab
- File created: C:\Windows\log\20240719161122.cab.bak
- File created: C:\Windows\log\20240719161124.cab
- File created: C:\Windows\log\20240719161124.cab.bak
Gathers network information (2 TTPs, 2 IoCs)
Uses command-line utilities to view the network configuration.
PID 4388: ipconfig.exe
PID 4472: NETSTAT.EXE

Gathers system information (1 TTP, 1 IoC)
Runs systeminfo.exe.
PID 1872: systeminfo.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Token: SeDebugPrivilege, PID 4472, NETSTAT.EXE
The only token adjustment in the run is made by netstat.exe itself, not by the sample's own code, so on its own this hit is noise; the interesting part is who launched netstat.
Suspicious use of WriteProcessMemory (64 IoCs)
Each child launch is recorded as three writes into the new process; the fourth column is Triage's internal procid_target index, not a PID. The list is capped at 64 entries and stops mid-way through the dir X:\ children.

source PID / process -> target PID / process | writes | procid_target
1996 5caa9ab24a9f71727407cf2b53fd50b3_JaffaCakes118.exe -> 4336 svchost.exe | 3 | 84
4336 svchost.exe -> 448 cmd.exe | 3 | 85
448 cmd.exe -> 4388 ipconfig.exe | 3 | 87
4336 svchost.exe -> 1464 cmd.exe | 3 | 88
4336 svchost.exe -> 2260 cmd.exe | 3 | 90
2260 cmd.exe -> 1872 systeminfo.exe | 3 | 92
4336 svchost.exe -> 1288 cmd.exe | 3 | 101
1288 cmd.exe -> 4472 NETSTAT.EXE | 3 | 103
4336 svchost.exe -> 1360 cmd.exe | 3 | 104
4336 svchost.exe -> 1752 cmd.exe | 3 | 112
4336 svchost.exe -> 4956 cmd.exe | 3 | 114
4336 svchost.exe -> 3420 cmd.exe | 3 | 116
4336 svchost.exe -> 5096 cmd.exe | 3 | 118
4336 svchost.exe -> 2200 cmd.exe | 3 | 120
4336 svchost.exe -> 1624 cmd.exe | 3 | 122
4336 svchost.exe -> 2276 cmd.exe | 3 | 124
4336 svchost.exe -> 4728 cmd.exe | 3 | 126
4336 svchost.exe -> 4192 cmd.exe | 3 | 128
4336 svchost.exe -> 1412 cmd.exe | 3 | 130
4336 svchost.exe -> 4652 cmd.exe | 3 | 132
4336 svchost.exe -> 956 cmd.exe | 3 | 134
4336 svchost.exe -> 3112 cmd.exe | 1 (list truncated) | 136
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\5caa9ab24a9f71727407cf2b53fd50b3_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\5caa9ab24a9f71727407cf2b53fd50b3_JaffaCakes118.exe"
  PID 1996
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Program Files\Common Files\svchost.exe
    command line: "C:\Program Files\Common Files\svchost.exe" -s
    PID 4336
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c ipconfig /all >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
      PID 448
      - Suspicious use of WriteProcessMemory
      Level 4: C:\Windows\SysWOW64\ipconfig.exe
        command line: ipconfig /all
        PID 4388
        - Gathers network information

    Level 3: C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c set >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
      PID 1464

    Level 3: C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c systeminfo >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
      PID 2260
      - Suspicious use of WriteProcessMemory
      Level 4: C:\Windows\SysWOW64\systeminfo.exe
        command line: systeminfo
        PID 1872
        - Gathers system information

    Level 3: C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c netstat -na >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
      PID 1288
      - Suspicious use of WriteProcessMemory
      Level 4: C:\Windows\SysWOW64\NETSTAT.EXE
        command line: netstat -na
        PID 4472
        - Gathers network information
        - Suspicious use of AdjustPrivilegeToken

    Level 3: C:\Windows\SysWOW64\cmd.exe, one child per drive letter C: through Y:, all appending to the same file
      PID 1360: cmd /c dir C:\ /s >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
      PID 1752: cmd /c dir D:\ /s >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
      PID 4956: cmd /c dir E:\ /s >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
      PID 3420: cmd /c dir F:\ /s >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
      PID 5096: cmd /c dir G:\ /s >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
      PID 2200: cmd /c dir H:\ /s >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
      PID 1624: cmd /c dir I:\ /s >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
      PID 2276: cmd /c dir J:\ /s >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
      PID 4728: cmd /c dir K:\ /s >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
      PID 4192: cmd /c dir L:\ /s >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
      PID 1412: cmd /c dir M:\ /s >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
      PID 4652: cmd /c dir N:\ /s >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
      PID 956: cmd /c dir O:\ /s >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
      PID 3112: cmd /c dir P:\ /s >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
      PID 4932: cmd /c dir Q:\ /s >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
      PID 3956: cmd /c dir R:\ /s >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
      PID 4052: cmd /c dir S:\ /s >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
      PID 3488: cmd /c dir T:\ /s >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
      PID 4296: cmd /c dir U:\ /s >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
      PID 4936: cmd /c dir V:\ /s >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
      PID 2992: cmd /c dir W:\ /s >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
      PID 2196: cmd /c dir X:\ /s >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
      PID 4356: cmd /c dir Y:\ /s >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt

The collection pattern is the useful detection handle here: a single parent (the dropped svchost.exe) spawns cmd.exe for ipconfig /all, set, systeminfo, netstat -na and a recursive dir of every drive letter, and every command appends to one staging file, alldetails.txt, in the user's Temp directory.
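Detection logic for that pattern, as an added example that is not part of the Triage report: over Sysmon-style process-creation records (pid, ppid, image, command line) it groups cmd.exe children by parent and by the file their output is appended to, and raises one alert when the same parent has at least three distinct discovery commands writing to the same file. The event list is constructed from the PIDs and command lines shown in the tree above plus one benign control; the regexes, the threshold and the ProcEvent shape are assumptions for this example.

```python
"""Detect discovery commands staged into one output file (added example)."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional


class ProcEvent(NamedTuple):
    pid: int
    ppid: int
    image: str
    cmdline: str


# Discovery commands worth correlating, keyed by the label the alert reports.
DISCOVERY = {
    "ipconfig": re.compile(r"\bipconfig(\.exe)?\s+/all", re.I),
    "systeminfo": re.compile(r"\bsysteminfo(\.exe)?\b", re.I),
    "netstat": re.compile(r"\bnetstat(\.exe)?\s+-\w+", re.I),
    "set": re.compile(r"\bcmd(\.exe)?\s+/c\s+set\s*>", re.I),
    "dir_drive": re.compile(r"\bdir\s+([A-Za-z]):\\\s+/s", re.I),
}
# The file an append redirection (>>) targets, quoted or bare.
APPEND_TARGET = re.compile(r">>\s*(\"[^\"]+\"|\S+)")


def classify(cmdline: str) -> Optional[str]:
    """Label a command line with the first discovery pattern it matches."""
    for label, rx in DISCOVERY.items():
        if rx.search(cmdline):
            return label
    return None


def staging_file(cmdline: str) -> Optional[str]:
    """Return the normalised path the command appends its output to, if any."""
    m = APPEND_TARGET.search(cmdline)
    return m.group(1).strip('"').lower() if m else None


def detect_staged_discovery(events: List[ProcEvent], min_kinds: int = 3) -> List[Dict]:
    """One alert per (parent pid, staging file) that collects at least
    min_kinds distinct discovery commands. Drive letters seen in
    'dir X:\\ /s' children are summarised so the analyst sees the sweep."""
    by_pid = {e.pid: e for e in events}
    groups = defaultdict(lambda: {"kinds": set(), "drives": set(), "children": []})
    for e in events:
        if "cmd.exe" not in e.image.lower():
            continue
        target, label = staging_file(e.cmdline), classify(e.cmdline)
        if target is None or label is None:
            continue
        g = groups[(e.ppid, target)]
        g["kinds"].add(label)
        g["children"].append(e.pid)
        if label == "dir_drive":
            g["drives"].add(DISCOVERY["dir_drive"].search(e.cmdline).group(1).upper())
    alerts = []
    for (ppid, target), g in groups.items():
        if len(g["kinds"]) < min_kinds:
            continue
        parent = by_pid.get(ppid)
        alerts.append({
            "parent_pid": ppid,
            "parent_image": parent.image if parent else None,
            "staging_file": target,
            "kinds": sorted(g["kinds"]),
            "drives_enumerated": "".join(sorted(g["drives"])),
            "child_count": len(g["children"]),
        })
    return alerts


# Constructed from the process tree on this page (PIDs and command lines as shown).
CMD = r"C:\Windows\SysWOW64\cmd.exe"
STAGE = r"C:\Users\Admin\AppData\Local\Temp\alldetails.txt"
DRIVE_PIDS = [1360, 1752, 4956, 3420, 5096, 2200, 1624, 2276, 4728, 4192, 1412, 4652,
              956, 3112, 4932, 3956, 4052, 3488, 4296, 4936, 2992, 2196, 4356]
SAMPLE_EVENTS = [
    ProcEvent(4336, 1996, r"C:\Program Files\Common Files\svchost.exe",
              '"C:\\Program Files\\Common Files\\svchost.exe" -s'),
    ProcEvent(448, 4336, CMD, f"cmd /c ipconfig /all >> {STAGE}"),
    ProcEvent(4388, 448, r"C:\Windows\SysWOW64\ipconfig.exe", "ipconfig /all"),
    ProcEvent(1464, 4336, CMD, f"cmd /c set >> {STAGE}"),
    ProcEvent(2260, 4336, CMD, f"cmd /c systeminfo >> {STAGE}"),
    ProcEvent(1872, 2260, r"C:\Windows\SysWOW64\systeminfo.exe", "systeminfo"),
    ProcEvent(1288, 4336, CMD, f"cmd /c netstat -na >> {STAGE}"),
    ProcEvent(4472, 1288, r"C:\Windows\SysWOW64\NETSTAT.EXE", "netstat -na"),
    # Benign control (constructed): an admin appending one ipconfig to a log must not alert.
    ProcEvent(7000, 6000, CMD, r"cmd /c ipconfig /all >> C:\Temp\net.txt"),
] + [ProcEvent(pid, 4336, CMD, f"cmd /c dir {letter}:\\ /s >> {STAGE}")
     for letter, pid in zip("CDEFGHIJKLMNOPQRSTUVWXY", DRIVE_PIDS)]


if __name__ == "__main__":
    for alert in detect_staged_discovery(SAMPLE_EVENTS):
        print(alert)
```

Keying on the staging file rather than on any single utility is what keeps the rule quiet on administrators: ipconfig, systeminfo and netstat are each common alone, and only the fan-out from one parent into one append target is characteristic of this sample.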
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 260KB (the submitted sample; hashes match the General section)
MD5: 5caa9ab24a9f71727407cf2b53fd50b3
SHA1: b9a3c1210ca5dcb20a7dbb5d715dded43b03d354
SHA256: 0839ef2535c7ca36180a7c673ffc7b5551021e2de39fd26a8e2b1861cf706de9
SHA512: 6e6bc7ed995e3b1311b730c33e08429fb03d13b225b1f66d6345cb4e3094d9b19452b9e4536fcb053dc7ca46f2a279f1742f6362ff1705657bd826d205832856

Filesize: 2KB
MD5: a35e48c72fd925be4f39a8f01821b91e
SHA1: 930f3704d2440c37ace5ac49a69a00608579a048
SHA256: 7920fa58a3162d2ae5715615f7ff7d8bf7ec224c5042f23de08f30f9310964d3
SHA512: 112b3ef728c61ddcd28d481571acbc2350a423077e2e1d5a70bf5bbf96655368f97dca1b1448827c0d81630a5773731648304a365cb91887a7f122595ef3aec3

Filesize: 4KB
MD5: 0d53aacc0136da11a257a60c2c0b6e2c
SHA1: 16cb63f9f2c75ed171a6d45d7d4cd39c92d3f804
SHA256: edca9d7fa81cb7491cc28f720718bafb5293fabcf95d021167573368d16a951b
SHA512: 038ba84469d4994c59fcc544be38d36722dc0a98e761b997beb3c888f899bb6ad50065fff49e4ea28e5c1a70fdaad089786cefec57f3074ced2f268f1f01ee06

Filesize: 8KB
MD5: 2428fab7e4cadc7cd563b071ab9d2463
SHA1: 0e6d7a522acd1c259d4cd801773bf65c2d4ea06d
SHA256: a913dd2db1056aacbca64d4778220077b16fbc1efc05c400fb78612857c0a6a5
SHA512: fcca28afe78f755e0b039b94c3b027c773669f5d69d833d211e1878e43583c71ab68d3d51de885305f49b04211e9a7873cca4736132141ea71d4bae8870283dd

Filesize: 37.3MB
MD5: 74b54312274745e3294f4764fb19fd1a
SHA1: 7947e4b9ab74a26591bc665ca677a6b1d8b24d5f
SHA256: b2a73397d555726ef81c8005cb25096e023b216fdf5cc612785c5417d7668609
SHA512: b2aa9e83863cf219e8d8afede6a8b41422d91e2af584d2fe8ec7e37a793b1f8bdc5e83c6e015d06179ea501aa7318b1f47f2f9680a86bc4516e4485bf6b85ebc

Filesize: 49B
MD5: d3955f3d6fde7978e1ff0e9bbefea4ee
SHA1: 7c067fb93a616b26bf5b2cadf0dbbc4000805b6d
SHA256: 7db2f249e3cb6982872e103f1635b6f84960b4c704f0594693c684384d2e75c9
SHA512: 23a3aa6ebe4c7065c8c84cf4db54b97abaf3b76c53d0d3ea96c1c59f232b8f2aee3319a9621588991e228ee8079098332f21b81f2c5617edab2e23d60e7f53c8

Filesize: 4.0MB
MD5: ccfccb4fdbcdc4b7b5c40be6a77dac64
SHA1: 441d612ee7c28172134d29c7568175a9823c1446
SHA256: 1f5b2a4ddc9a51ab506dcdc3b0173e68582e7c69e2356df47953c3bf10fc9c1e
SHA512: d344810900723ea48a0f1f3cae4826416b25916561bb9eed88a5e1307a1714e46e803e75a98c614cae93a7095cb1540185f027d185bdea34245c74e06703351d