Analysis
- max time kernel: 92s
- max time network: 108s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19/09/2024, 16:56
Static task: static1
Behavioral task: behavioral1
- Sample: ebc9244e86cc5318d09bf062c67084c2_JaffaCakes118.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: ebc9244e86cc5318d09bf062c67084c2_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: ebc9244e86cc5318d09bf062c67084c2_JaffaCakes118.exe
- Size: 361KB
- MD5: ebc9244e86cc5318d09bf062c67084c2
- SHA1: 43cc09cd651af0d0ca4635385dfb4b796085cbda
- SHA256: e39833957b0f9e99d6d2a4c6ce4c28c63f6b083fb5fdded4da7dd3f8eb1c7846
- SHA512: afdf45dffb3ec3e18d9a9ce3368db16d9594afa8eaad90d7fd64ed90144331ec8021be4b72349f3d35ed76d1bb14dd81b30a8fc3c9abb1334da79bafb63ed9df
- SSDEEP: 6144:QGs4XwY/HPJ6xzJ44nDWgRAkPUfGQn8xID0DMF+soQWqFqEYXqZwGPmf34fuDpbb:U4XF/H0dJR3PUfGLxe0Dlsfxq5XH3ygb
Malware Config
Signatures
- Server Software Component: Terminal Services DLL (1 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\BITS\Parameters\ServiceDll = "C:\\Windows\\system32\\bits.dll"
  Process: server.exe
- Executes dropped EXE (1 IoCs)
  pid: 4456
  Process: server.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  Process: ebc9244e86cc5318d09bf062c67084c2_JaffaCakes118.exe
- Drops file in System32 directory (2 IoCs)
  description: File created
  ioc: C:\Windows\SysWOW64\bits.dll
  Process: server.exe
  description: File opened for modification
  ioc: C:\Windows\SysWOW64\bits.dll
  Process: server.exe
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: ebc9244e86cc5318d09bf062c67084c2_JaffaCakes118.exe
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: server.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 812 wrote to memory of 4456
  pid: 812
  Process: ebc9244e86cc5318d09bf062c67084c2_JaffaCakes118.exe
  procid_target: 82
  description: PID 812 wrote to memory of 4456
  pid: 812
  Process: ebc9244e86cc5318d09bf062c67084c2_JaffaCakes118.exe
  procid_target: 82
  description: PID 812 wrote to memory of 4456
  pid: 812
  Process: ebc9244e86cc5318d09bf062c67084c2_JaffaCakes118.exe
  procid_target: 82
Processes
- C:\Users\Admin\AppData\Local\Temp\ebc9244e86cc5318d09bf062c67084c2_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\ebc9244e86cc5318d09bf062c67084c2_JaffaCakes118.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 812
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe (child of PID 812)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
    - Server Software Component: Terminal Services DLL
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID: 4456
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 112KB
  MD5: 59efb24abe53baf9a725be4c73b368c3
  SHA1: e06fbac39bd52606666eef5aac2bd9a7e4247e5e
  SHA256: e3f9c3131045da00a6b53cbc183e32b755f2a1c0ad8ac5e30299a17ee734a1e1
  SHA512: f17222696c8d6b67a94427637ddaf4927c32c7adc017e73ad5ac7b6760114a65cadca31b469b0bd213208e38e2504e2faaefc148754c7578cbbfc6824373c490
- Filesize: 87KB
  MD5: e8b8836b71d6b542b06e016dc8b88e2d
  SHA1: 5ba23e4dbf17b0440474df801fa46d513f263741
  SHA256: f5ddaca68aaae1bf8a3753cb12785e19a2aba9fcb17b166a66f00a0e3995fd34
  SHA512: 6a37f5d14c87b204d5041d86ae19046124f47ddd2b4a15e6bb4c74e9f1cbe5f4c53fc18e3c0118484197b81c705ddf4bc41be6edf813b37909627ad952857f5e