Analysis
- max time kernel: 141s
- max time network: 127s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13/10/2024, 21:23
Static task: static1
Behavioral task: behavioral1
- Sample: 422511d31784711ac906260eb82466aa_JaffaCakes118.exe
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: 422511d31784711ac906260eb82466aa_JaffaCakes118.exe
- Resource: win10v2004-20241007-en
General
- Target: 422511d31784711ac906260eb82466aa_JaffaCakes118.exe
- Size: 330KB
- MD5: 422511d31784711ac906260eb82466aa
- SHA1: 7e532e67c04c5d1abd64f7d56a55c61e301dac55
- SHA256: 0aaaacba440e3b7238cd8a6e139e77566e9f6c801291b7bfb92cd2aab87abbd8
- SHA512: 01ab8120e539e9d01ea6c5acb63f1cdd849a9b086eae470f21e940923e3832b0bd60072b74e36211e182a0e2a887656cff01294cc449a525527bc375cbe3a51e
- SSDEEP: 6144:VBEN8cPuxcV4xohBKas3Rb9ixTuQp4vmk/hXtvg+yi9FLQjb2Z:VBExPu642shbUxlp+jRtvWi9NmaZ
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 4252, process Hacker.com.cn.exe
- Drops file in Windows directory (3 IoCs)
  File created: C:\Windows\Hacker.com.cn.exe (process 422511d31784711ac906260eb82466aa_JaffaCakes118.exe)
  File opened for modification: C:\Windows\Hacker.com.cn.exe (process 422511d31784711ac906260eb82466aa_JaffaCakes118.exe)
  File created: C:\Windows\uninstal.bat (process 422511d31784711ac906260eb82466aa_JaffaCakes118.exe)
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process 422511d31784711ac906260eb82466aa_JaffaCakes118.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process Hacker.com.cn.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process cmd.exe)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 2272, process 422511d31784711ac906260eb82466aa_JaffaCakes118.exe
  Token: SeDebugPrivilege, pid 4252, process Hacker.com.cn.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid 4252, process Hacker.com.cn.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  PID 4252 wrote to memory of 3856 (process Hacker.com.cn.exe, procid_target 87)
  PID 4252 wrote to memory of 3856 (process Hacker.com.cn.exe, procid_target 87)
  PID 2272 wrote to memory of 4296 (process 422511d31784711ac906260eb82466aa_JaffaCakes118.exe, procid_target 88)
  PID 2272 wrote to memory of 4296 (process 422511d31784711ac906260eb82466aa_JaffaCakes118.exe, procid_target 88)
  PID 2272 wrote to memory of 4296 (process 422511d31784711ac906260eb82466aa_JaffaCakes118.exe, procid_target 88)
Processes
- C:\Users\Admin\AppData\Local\Temp\422511d31784711ac906260eb82466aa_JaffaCakes118.exe (PID 2272)
  Command line: "C:\Users\Admin\AppData\Local\Temp\422511d31784711ac906260eb82466aa_JaffaCakes118.exe"
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SysWOW64\cmd.exe (PID 4296)
    Command line: C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
    - System Location Discovery: System Language Discovery
- C:\Windows\Hacker.com.cn.exe (PID 4252)
  Command line: C:\Windows\Hacker.com.cn.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - Child: C:\Program Files\Internet Explorer\IEXPLORE.EXE (PID 3856)
    Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 330KB
  MD5: 422511d31784711ac906260eb82466aa
  SHA1: 7e532e67c04c5d1abd64f7d56a55c61e301dac55
  SHA256: 0aaaacba440e3b7238cd8a6e139e77566e9f6c801291b7bfb92cd2aab87abbd8
  SHA512: 01ab8120e539e9d01ea6c5acb63f1cdd849a9b086eae470f21e940923e3832b0bd60072b74e36211e182a0e2a887656cff01294cc449a525527bc375cbe3a51e
- Filesize: 218B
  MD5: a3f4f78a20fd78f95fa16e29e3051a33
  SHA1: 0a88f61e47cb23569e757a6ea71c4a2b673a8a8b
  SHA256: 2a13dc6cc63d6fc4504f03689d80c765d69ef6fa64f6d4fea9946974729b10cc
  SHA512: 9a8e5a4c266c08c81e7e15afcfbf05e313a65528624630fe786c315dedf3906e2d9db616299fe706f3e0e3c6ac604d770caffa919169696138091aea8deb4989