Site notice (Windows 7 deprecation): Windows 7 will be removed from tria.ge on 2025-03-31.
Analysis
- max time kernel: 148s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26/07/2024, 08:14
Static task
- static1

Behavioral task: behavioral1
- Sample: 7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe
- Resource: win7-20240704-en

Behavioral task: behavioral2
- Sample: 7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe
- Resource: win10v2004-20240709-en
General
- Target: 7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe
- Size: 6.3MB
- MD5: 7340cb5d0035c78e8f3a630ae917b39b
- SHA1: 26fe1760506c6279c6fd4a779557146c858ba3d4
- SHA256: 6df75204e267f610904c481090ed5bdbafd788f4234f943a35bc67643527d63b
- SHA512: 530289a002ba16e59b4748eab6430da49394fdea43c75ededde9adc8f8191489129dce891b2f091cc9cb76b0657660387ed6fe27656ad67dc04a913ffd05e124
- SSDEEP: 98304:p9SBeaEG/VGiJwDhErzfz+9+A6LKSA/zlx/RH:7cean/VGiJmErzfzt+zl/
Malware Config
Signatures
- GoLang User-Agent (8 IoCs)
  Uses default user-agent string defined by GoLang HTTP packages.

  description             flow  ioc
  HTTP User-Agent header  42    Go-http-client/1.1
  HTTP User-Agent header  48    Go-http-client/1.1
  HTTP User-Agent header  51    Go-http-client/1.1
  HTTP User-Agent header  67    Go-http-client/1.1
  HTTP User-Agent header  68    Go-http-client/1.1
  HTTP User-Agent header  69    Go-http-client/1.1
  HTTP User-Agent header  1     Go-http-client/1.1
  HTTP User-Agent header  28    Go-http-client/1.1
- Suspicious use of AdjustPrivilegeToken (64 IoCs)

  description                          pid   Process
  Token: SeIncreaseQuotaPrivilege      1416  wmic.exe
  Token: SeSecurityPrivilege           1416  wmic.exe
  Token: SeTakeOwnershipPrivilege      1416  wmic.exe
  Token: SeLoadDriverPrivilege         1416  wmic.exe
  Token: SeSystemProfilePrivilege      1416  wmic.exe
  Token: SeSystemtimePrivilege         1416  wmic.exe
  Token: SeProfSingleProcessPrivilege  1416  wmic.exe
  Token: SeIncBasePriorityPrivilege    1416  wmic.exe
  Token: SeCreatePagefilePrivilege     1416  wmic.exe
  Token: SeBackupPrivilege             1416  wmic.exe
  Token: SeRestorePrivilege            1416  wmic.exe
  Token: SeShutdownPrivilege           1416  wmic.exe
  Token: SeDebugPrivilege              1416  wmic.exe
  Token: SeSystemEnvironmentPrivilege  1416  wmic.exe
  Token: SeRemoteShutdownPrivilege     1416  wmic.exe
  Token: SeUndockPrivilege             1416  wmic.exe
  Token: SeManageVolumePrivilege       1416  wmic.exe
  Token: 33                            1416  wmic.exe
  Token: 34                            1416  wmic.exe
  Token: 35                            1416  wmic.exe
  Token: 36                            1416  wmic.exe
  Token: SeIncreaseQuotaPrivilege      1416  wmic.exe
  Token: SeSecurityPrivilege           1416  wmic.exe
  Token: SeTakeOwnershipPrivilege      1416  wmic.exe
  Token: SeLoadDriverPrivilege         1416  wmic.exe
  Token: SeSystemProfilePrivilege      1416  wmic.exe
  Token: SeSystemtimePrivilege         1416  wmic.exe
  Token: SeProfSingleProcessPrivilege  1416  wmic.exe
  Token: SeIncBasePriorityPrivilege    1416  wmic.exe
  Token: SeCreatePagefilePrivilege     1416  wmic.exe
  Token: SeBackupPrivilege             1416  wmic.exe
  Token: SeRestorePrivilege            1416  wmic.exe
  Token: SeShutdownPrivilege           1416  wmic.exe
  Token: SeDebugPrivilege              1416  wmic.exe
  Token: SeSystemEnvironmentPrivilege  1416  wmic.exe
  Token: SeRemoteShutdownPrivilege     1416  wmic.exe
  Token: SeUndockPrivilege             1416  wmic.exe
  Token: SeManageVolumePrivilege       1416  wmic.exe
  Token: 33                            1416  wmic.exe
  Token: 34                            1416  wmic.exe
  Token: 35                            1416  wmic.exe
  Token: 36                            1416  wmic.exe
  Token: SeIncreaseQuotaPrivilege      1592  wmic.exe
  Token: SeSecurityPrivilege           1592  wmic.exe
  Token: SeTakeOwnershipPrivilege      1592  wmic.exe
  Token: SeLoadDriverPrivilege         1592  wmic.exe
  Token: SeSystemProfilePrivilege      1592  wmic.exe
  Token: SeSystemtimePrivilege         1592  wmic.exe
  Token: SeProfSingleProcessPrivilege  1592  wmic.exe
  Token: SeIncBasePriorityPrivilege    1592  wmic.exe
  Token: SeCreatePagefilePrivilege     1592  wmic.exe
  Token: SeBackupPrivilege             1592  wmic.exe
  Token: SeRestorePrivilege            1592  wmic.exe
  Token: SeShutdownPrivilege           1592  wmic.exe
  Token: SeDebugPrivilege              1592  wmic.exe
  Token: SeSystemEnvironmentPrivilege  1592  wmic.exe
  Token: SeRemoteShutdownPrivilege     1592  wmic.exe
  Token: SeUndockPrivilege             1592  wmic.exe
  Token: SeManageVolumePrivilege       1592  wmic.exe
  Token: 33                            1592  wmic.exe
  Token: 34                            1592  wmic.exe
  Token: 35                            1592  wmic.exe
  Token: 36                            1592  wmic.exe
  Token: SeIncreaseQuotaPrivilege      1592  wmic.exe
- Suspicious use of WriteProcessMemory (64 IoCs)

