Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23/07/2024, 10:20
Static task: static1
Behavioral task: behavioral1
- Sample: 672dc12a7e174c9d43c37da653ab2a73_JaffaCakes118.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 672dc12a7e174c9d43c37da653ab2a73_JaffaCakes118.exe
- Resource: win10v2004-20240709-en
General
- Target: 672dc12a7e174c9d43c37da653ab2a73_JaffaCakes118.exe
- Size: 2.8MB
- MD5: 672dc12a7e174c9d43c37da653ab2a73
- SHA1: ee8e3be6d277e08414a4cfa1142578cdb46a5d66
- SHA256: c5cd032f4ccc63d93b7b3eaa7810b7a86a21d3045fe96ad7d16134970fb25a87
- SHA512: c6dfe29db13beccb5795369fbd7495db438cb8d33d1d35c884363e80504473ac2dc4f152ed55ac7a4bde2c5c804289b2594a2270e5298ceb44c44717a27c8469
- SSDEEP: 49152:Fi7aJUT6ABButyHO5E9NcP+vUObFDg2MtH/e0O7OOn:o7oUTNXN9yP+FFg/ZeJ7OO
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 3300: 360O0K.exe
- Drops file in System32 directory (5 IoCs)
  File opened for modification: C:\Windows\SysWOW64\360O0K.exe (process: 672dc12a7e174c9d43c37da653ab2a73_JaffaCakes118.exe)
  File created: C:\Windows\SysWOW64\360O0K.exe (process: 360O0K.exe)
  File created: C:\Windows\SysWOW64\Deleteme.bat (process: 360O0K.exe)
  File created: C:\Windows\SysWOW64\Deleteme.bat (process: 672dc12a7e174c9d43c37da653ab2a73_JaffaCakes118.exe)
  File created: C:\Windows\SysWOW64\360O0K.exe (process: 672dc12a7e174c9d43c37da653ab2a73_JaffaCakes118.exe)
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid 3548: 672dc12a7e174c9d43c37da653ab2a73_JaffaCakes118.exe
  pid 3300: 360O0K.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 3300 (360O0K.exe) wrote to memory of PID 3900 (procid_target 92)
  PID 3300 (360O0K.exe) wrote to memory of PID 3900 (procid_target 92)
  PID 3300 (360O0K.exe) wrote to memory of PID 3900 (procid_target 92)
  PID 3548 (672dc12a7e174c9d43c37da653ab2a73_JaffaCakes118.exe) wrote to memory of PID 2708 (procid_target 94)
  PID 3548 (672dc12a7e174c9d43c37da653ab2a73_JaffaCakes118.exe) wrote to memory of PID 2708 (procid_target 94)
  PID 3548 (672dc12a7e174c9d43c37da653ab2a73_JaffaCakes118.exe) wrote to memory of PID 2708 (procid_target 94)
Processes
- C:\Users\Admin\AppData\Local\Temp\672dc12a7e174c9d43c37da653ab2a73_JaffaCakes118.exe (PID 3548, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\672dc12a7e174c9d43c37da653ab2a73_JaffaCakes118.exe"
  Signatures: Drops file in System32 directory; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2708, depth 2)
    Command line: C:\Windows\system32\cmd.exe /c C:\Windows\system32\Deleteme.bat
- C:\Windows\SysWOW64\360O0K.exe (PID 3300, depth 1)
  Command line: C:\Windows\SysWOW64\360O0K.exe -NetSata
  Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 3900, depth 2)
    Command line: C:\Windows\system32\cmd.exe /c C:\Windows\system32\Deleteme.bat
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 2.8MB
  MD5: 672dc12a7e174c9d43c37da653ab2a73
  SHA1: ee8e3be6d277e08414a4cfa1142578cdb46a5d66
  SHA256: c5cd032f4ccc63d93b7b3eaa7810b7a86a21d3045fe96ad7d16134970fb25a87
  SHA512: c6dfe29db13beccb5795369fbd7495db438cb8d33d1d35c884363e80504473ac2dc4f152ed55ac7a4bde2c5c804289b2594a2270e5298ceb44c44717a27c8469
- Filesize: 104B
  MD5: 839c9dbcd895d19dacd52121a0c23878
  SHA1: 5d231de1773db42fa1216dbb90361ec61bd4738e
  SHA256: c6be12ac39b9d0cf770b0f490db4fcb019afb196a51a50821efced21c08e8578
  SHA512: 270f4a2bf75a4e5f8c182afd9f79a57b5f8e7c8c17ae39148bbe4a2ce4b55978abd12d4eee5d9c525da7d43ad395fc017e93d0018b8c199c18c9f0d4638286b3
- Filesize: 212B
  MD5: 9b681367f7172409f72a18f67a0f2a95
  SHA1: fa9900b596651bdd70d29917a1f3d581f2038654
  SHA256: 24d72f4e538732037791fed185ad208ee5220c42a8687d8bfcb990fb16fcaa3b
  SHA512: 1911bd8907c8d158caa67059c527017f8572161d8b63740ceb02b6e6093092c3f2186483d687b2977c1acdc89ac98d325186061ea533064c696669b8610d9a1d