Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/07/2024, 00:39
Static task: static1
Behavioral task: behavioral1
Sample: 6998e8909736fbdbc0d0e34d36ce17fb_JaffaCakes118.exe
Resource: win7-20240708-en
Behavioral task: behavioral2
Sample: 6998e8909736fbdbc0d0e34d36ce17fb_JaffaCakes118.exe
Resource: win10v2004-20240709-en
General
Target: 6998e8909736fbdbc0d0e34d36ce17fb_JaffaCakes118.exe
Size: 305KB
MD5: 6998e8909736fbdbc0d0e34d36ce17fb
SHA1: 262471cb3b68a64f96685620b1462f53ac03c088
SHA256: 3132bb867d42ed85143c47752cac9411a0ab1fe93e5d59460a671504ef38581d
SHA512: 6e77ff2f717523b5652cfaa81d663843e2aa11ee7063c81fbe0d8ec0c87a12ffa6e6f7926a1d6a63213a5671b4a8382aaccfae2aaaa7780cce56ca014b66ccc2
SSDEEP: 6144:rdu3Rce6mJ6m1Id6Qi5dskw8vYQt775ye+aa2nu/+oS:Ju3Se686oQ6Qi5d3wQt77m+oS
Malware Config
Signatures

Drops file in Drivers directory (1 IoC)
  description: File opened for modification
  ioc: C:\Windows\SysWOW64\drivers\beep.sys
  process: 6998e8909736fbdbc0d0e34d36ce17fb_JaffaCakes118.exe

Deletes itself (1 IoC)
  pid: 4612
  process: intel.exe

Executes dropped EXE (1 IoC)
  pid: 4612
  process: intel.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  process: intel.exe
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  process: 6998e8909736fbdbc0d0e34d36ce17fb_JaffaCakes118.exe

Suspicious behavior: LoadsDriver (1 IoC)
  pid: 652
  process: Process not Found

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege
  pid: 4612
  process: intel.exe

Suspicious use of WriteProcessMemory (3 IoCs, three identical entries)
  description: PID 4612 wrote to memory of 3032
  pid: 4612
  process: intel.exe
  procid_target: 88
Processes

C:\Users\Admin\AppData\Local\Temp\6998e8909736fbdbc0d0e34d36ce17fb_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\6998e8909736fbdbc0d0e34d36ce17fb_JaffaCakes118.exe"
  PID: 1304
  - Drops file in Drivers directory
  - System Location Discovery: System Language Discovery

C:\Program Files (x86)\intel\intel.exe
  command line: "C:\Program Files (x86)\intel\intel.exe"
  PID: 4612
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\svchost.exe (child of intel.exe, PID 4612)
    command line: "C:\Windows\system32\svchost.exe" 79014
    PID: 3032
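The signatures and process tree above describe four behaviours worth turning into host-side checks: a user-land binary opening a file under the drivers directory, a read of the NLS\Language key, a process enabling SeDebugPrivilege and then writing into svchost.exe, and an svchost.exe instance that was not started by the Service Control Manager. The script below is an added example, not part of the tria.ge report or of any tria.ge tooling. It replays the report's IoCs as a constructed event stream (the event schema, field names and rule names are assumptions) and runs the four checks over it. intel.exe is shown at the top level of the report's tree, so its parent is left unknown.

```python
from collections import defaultdict

# Paths and the registry key exactly as the report records them.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\6998e8909736fbdbc0d0e34d36ce17fb_JaffaCakes118.exe"
DROPPED = r"C:\Program Files (x86)\intel\intel.exe"
SVCHOST = r"C:\Windows\SysWOW64\svchost.exe"
NLS_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"

# Constructed event stream, one dict per observation, in the order the
# report's process tree and signature table imply. The schema is an
# assumption for this example, not a tria.ge or EDR format. intel.exe's
# parent is not recorded in the report, so it is None here.
EVENTS = [
    {"type": "process_create", "pid": 1304, "parent": None, "image": SAMPLE,
     "cmdline": f'"{SAMPLE}"'},
    {"type": "file_modify", "pid": 1304, "path": r"C:\Windows\SysWOW64\drivers\beep.sys"},
    {"type": "reg_open", "pid": 1304, "key": NLS_KEY},
    {"type": "process_create", "pid": 4612, "parent": None, "image": DROPPED,
     "cmdline": f'"{DROPPED}"'},
    {"type": "reg_open", "pid": 4612, "key": NLS_KEY},
    {"type": "token_adjust", "pid": 4612, "privilege": "SeDebugPrivilege"},
    {"type": "process_create", "pid": 3032, "parent": 4612, "image": SVCHOST,
     "cmdline": r'"C:\Windows\system32\svchost.exe" 79014'},
    {"type": "write_process_memory", "pid": 4612, "target_pid": 3032},
]

WINDOWS_DIR = "c:\\windows\\"
# Both driver directories are matched: on x64 the WoW64 file system
# redirector maps a 32-bit process's System32\drivers writes onto
# SysWOW64\drivers, which is the path the report recorded.
DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\syswow64\\drivers\\")


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return (rule, subject) findings for the behaviours seen in the report."""
    procs = {}                 # pid -> its process_create event
    privs = defaultdict(set)   # pid -> privileges it enabled
    findings = []
    for ev in events:
        kind = ev["type"]
        if kind == "process_create":
            procs[ev["pid"]] = ev
            if _basename(ev["image"]) == "svchost.exe":
                parent = procs.get(ev.get("parent"))
                parent_name = _basename(parent["image"]) if parent else ""
                # Legitimate svchost.exe is started by services.exe with -k <group>.
                if parent_name != "services.exe" or "-k" not in ev["cmdline"].lower():
                    findings.append(("svchost_spawned_outside_scm", ev["pid"]))
        elif kind == "file_modify":
            image = procs.get(ev["pid"], {}).get("image", "").lower()
            if ev["path"].lower().startswith(DRIVER_DIRS) and not image.startswith(WINDOWS_DIR):
                findings.append(("driver_dir_write_by_user_binary", ev["pid"]))
        elif kind == "reg_open":
            if ev["key"].lower().endswith("\\control\\nls\\language"):
                findings.append(("system_language_discovery", ev["pid"]))
        elif kind == "token_adjust":
            privs[ev["pid"]].add(ev["privilege"])
        elif kind == "write_process_memory":
            src, dst = ev["pid"], ev["target_pid"]
            target = procs.get(dst, {}).get("image", "").lower()
            # Debug privilege plus a cross-process write into a Windows
            # binary is the injection pattern the report shows.
            if "SeDebugPrivilege" in privs[src] and target.startswith(WINDOWS_DIR):
                findings.append(("debug_priv_write_into_system_process", (src, dst)))
    return findings


if __name__ == "__main__":
    for rule, subject in analyze(EVENTS):
        print(f"{rule:40} {subject}")
```

Run against the constructed stream, the checks fire on PID 1304 (driver directory write, language key), PID 4612 (language key), the svchost.exe instance 3032 (not started by services.exe and launched without -k) and the 4612 -> 3032 memory write. The language key read is the weakest signal of the four, since benign installers read it too; the other three are the ones to alert on.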
-
Network
MITRE ATT&CK Enterprise v15