  description                       pid   Process                                              procid_target
  PID 4780 wrote to memory of 548   4780  7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe  85
  PID 4780 wrote to memory of 548   4780  7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe  85
  PID 4780 wrote to memory of 732   4780  7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe  89
  PID 4780 wrote to memory of 732   4780  7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe  89
  PID 4780 wrote to memory of 1416  4780  7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe  90
  PID 4780 wrote to memory of 1416  4780  7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe  90
  PID 4780 wrote to memory of 2296  4780  7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe  92
  PID 4780 wrote to memory of 2296  4780  7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe  92
  PID 4780 wrote to memory of 404   4780  7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe  93
  PID 4780 wrote to memory of 404   4780  7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe  93
  PID 4780 wrote to memory of 2912  4780  7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe  101
  PID 4780 wrote to memory of 2912  4780  7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe  101
  PID 4780 wrote to memory of 1592  4780  7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe  102
  PID 4780 wrote to memory of 1592  4780  7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe  102
  PID 4780 wrote to memory of 4864  4780  7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe  103
  PID 4780 wrote to memory of 4864  4780  7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe  103
  PID 4780 wrote to memory of 2024  4780  7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe  104
  PID 4780 wrote to memory of 2024  4780  7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe  104
  PID 4780 wrote to memory of 3084  4780  7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe  108
  PID 4780 wrote to memory of 3084  4780  7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe  108
  PID 4780 wrote to memory of 3304  4780  7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe  109
  PID 4780 wrote to memory of 3304  4780  7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe  109
  PID 4780 wrote to memory of 4352  4780  7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe  110
  PID 4780 wrote to memory of 4352  4780  7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe  110
  PID 4780 wrote to memory of 3428  4780  7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe  111
  PID 4780 wrote to memory of 3428  4780  7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe  111
  PID 4780 wrote to memory of 2908  4780  7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe  112
  PID 4780 wrote to memory of 2908  4780  7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe  112
  PID 4780 wrote to memory of 1416  4780  7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe  113
  PID 4780 wrote to memory of 1416  4780  7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe  113
  PID 4780 wrote to memory of 3756  4780  7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe  114
  PID 4780 wrote to memory of 3756  4780  7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe  114
  PID 4780 wrote to memory of 3908  4780  7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe  115
  PID 4780 wrote to memory of 3908  4780  7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe  115
  PID 4780 wrote to memory of 1656  4780  7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe  117
  PID 4780 wrote to memory of 1656  4780  7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe  117
  PID 4780 wrote to memory of 2656  4780  7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe  118
  PID 4780 wrote to memory of 2656  4780  7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe  118
  PID 4780 wrote to memory of 2724  4780  7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe  119
  PID 4780 wrote to memory of 2724  4780  7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe  119
  PID 4780 wrote to memory of 1760  4780  7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe  120
  PID 4780 wrote to memory of 1760  4780  7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe  120
  PID 4780 wrote to memory of 4296  4780  7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe  129
  PID 4780 wrote to memory of 4296  4780  7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe  129
  PID 4780 wrote to memory of 2868  4780  7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe  130
  PID 4780 wrote to memory of 2868  4780  7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe  130
  PID 4780 wrote to memory of 1436  4780  7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe  131
  PID 4780 wrote to memory of 1436  4780  7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe  131
