Analysis
  max time kernel: 150s
  max time network: 157s
  platform: windows10-2004_x64
  resource: win10v2004-20240709-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 21/07/2024, 12:16
Static task: static1

Behavioral task: behavioral1
  Sample: 608e4ce5e00445773fdee643da42718e_JaffaCakes118.exe
  Resource: win7-20240704-en

Behavioral task: behavioral2
  Sample: 608e4ce5e00445773fdee643da42718e_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
  Target: 608e4ce5e00445773fdee643da42718e_JaffaCakes118.exe
  Size: 48KB
  MD5: 608e4ce5e00445773fdee643da42718e
  SHA1: d809931dc7d6c6f04a01ae10d38ee0ee86be53d1
  SHA256: 97c973dd448ba938539f9e0263b7108f13ca9f8734fff7c308a291f759b691f8
  SHA512: 80a9c153d96dbca1c55ca3870cccca5c54d15a77c0a96f487e780c9127c08000b9e47c00bf40164aa8fd7825eb82101f463199511435db4cf484de2ed27559de
  SSDEEP: 768:ascdOsLQ3H2+qgd4OYkKohyhlatrxuKTlkA8UuALt7aCbGX5/hcK65EfOpZ:1mQtCkKvXatrspPk1hKI15ZpZ
Malware Config
Signatures

Blocklisted process makes network request (2 IoCs)
  flow | pid  | Process
  35   | 4212 | rundll32.exe
  37   | 4212 | rundll32.exe

Loads dropped DLL (2 IoCs)
  pid  | Process
  1732 | 608e4ce5e00445773fdee643da42718e_JaffaCakes118.exe
  4212 | rundll32.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description     | ioc                                                                                                                                               | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSServer = "rundll32.exe C:\\Windows\\system32\\awtrQJBS.dll,#1" | rundll32.exe

Drops file in System32 directory (5 IoCs)
  description                  | ioc                               | Process
  File opened for modification | C:\Windows\SysWOW64\nnnnKeeD.dll  | 608e4ce5e00445773fdee643da42718e_JaffaCakes118.exe
  File created                 | C:\Windows\SysWOW64\nnnnKeeD.dll  | 608e4ce5e00445773fdee643da42718e_JaffaCakes118.exe
  File created                 | C:\Windows\SysWOW64\awtrQJBS.dll  | 608e4ce5e00445773fdee643da42718e_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\awtrQJBS.dll  | 608e4ce5e00445773fdee643da42718e_JaffaCakes118.exe
  File created                 | C:\Windows\SysWOW64\vtUmNGaa.dll  | rundll32.exe

Modifies registry class (4 IoCs)
  description     | ioc                                                                                                                                                   | Process
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{70E5C213-45BC-4494-BA22-025EE7A38A42}                                                           | rundll32.exe
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{70E5C213-45BC-4494-BA22-025EE7A38A42}\InprocServer32                                            | rundll32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{70E5C213-45BC-4494-BA22-025EE7A38A42}\InprocServer32\ = "C:\\Windows\\SysWow64\\awtrQJBS.dll"   | rundll32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{70E5C213-45BC-4494-BA22-025EE7A38A42}\InprocServer32\ThreadingModel = "Both"                    | rundll32.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid  | Process
  1732 | 608e4ce5e00445773fdee643da42718e_JaffaCakes118.exe (2 entries)
  4212 | rundll32.exe (repeated for the remaining entries; 64 entries in total)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              | pid  | Process
  Token: SeDebugPrivilege  | 1732 | 608e4ce5e00445773fdee643da42718e_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid  | Process
  1732 | 608e4ce5e00445773fdee643da42718e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (10 IoCs)
  description                       | pid  | Process                                            | procid_target
  PID 1732 wrote to memory of 612   | 1732 | 608e4ce5e00445773fdee643da42718e_JaffaCakes118.exe | 5
  PID 1732 wrote to memory of 4212  | 1732 | 608e4ce5e00445773fdee643da42718e_JaffaCakes118.exe | 95
  PID 1732 wrote to memory of 4212  | 1732 | 608e4ce5e00445773fdee643da42718e_JaffaCakes118.exe | 95
  PID 1732 wrote to memory of 4212  | 1732 | 608e4ce5e00445773fdee643da42718e_JaffaCakes118.exe | 95
  PID 1732 wrote to memory of 5008  | 1732 | 608e4ce5e00445773fdee643da42718e_JaffaCakes118.exe | 96
  PID 1732 wrote to memory of 5008  | 1732 | 608e4ce5e00445773fdee643da42718e_JaffaCakes118.exe | 96
  PID 1732 wrote to memory of 5008  | 1732 | 608e4ce5e00445773fdee643da42718e_JaffaCakes118.exe | 96
  PID 4212 wrote to memory of 3880  | 4212 | rundll32.exe                                       | 98
  PID 4212 wrote to memory of 3880  | 4212 | rundll32.exe                                       | 98
  PID 4212 wrote to memory of 3880  | 4212 | rundll32.exe                                       | 98
Processes

C:\Windows\system32\winlogon.exe (depth 1, PID 612)
  Command line: winlogon.exe

C:\Users\Admin\AppData\Local\Temp\608e4ce5e00445773fdee643da42718e_JaffaCakes118.exe (depth 1, PID 1732)
  Command line: "C:\Users\Admin\AppData\Local\Temp\608e4ce5e00445773fdee643da42718e_JaffaCakes118.exe"
  Signatures:
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe (depth 2, PID 4212)
    Command line: rundll32.exe C:\Windows\system32\awtrQJBS.dll,a
    Signatures:
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe (depth 3, PID 3880)
      Command line: rundll32.exe "C:\Windows\system32\vtUmNGaa.dll",s

  C:\Windows\SysWOW64\cmd.exe (depth 2, PID 5008)
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\removalfile.bat "C:\Users\Admin\AppData\Local\Temp\608e4ce5e00445773fdee643da42718e_JaffaCakes118.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads

  Filesize: 43B
  MD5: 9a7ef09167a6f4433681b94351509043
  SHA1: 259b1375ed8e84943ca1d42646bb416325c89e12
  SHA256: d5739a0510d89da572eb0b0d394d4fb4dd361cd9ee0144b9b31c590df93c3be7
  SHA512: 96b84cd88a0e4b7c1122af3ed6ce5edf0a9a4e9bf79575eadfac16b2c46f1278d57755d29f21d7c6dcb4403be24b7ac7da4837c6cc9c602342a8f2b8e54883df

  Filesize: 34KB
  MD5: c03da72257e3c41d39056605b01dbd61
  SHA1: 27dda6a3222759167f48e84c5b3c6686992df60b
  SHA256: 08c3e4516fd54b2dc9c1c98509e003e8e238c89a363719cab657381511d4ce65
  SHA512: 80e2061f3b13133b72d2909c687692505b0242802e95fbc7d21f1b5fb460610436cb53ec7e1d48cde31eb7407405bf99a5790de7c8acc9883287919ce7f8663c

  Filesize: 1KB
  MD5: 3c7214f692a36eac104629adbd630401
  SHA1: bc01b5bccd69d002b71be2682e186a8bbc5e1190
  SHA256: 667714fe60873062ebba2348af1aab499de16330306c1cc2d2b8d3e223b2db25
  SHA512: 04b5decd3e7fd7e85f44543e02f4057777fb7e58236007267748e9d111c2df2d4d88f85eca3374c84e363c266d20bc22428614b6bb443c2bd48f12f5ff38be2d