Analysis
- max time kernel: 145s
- max time network: 141s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29/09/2024, 14:31
Static task: static1
Behavioral task: behavioral1
- Sample: feb99b74ebd5d413ee238de3478a9bd6_JaffaCakes118.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: feb99b74ebd5d413ee238de3478a9bd6_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: feb99b74ebd5d413ee238de3478a9bd6_JaffaCakes118.exe
- Size: 87KB
- MD5: feb99b74ebd5d413ee238de3478a9bd6
- SHA1: 7c8886fb640a3578bcd15040526a11436478ff8f
- SHA256: 7f859a42db4bf2767c59b7ac74f4b529834d7e6d7fdba8796618e1b7281e5e63
- SHA512: 65f0fa0bd03c3318dc8c9a047ebc24fd8fcc0d36054aa797fcfe42e707e2691350d498075c1a5940c4eaae3dfcb1e1c66997c07944ae143973e9054f148804c1
- SSDEEP: 1536:gMqbjyuQSgMgDxTi2ZfzAoswexmVEYjUd+YbWsEe2zVc89BvBjgNSc:9qGuQSgfl5b+Ojc+YWsEe2zVc89lB8NV
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid | Process
  2904 | Slave.exe
- Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\Slave.exe | feb99b74ebd5d413ee238de3478a9bd6_JaffaCakes118.exe
  File opened for modification | C:\Windows\Slave.exe | feb99b74ebd5d413ee238de3478a9bd6_JaffaCakes118.exe
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | feb99b74ebd5d413ee238de3478a9bd6_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Slave.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  4016 | feb99b74ebd5d413ee238de3478a9bd6_JaffaCakes118.exe (4 identical entries)
- Suspicious use of AdjustPrivilegeToken (10 IoCs)
  description | pid | Process
  Token: SeLockMemoryPrivilege | 4016 | feb99b74ebd5d413ee238de3478a9bd6_JaffaCakes118.exe
  Token: SeIncBasePriorityPrivilege | 4016 | feb99b74ebd5d413ee238de3478a9bd6_JaffaCakes118.exe
  Token: SeSecurityPrivilege | 4016 | feb99b74ebd5d413ee238de3478a9bd6_JaffaCakes118.exe
  Token: SeShutdownPrivilege | 4016 | feb99b74ebd5d413ee238de3478a9bd6_JaffaCakes118.exe
  Token: SeTcbPrivilege | 4016 | feb99b74ebd5d413ee238de3478a9bd6_JaffaCakes118.exe
  Token: SeLockMemoryPrivilege | 2904 | Slave.exe
  Token: SeIncBasePriorityPrivilege | 2904 | Slave.exe
  Token: SeSecurityPrivilege | 2904 | Slave.exe
  Token: SeShutdownPrivilege | 2904 | Slave.exe
  Token: SeTcbPrivilege | 2904 | Slave.exe
- Suspicious use of FindShellTrayWindow (58 IoCs)
  pid | Process
  2904 | Slave.exe (58 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\feb99b74ebd5d413ee238de3478a9bd6_JaffaCakes118.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\feb99b74ebd5d413ee238de3478a9bd6_JaffaCakes118.exe"
  PID: 4016
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\Slave.exe (depth 1)
  Command line: C:\Windows\Slave.exe
  PID: 2904
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
Both entries sit at the top level of the process tree, so the report does not show Slave.exe as a direct child of the sample; only the file-write and later execution of the same path link the two.
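The two behaviours that tie this report together are a file written into C:\Windows\ by a process running from the user's Temp directory and a later process start from that same path, plus AdjustTokenPrivileges calls for privileges an ordinary binary has no business enabling. The following is an added example of how to correlate that pattern from host telemetry; it is not part of the tria.ge report or of any tria.ge tooling. The event records are constructed to mirror the report (PIDs 4016 and 2904, C:\Windows\Slave.exe) using Sysmon-style field names (EventID 11 FileCreate, EventID 1 ProcessCreate) and are not real logs; the user-writable path prefixes and the list of sensitive privileges are the example's own heuristic choices.

```python
"""Correlate dropped-then-executed binaries and triage token privileges.

Added example modelled on this tria.ge report; event data below is constructed.
"""
from typing import Iterable

WINDOWS_DIR = "c:\\windows\\"
# Heuristic (assumption of this example): locations a standard user can write to.
# A file that is written from here into the Windows directory and later executed is
# the pattern behind "Drops file in Windows directory" + "Executes dropped EXE".
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\temp\\")

# Privileges worth a second look in an AdjustTokenPrivileges call. The descriptions
# are standard Windows token semantics, not something the report itself states.
SENSITIVE_PRIVILEGES = {
    "SeTcbPrivilege": "act as part of the operating system; not held by administrators by default",
    "SeDebugPrivilege": "open and manipulate any process",
    "SeLoadDriverPrivilege": "load kernel-mode drivers",
    "SeSecurityPrivilege": "manage auditing and the Security event log (can clear it)",
    "SeBackupPrivilege": "read any file regardless of its ACL",
    "SeRestorePrivilege": "write any file regardless of its ACL",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeImpersonatePrivilege": "impersonate clients after authentication",
    "SeAssignPrimaryTokenPrivilege": "replace a process-level token",
}

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\feb99b74ebd5d413ee238de3478a9bd6_JaffaCakes118.exe"

# Constructed Sysmon-style events in chronological order. The last two are benign
# noise (a system process writing a log; an unrelated process start) to exercise the filter.
REPORT_EVENTS = [
    {"EventID": 1, "ProcessId": 4016, "Image": SAMPLE},
    {"EventID": 11, "ProcessId": 4016, "Image": SAMPLE, "TargetFilename": r"C:\Windows\Slave.exe"},
    {"EventID": 1, "ProcessId": 2904, "Image": r"C:\Windows\Slave.exe"},
    {"EventID": 11, "ProcessId": 1040, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\Temp\setup.log"},
    {"EventID": 1, "ProcessId": 3128, "Image": r"C:\Windows\System32\notepad.exe"},
]

# The five privileges both processes adjusted according to the report.
REPORT_PRIVILEGES = ["SeLockMemoryPrivilege", "SeIncBasePriorityPrivilege",
                     "SeSecurityPrivilege", "SeShutdownPrivilege", "SeTcbPrivilege"]


def _norm(path: str) -> str:
    # Windows paths are case-insensitive; compare them lower-cased.
    return path.lower()


def find_dropped_and_executed(events: Iterable[dict]) -> list[dict]:
    """Pair a FileCreate into the Windows directory (writer running from a user-writable
    path) with a later ProcessCreate whose image is that same file."""
    dropped: dict[str, dict] = {}   # normalised target path -> the FileCreate event
    hits: list[dict] = []
    for ev in events:
        if ev["EventID"] == 11:
            target = _norm(ev["TargetFilename"])
            if target.startswith(WINDOWS_DIR) and _norm(ev["Image"]).startswith(USER_WRITABLE_PREFIXES):
                dropped[target] = ev
        elif ev["EventID"] == 1:
            writer = dropped.get(_norm(ev["Image"]))
            if writer is not None:
                hits.append({
                    "dropper_pid": writer["ProcessId"],
                    "dropper": writer["Image"],
                    "dropped": ev["Image"],
                    "exec_pid": ev["ProcessId"],
                })
    return hits


def flag_privileges(requested: Iterable[str]) -> list[tuple[str, str]]:
    """Return the requested privileges that appear in SENSITIVE_PRIVILEGES, with a reason."""
    return sorted((p, SENSITIVE_PRIVILEGES[p]) for p in set(requested) if p in SENSITIVE_PRIVILEGES)


if __name__ == "__main__":
    for hit in find_dropped_and_executed(REPORT_EVENTS):
        print(f"PID {hit['dropper_pid']} wrote {hit['dropped']}; later executed as PID {hit['exec_pid']}")
    for name, why in flag_privileges(REPORT_PRIVILEGES):
        print(f"{name}: {why}")
```

Two caveats when applying this to real telemetry: Sysmon records registry value writes but not key opens, so the NLS\Language read in the report's "System Language Discovery" signature will not appear in Sysmon data and needs object-access auditing or an EDR hook instead; and the correlation deliberately does not depend on parent/child relationships, because the report itself places Slave.exe at the top level of the tree rather than under PID 4016.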
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 87KB (same hashes as the submitted sample)
  MD5: feb99b74ebd5d413ee238de3478a9bd6
  SHA1: 7c8886fb640a3578bcd15040526a11436478ff8f
  SHA256: 7f859a42db4bf2767c59b7ac74f4b529834d7e6d7fdba8796618e1b7281e5e63
  SHA512: 65f0fa0bd03c3318dc8c9a047ebc24fd8fcc0d36054aa797fcfe42e707e2691350d498075c1a5940c4eaae3dfcb1e1c66997c07944ae143973e9054f148804c1
- Filesize: 563B
  MD5: 4189c426759265139dbb8e6f8e2b20f4
  SHA1: c5c7245e63affd191047c732a4dd12f8facbcea4
  SHA256: 9f8531abccbf26599bc9ce2e1af640058c36894a976611c8535a1bceeb80b819
  SHA512: 07f08a4b0dffc1632e9f29fd44ce911036c53f3e6c4b123ccde2f6976e99a22357f2352a69a65f5f353f741fa0a2ecbaafb2d5a5e587a3ae2cec37b4d8c01153