Analysis
- max time kernel: 135s
- max time network: 129s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17/08/2024, 12:28
Static task: static1
Behavioral task: behavioral1
- Sample: a2878091b69a865d300a707123d96a40_JaffaCakes118.exe
- Resource: win7-20240705-en
Behavioral task: behavioral2
- Sample: a2878091b69a865d300a707123d96a40_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: a2878091b69a865d300a707123d96a40_JaffaCakes118.exe
- Size: 19KB
- MD5: a2878091b69a865d300a707123d96a40
- SHA1: 660e93f30d941ebc8fdf154882f29abd91472e53
- SHA256: 68faff9c4e6c792edafd8392ea0c4a4d1f890793b3305a87a6ef0c618caa19bd
- SHA512: 9d3c374231401c549e4454cb12c718e097bb6d0049f4e0320195b681523426dc9afc5a91c9f2238aeb46aba4fdf0888b33c39f620742e1f00e466c7e5b13f564
- SSDEEP: 384:T8hKz78lvSiMjtQxCkVpnq3hUOJ7rCa/weglb22WN:Txz7gvS3QxC0pqxUO5YemxWN
Malware Config
Signatures
- Drops file in Drivers directory (2 IoCs)
  - File opened for modification: C:\Windows\SysWOW64\drivers\beep.sys (process: a2878091b69a865d300a707123d96a40_JaffaCakes118.exe)
  - File created: C:\Windows\SysWOW64\drivers\beep.sys (process: a2878091b69a865d300a707123d96a40_JaffaCakes118.exe)
- Loads dropped DLL (1 IoC)
  - PID 3956: a2878091b69a865d300a707123d96a40_JaffaCakes118.exe
- Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  - File opened for modification: \??\PhysicalDrive0 (process: a2878091b69a865d300a707123d96a40_JaffaCakes118.exe)
- Drops file in System32 directory (1 IoC)
  - File created: C:\Windows\SysWOW64\dllcache\beep.sys (process: a2878091b69a865d300a707123d96a40_JaffaCakes118.exe)
- Program crash (1 IoC)
  - PID 4948 (WerFault.exe), target PID 3956, target procid 90
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: a2878091b69a865d300a707123d96a40_JaffaCakes118.exe)
- Suspicious behavior: EnumeratesProcesses (26 IoCs)
  - PID 3956: a2878091b69a865d300a707123d96a40_JaffaCakes118.exe (26 identical entries)
- Suspicious behavior: LoadsDriver (11 IoCs)
  - PID 660: Process not Found (11 identical entries)
- Suspicious use of AdjustPrivilegeToken (12 IoCs)
  - Token: SeDebugPrivilege, PID 3956: a2878091b69a865d300a707123d96a40_JaffaCakes118.exe (12 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\a2878091b69a865d300a707123d96a40_JaffaCakes118.exe (PID 3956)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a2878091b69a865d300a707123d96a40_JaffaCakes118.exe"
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe (PID 4948), child of PID 3956
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 544
    - Program crash
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5108)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4236,i,10369132178352108590,11047993562598554317,262144 --variations-seed-version --mojo-platform-channel-handle=4100 /prefetch:8
- C:\Windows\SysWOW64\WerFault.exe (PID 3648)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3956 -ip 3956
Network
MITRE ATT&CK Enterprise v15
Downloads
- File 1
  - Filesize: 14KB
  - MD5: 2c38fa020303e72e76dee7b902fa457b
  - SHA1: eb336a580dbdd3292a70ee6128cdb40c89fe3acc
  - SHA256: eacbea5339b68f499f30452c66e1db313b9d086d41d8fc443b3ad17706701c7e
  - SHA512: d08cffd3394fd41f7dd8bb112897d58a2f48bc7fbb046d3a92b31ea96ab013e54a1a537403e498463669dbacd309cdc09224a6e0e5c07daf8d4f863d2beb2a32
- File 2
  - Filesize: 10KB
  - MD5: 47719e94a415c8df20535cf0c6f3f196
  - SHA1: 9ded7777ecbe47419a4fbc2f8a0e8f6078451c63
  - SHA256: f33be11cf95312f161bc63bbc675897f04f0a43807e9f82ef1c9c05d55b2a4f7
  - SHA512: 35c59d5276118073738fb5ea53f3325d4c00cce0e9296ec74ce25417486a7ac43f19acc30fd8cb0ffc9b1e7269091f370f6949d68563de18b1c05928b06a8670