  PID 4780 wrote to memory of 1028  4780  7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe  132
  PID 4780 wrote to memory of 1028  4780  7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe  132
  PID 4780 wrote to memory of 3672  4780  7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe  133
  PID 4780 wrote to memory of 3672  4780  7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe  133
  PID 4780 wrote to memory of 3796  4780  7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe  134
  PID 4780 wrote to memory of 3796  4780  7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe  134
  PID 4780 wrote to memory of 2220  4780  7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe  135
  PID 4780 wrote to memory of 2220  4780  7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe  135
  PID 4780 wrote to memory of 1384  4780  7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe  136
  PID 4780 wrote to memory of 1384  4780  7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe  136
  PID 4780 wrote to memory of 1140  4780  7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe  140
  PID 4780 wrote to memory of 1140  4780  7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe  140
  PID 4780 wrote to memory of 5024  4780  7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe  141
  PID 4780 wrote to memory of 5024  4780  7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe  141
  PID 4780 wrote to memory of 1808  4780  7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe  142
  PID 4780 wrote to memory of 1808  4780  7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe  142
Processes (image path | command line | PID | signatures)
- C:\Users\Admin\AppData\Local\Temp\7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\7340cb5d0035c78e8f3a630ae917b39b_JaffaCakes118.exe" | PID 4780 | Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe | cmd /c "mkdir C:\PerfLog" | PID 548
  - C:\Windows\system32\cmd.exe | cmd /C "move Windown.exe C:\PerfLog\Windown.exe" | PID 732
  - C:\Windows\System32\Wbem\wmic.exe | wmic process get name,executablepath | PID 1416 | Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\findstr.exe | findstr Windown.exe | PID 2296
  - C:\Windows\system32\cmd.exe | cmd /c "start /b C:\PerfLog\Windown.exe" | PID 404
  - C:\Windows\system32\cmd.exe | cmd /C "move Windown.exe C:\PerfLog\Windown.exe" | PID 2912
  - C:\Windows\System32\Wbem\wmic.exe | wmic process get name,executablepath | PID 1592 | Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\findstr.exe | findstr Windown.exe | PID 4864
  - C:\Windows\system32\cmd.exe | cmd /c "start /b C:\PerfLog\Windown.exe" | PID 2024
  - C:\Windows\system32\cmd.exe | cmd /C "move Windown.exe C:\PerfLog\Windown.exe" | PID 3084
  - C:\Windows\System32\Wbem\wmic.exe | wmic process get name,executablepath | PID 3304
  - C:\Windows\system32\findstr.exe | findstr Windown.exe | PID 4352
  - C:\Windows\system32\cmd.exe | cmd /c "start /b C:\PerfLog\Windown.exe" | PID 3428
  - C:\Windows\system32\cmd.exe | cmd /C "move Windown.exe C:\PerfLog\Windown.exe" | PID 2908
  - C:\Windows\System32\Wbem\wmic.exe | wmic process get name,executablepath | PID 1416
  - C:\Windows\system32\findstr.exe | findstr Windown.exe | PID 3756
  - C:\Windows\system32\cmd.exe | cmd /c "start /b C:\PerfLog\Windown.exe" | PID 3908
  - C:\Windows\system32\cmd.exe | cmd /C "move Windown.exe C:\PerfLog\Windown.exe" | PID 1656
  - C:\Windows\System32\Wbem\wmic.exe | wmic process get name,executablepath | PID 2656
  - C:\Windows\system32\findstr.exe | findstr Windown.exe | PID 2724
  - C:\Windows\system32\cmd.exe | cmd /c "start /b C:\PerfLog\Windown.exe" | PID 1760
  - C:\Windows\system32\cmd.exe | cmd /C "move Windown.exe C:\PerfLog\Windown.exe" | PID 4296
  - C:\Windows\System32\Wbem\wmic.exe | wmic process get name,executablepath | PID 2868
  - C:\Windows\system32\findstr.exe | findstr Windown.exe | PID 1436
  - C:\Windows\system32\cmd.exe | cmd /c "start /b C:\PerfLog\Windown.exe" | PID 1028
  - C:\Windows\system32\cmd.exe | cmd /C "move Windown.exe C:\PerfLog\Windown.exe" | PID 3672
  - C:\Windows\System32\Wbem\wmic.exe | wmic process get name,executablepath | PID 3796
  - C:\Windows\system32\findstr.exe | findstr Windown.exe | PID 2220
  - C:\Windows\system32\cmd.exe | cmd /c "start /b C:\PerfLog\Windown.exe" | PID 1384
  - C:\Windows\system32\cmd.exe | cmd /C "move Windown.exe C:\PerfLog\Windown.exe" | PID 1140
  - C:\Windows\System32\Wbem\wmic.exe | wmic process get name,executablepath | PID 5024
  - C:\Windows\system32\findstr.exe | findstr Windown.exe | PID 1808
  - C:\Windows\system32\cmd.exe | cmd /c "start /b C:\PerfLog\Windown.exe" | PID 2752
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 342B
  MD5: 4631b80fb4d00f897aeea53fe54de1c1
  SHA1: 5d4eb7befed38d050a2b1adaa91de040a5beb9bf
  SHA256: d5e3078cb88ba53faa1d104c27054d2a8ff92665b4c02144f55489bf5c254016
  SHA512: 1f1837a080939a6ee7876a8733bf9d074748ad8b1f907f5aa6588e2a80407e77e3272528a59c788b548e393256a4d396cb9266500c785ab538d03d60f645e3dd