Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 149s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20240704-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26/07/2024, 16:05
Static task: static1
Behavioral task: behavioral1
  Sample: 74c024955091e32b0010ec26aa99e8c1_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 74c024955091e32b0010ec26aa99e8c1_JaffaCakes118.exe
  Resource: win10v2004-20240704-en
General
- Target: 74c024955091e32b0010ec26aa99e8c1_JaffaCakes118.exe
- Size: 269KB
- MD5: 74c024955091e32b0010ec26aa99e8c1
- SHA1: f41200e2c925ae9db14116af91513f04beb8059a
- SHA256: ecdb61cc66e07ccb661f6b8036f9d7094efae75eb6f107476821046dbb1e8d43
- SHA512: 0e5d50ceb1533a5320052a5b3808e586f74214c96a0a73e0a453672744caa5a587218cd61ec2b3bd17ea4b3792a22fda5e00a684dc1f27819064188cc83f529f
- SSDEEP: 6144:6IskMjgJENFzmFIhwmjxL1+vo5R30w0RqXsC8pKY2qsdX:6IsnnxCmPTpXTXszpKY2N9
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid   Process
  4428  shark.exe
- Drops file in System32 directory (3 IoCs)
  description                   ioc                            Process
  File created                  C:\Windows\SysWOW64\shark.exe  74c024955091e32b0010ec26aa99e8c1_JaffaCakes118.exe
  File opened for modification  C:\Windows\SysWOW64\shark.exe  74c024955091e32b0010ec26aa99e8c1_JaffaCakes118.exe
  File opened for modification  C:\Windows\SysWOW64\shark.exe  shark.exe
- Drops file in Windows directory (1 IoC)
  description   ioc                       Process
  File created  C:\Windows\UNINSTAL.BAT  74c024955091e32b0010ec26aa99e8c1_JaffaCakes118.exe
- Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  1944  4960        WerFault.exe  82
- System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  74c024955091e32b0010ec26aa99e8c1_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  shark.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
- System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 2 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  pid   Process
  4092  cmd.exe
  4328  cmd.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  4960  74c024955091e32b0010ec26aa99e8c1_JaffaCakes118.exe
  Token: SeDebugPrivilege  4428  shark.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description                       pid   Process                                             procid_target
  PID 4960 wrote to memory of 4092  4960  74c024955091e32b0010ec26aa99e8c1_JaffaCakes118.exe  83
  PID 4960 wrote to memory of 4092  4960  74c024955091e32b0010ec26aa99e8c1_JaffaCakes118.exe  83
  PID 4960 wrote to memory of 4092  4960  74c024955091e32b0010ec26aa99e8c1_JaffaCakes118.exe  83
  PID 4428 wrote to memory of 4328  4428  shark.exe                                           90
  PID 4428 wrote to memory of 4328  4428  shark.exe                                           90
  PID 4428 wrote to memory of 4328  4428  shark.exe                                           90
  PID 4960 wrote to memory of 640   4960  74c024955091e32b0010ec26aa99e8c1_JaffaCakes118.exe  99
  PID 4960 wrote to memory of 640   4960  74c024955091e32b0010ec26aa99e8c1_JaffaCakes118.exe  99
  PID 4960 wrote to memory of 640   4960  74c024955091e32b0010ec26aa99e8c1_JaffaCakes118.exe  99
Processes
- C:\Users\Admin\AppData\Local\Temp\74c024955091e32b0010ec26aa99e8c1_JaffaCakes118.exe (PID 4960)
  Command line: "C:\Users\Admin\AppData\Local\Temp\74c024955091e32b0010ec26aa99e8c1_JaffaCakes118.exe"
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\cmd.exe (PID 4092)
    Command line: cmd /c set date=%date% &&date 1987-1-1 &&ping 127.0.0.1&&ping 127.0.0.1&&ping 127.0.0.1&&ping 127.0.0.1&&date %date%
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
  - C:\Windows\SysWOW64\WerFault.exe (PID 1944)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 696
    - Program crash
  - C:\Windows\SysWOW64\cmd.exe (PID 640)
    Command line: C:\Windows\system32\cmd.exe /c C:\Windows\UNINSTAL.BAT
    - System Location Discovery: System Language Discovery
- C:\Windows\SysWOW64\shark.exe (PID 4428)
  Command line: C:\Windows\SysWOW64\shark.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\cmd.exe (PID 4328)
    Command line: cmd /c set date=%date% &&date 1987-1-1 &&ping 127.0.0.1&&ping 127.0.0.1&&ping 127.0.0.1&&ping 127.0.0.1&&date %date%
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
- C:\Windows\SysWOW64\WerFault.exe (PID 2396)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4960 -ip 4960
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 269KB
  MD5: 74c024955091e32b0010ec26aa99e8c1
  SHA1: f41200e2c925ae9db14116af91513f04beb8059a
  SHA256: ecdb61cc66e07ccb661f6b8036f9d7094efae75eb6f107476821046dbb1e8d43
  SHA512: 0e5d50ceb1533a5320052a5b3808e586f74214c96a0a73e0a453672744caa5a587218cd61ec2b3bd17ea4b3792a22fda5e00a684dc1f27819064188cc83f529f
- Filesize: 214B
  MD5: ca5247dd049a20608f14395aad087a4e
  SHA1: 3b2acecdeeb9132b44a5afd720fc11580fa0fb0e
  SHA256: 189b685a7d6c2fa3f553641092543f5a43c047cf12489232b3a4f599ecc67187
  SHA512: 11f81f43f2bfb50e2c8579b750abd2a1a8e46db3f9a93c79aacdf724fa2c058bcbdf61039e67f41ffbcb6fccc1bfcfdffff89f3aa95ded6ab06d1a95518d697a