Analysis
- max time kernel: 144s
- max time network: 109s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23/07/2024, 02:02
Behavioral task behavioral1
- Sample: 65b77dc9bcc299eb6c89b7a634c923d7_JaffaCakes118.exe
- Resource: win7-20240708-en
Behavioral task behavioral2
- Sample: 65b77dc9bcc299eb6c89b7a634c923d7_JaffaCakes118.exe
- Resource: win10v2004-20240709-en
General
- Target: 65b77dc9bcc299eb6c89b7a634c923d7_JaffaCakes118.exe
- Size: 409KB
- MD5: 65b77dc9bcc299eb6c89b7a634c923d7
- SHA1: 332deaaa6ffe33f5e7820a5d7ec9fd67e7b8395e
- SHA256: 24fc182e430c1d3e140af10bce14ca417f912dc93de5f2d5aeaaa9708b6a2623
- SHA512: aeb4579f9f96cb3d4ce257558dbdf500c4ef192347952fae35bbb0c1f4fce470e5a1271d88fbc447482a7ddbb8dab85f5cfef2c620ed96c3af5f44759aa170d5
- SSDEEP: 12288:DA4goYcLbiCwhCXfVjIzU8F3Ug9DO7hzm9ubK3rrE4GWHG4:DAtcLECXpIz1F3Rk2304GW
Malware Config
Signatures
Executes dropped EXE 1 IoCs
- pid 4368, Process: Tkusya.exe
resource / yara_rule
- behavioral2/memory/4396-0-0x0000000000400000-0x0000000000468000-memory.dmp: upx
- behavioral2/files/0x000b00000002341f-9.dat: upx
Drops file in Windows directory 6 IoCs
- File opened for modification: C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job (Process: 65b77dc9bcc299eb6c89b7a634c923d7_JaffaCakes118.exe)
- File created: C:\Windows\Tkusya.exe (Process: 65b77dc9bcc299eb6c89b7a634c923d7_JaffaCakes118.exe)
- File opened for modification: C:\Windows\Tkusya.exe (Process: 65b77dc9bcc299eb6c89b7a634c923d7_JaffaCakes118.exe)
- File created: C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job (Process: Tkusya.exe)
- File opened for modification: C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job (Process: Tkusya.exe)
- File created: C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job (Process: 65b77dc9bcc299eb6c89b7a634c923d7_JaffaCakes118.exe)
Program crash 1 IoCs
- pid 31156, pid_target 4368, Process: WerFault.exe, procid_target 89
Modifies Internet Explorer settings 1 IoCs
- Key created: \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Microsoft\Internet Explorer\Main (Process: Tkusya.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
- pid 4368, Process: Tkusya.exe (64 identical entries)
Suspicious use of WriteProcessMemory 3 IoCs
- PID 4396 wrote to memory of 4368 (Process: 65b77dc9bcc299eb6c89b7a634c923d7_JaffaCakes118.exe, procid_target 89) (3 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\65b77dc9bcc299eb6c89b7a634c923d7_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\65b77dc9bcc299eb6c89b7a634c923d7_JaffaCakes118.exe"
  PID: 4396
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Tkusya.exe
    Command line: C:\Windows\Tkusya.exe
    PID: 4368
    - Executes dropped EXE
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 832
      PID: 31156
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4368 -ip 4368
  PID: 31160
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 390B
  MD5: 5f241503e5584c4d2c87080bec761660
  SHA1: 1ea014c73024bdafea895c68174ac33f48a6e9a8
  SHA256: 5eab214b99b3d7316fe65b6ea42a6bc7f1251031e5a6c961092734da658bea28
  SHA512: 25e570293fb5c224e428b79428b326dd6ebd105bb3945e30b3b336bfe22834e8b5de5cdeb06b269b4689615169d736625d652e032d3827860c89d53fc8e8f62a
- Filesize: 409KB
  MD5: 65b77dc9bcc299eb6c89b7a634c923d7
  SHA1: 332deaaa6ffe33f5e7820a5d7ec9fd67e7b8395e
  SHA256: 24fc182e430c1d3e140af10bce14ca417f912dc93de5f2d5aeaaa9708b6a2623
  SHA512: aeb4579f9f96cb3d4ce257558dbdf500c4ef192347952fae35bbb0c1f4fce470e5a1271d88fbc447482a7ddbb8dab85f5cfef2c620ed96c3af5f44759aa170d5