Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 146s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14/09/2024, 13:18
Behavioral task: behavioral1
- Sample: e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe
- Size: 124KB
- MD5: e0433cbd5cbbcc60df0a814cc75b057b
- SHA1: 03c2fc3f3d2dc855960ed55f63b356c2db6b72d2
- SHA256: 9948310d250dacd1f19d2b80510e86dd0403146b3503abd5ef294672ecb66066
- SHA512: 2b4d476a181d17f002273a3ceee20c195ef0238bd9b31d3269c7741729198f091e175abe141f505109f7713deb9f6624e1ad4823c8eebea4fdf1782009f63172
- SSDEEP: 1536:qFDLNGB0Quqle7WJAjwcY7LtKnBDka58g0ApRHSIWXvpNQa9lq5cbrRIJx7w7hyg:qNL7nwxiO7LtKBQ2bjWXxr9EUrfCQJX
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\"" | e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\"" | lsass.exe
- Modifies Windows Firewall (2 TTPs, 1 IoC)
  pid | Process
  3156 | netsh.exe
- Deletes itself (1 IoC)
  pid | Process
  1048 | lsass.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  2088 | lsass.exe
  1048 | lsass.exe
- yara_rule: upx (5 IoCs)
  resource | yara_rule
  behavioral2/memory/2120-0-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral2/memory/2120-4-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral2/files/0x000b00000002347e-25.dat | upx
  behavioral2/memory/2088-27-0x0000000000400000-0x000000000042A000-memory.dmp | upx
  behavioral2/memory/2088-36-0x0000000000400000-0x000000000042A000-memory.dmp | upx
- Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\"" | e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\"" | e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\"" | lsass.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\"" | lsass.exe
- Suspicious use of SetThreadContext (2 IoCs)
  description | pid | Process | procid_target
  PID 2120 set thread context of 4548 | 2120 | e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe | 83
  PID 2088 set thread context of 1048 | 2088 | lsass.exe | 91
- Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
  Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
  Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
- System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | lsass.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | lsass.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  4548 | e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe
  1048 | lsass.exe
- Suspicious use of WriteProcessMemory (22 IoCs; identical rows grouped with a count)
  description | pid | Process | procid_target | count
  PID 2120 wrote to memory of 4548 | 2120 | e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe | 83 | 8
  PID 4548 wrote to memory of 3156 | 4548 | e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe | 88 | 3
  PID 4548 wrote to memory of 2088 | 4548 | e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe | 89 | 3
  PID 2088 wrote to memory of 1048 | 2088 | lsass.exe | 91 | 8
Processes
- C:\Users\Admin\AppData\Local\Temp\e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe"
  PID: 2120
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe
    PID: 4548
    - Modifies WinLogon for persistence
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (depth 3)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\lsass.exe" CityScape Enable
      PID: 3156
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Roaming\lsass.exe (depth 3)
      Command line: /d C:\Users\Admin\AppData\Local\Temp\e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe
      PID: 2088
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\lsass.exe (depth 4)
        Command line: C:\Users\Admin\AppData\Roaming\lsass.exe /d C:\Users\Admin\AppData\Local\Temp\e0433cbd5cbbcc60df0a814cc75b057b_JaffaCakes118.exe
        PID: 1048
        - Modifies WinLogon for persistence
        - Deletes itself
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
  - Event Triggered Execution (1)
    - Netsh Helper DLL (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
  - Event Triggered Execution (1)
    - Netsh Helper DLL (1)
Downloads
- Filesize: 124KB
  MD5: f3d079d079bc923c8c52c15c97defc01
  SHA1: 2905e5e990ca4444a6295f2567f3453bd240afd4
  SHA256: a2ce3376897db911d68986bdb5540d634bbf0a812e0ade2881076687674374fc
  SHA512: cf244e3f43bfb7f8d25edcc478e1f8943c97acbbcf463e2543bd5c91fb735c74a5859212b758a876147bdd87143b280fd10e6d05d7e6d892fac4c3722bdab8fb