Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/04/2024, 13:47

General

  • Target

    d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe

  • Size

    232KB

  • MD5

    d5671add722cdca65ce15f29600eec47

  • SHA1

    bc417c926569205a12204446b966d72ca199e73c

  • SHA256

    df112e32296232cbbee9e0da6b4d40659604b654de9f65500c97a7576c0a0060

  • SHA512

    78be8ed94fd2e18280a9f8fa43b85569f98548901b7f924f9b49e72576b9cfbf4a34b8c74124381615549f940e2ac9f36f969cb142c8c9475dd665e42aecff65

  • SSDEEP

    3072:h7//9yazxLySP4/LN/PCeSuwz2b4g3+40cLxucVyQU7g7a7/gt9+JzCTL8BbRSCc:hM3SPsZ/Pe2b/3EcLxuHF0mU9vA

Score
8/10
upx

Malware Config

Signatures

  • Drops file in Drivers directory 3 IoCs
  • Manipulates Digital Signatures 1 IoCs

    Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Windows directory 22 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe"
    1⤵
    • Drops file in Drivers directory
    • Manipulates Digital Signatures
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:3292
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.freeav.com/
      2⤵
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:5068
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcfe0946f8,0x7ffcfe094708,0x7ffcfe094718
        3⤵
          PID:3196
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,7831899035857370423,112283535968569017,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
          3⤵
            PID:4404
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,7831899035857370423,112283535968569017,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:4576
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,7831899035857370423,112283535968569017,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
            3⤵
              PID:3224
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7831899035857370423,112283535968569017,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
              3⤵
                PID:1968
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7831899035857370423,112283535968569017,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
                3⤵
                  PID:2248
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7831899035857370423,112283535968569017,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
                  3⤵
                    PID:3552
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2136,7831899035857370423,112283535968569017,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3944 /prefetch:8
                    3⤵
                      PID:1556
                    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,7831899035857370423,112283535968569017,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5624 /prefetch:8
                      3⤵
                        PID:1676
                      • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,7831899035857370423,112283535968569017,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5624 /prefetch:8
                        3⤵
                        • Suspicious behavior: EnumeratesProcesses
                        PID:2936
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7831899035857370423,112283535968569017,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
                        3⤵
                          PID:3092
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7831899035857370423,112283535968569017,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4152 /prefetch:1
                          3⤵
                            PID:2684
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7831899035857370423,112283535968569017,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
                            3⤵
                              PID:2292
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7831899035857370423,112283535968569017,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
                              3⤵
                                PID:4408
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7831899035857370423,112283535968569017,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=212 /prefetch:1
                                3⤵
                                  PID:4144
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7831899035857370423,112283535968569017,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
                                  3⤵
                                    PID:4292
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7831899035857370423,112283535968569017,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4144 /prefetch:1
                                    3⤵
                                      PID:5056
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7831899035857370423,112283535968569017,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6108 /prefetch:1
                                      3⤵
                                        PID:3508
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.antispyware.com/
                                      2⤵
                                        PID:4244
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcfe0946f8,0x7ffcfe094708,0x7ffcfe094718
                                          3⤵
                                            PID:3252
                                      • C:\Windows\System32\CompPkgSrv.exe
                                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                                        1⤵
                                          PID:2680
                                        • C:\Windows\System32\CompPkgSrv.exe
                                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                                          1⤵
                                            PID:4612
                                          • C:\Windows\system32\AUDIODG.EXE
                                            C:\Windows\system32\AUDIODG.EXE 0x2f8 0x3d8
                                            1⤵
                                              PID:4268

                                            Network

                                            MITRE ATT&CK Enterprise v15

                                            Replay Monitor

                                            Loading Replay Monitor...

                                            Downloads

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                              Filesize

                                              152B

                                              MD5

                                              1e3dc6a82a2cb341f7c9feeaf53f466f

                                              SHA1

                                              915decb72e1f86e14114f14ac9bfd9ba198fdfce

                                              SHA256

                                              a56135007f4dadf6606bc237cb75ff5ff77326ba093dff30d6881ce9a04a114c

                                              SHA512

                                              0a5223e8cecce77613b1c02535c79b3795e5ad89fc0a934e9795e488712e02b527413109ad1f94bbd4eb35dd07b86dd6e9f4b57d4d7c8a0a57ec3f7f76c7890a

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                              Filesize

                                              152B

                                              MD5

                                              36bb45cb1262fcfcab1e3e7960784eaa

                                              SHA1

                                              ab0e15841b027632c9e1b0a47d3dec42162fc637

                                              SHA256

                                              7c6b0de6f9b4c3ca1f5d6af23c3380f849825af00b58420b76c72b62cfae44ae

                                              SHA512

                                              02c54c919f8cf3fc28f5f965fe1755955636d7d89b5f0504a02fcd9d94de8c50e046c7c2d6cf349fabde03b0fbbcc61df6e9968f2af237106bf7edd697e07456

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                              Filesize

                                              336B

                                              MD5

                                              a2bb060ead2c86daf186d283edf951dc

                                              SHA1

                                              074e76eb8690e48388eabd18501d5efcbb7b2295

                                              SHA256

                                              302931d3cbc458090c5715bc4f7b130fe9488c29f100f7630288903159342b4b

                                              SHA512

                                              af6722ff18f04020a405e56745a1ef1cf543898eac13ecccdb9f02c1eedaedc9193051f0054ae6200b794a4fd39f008afb41f2ffc086482926ac04549fc83132

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                              Filesize

                                              1KB

                                              MD5

                                              1a3aada8fb1135fe3ea0adb0bc3584fc

                                              SHA1

                                              fba5a74bf6b488897a218d23b2671b14d31f24f0

                                              SHA256

                                              e850afa6cdad65d0e2b447eb9ee5dc3243fc6759fd62894144c2ab50221869d8

                                              SHA512

                                              e7e09d587e402f86eefc9c2581fa524586d03e2f9c02bfde46ca72046011960982fb4fd6c33af6dc55b0f1accc21266b969617171f8396675226802419a7407b

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                              Filesize

                                              6KB

                                              MD5

                                              b7459f0e8f4556e18628358b6b450f2c

                                              SHA1

                                              0bc9dceea486b007a0b3849a0fd8442e9d900552

                                              SHA256

                                              1564d26ab271b5f89b0b4f2560a50927c980e4e1d3a1548d0b5d004c61b1f8de

                                              SHA512

                                              6899cf6267cdb14b988c28ab8c5a8f88ca2c92252bd767ed89ef3104d5e63111d338259a2c23fc9d91390c75005185c957663cf8342f13e4a5bd9391d6036427

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                              Filesize

                                              6KB

                                              MD5

                                              8c1aecc70555a24b0a7f1ec90f757415

                                              SHA1

                                              9f0fd97c80cf6d27571a53aaec8d80c00ffe1390

                                              SHA256

                                              c51e4112a82cb42013a0c88336705a449da34a5f326548c7d54f52719b14ce00

                                              SHA512

                                              73d400c873c1f761cfd5a8539b3296b41660cc572d9bc57af9869c6a9c9bfef33a5a108f991843733f4e3aa0cf27150f81f23fbe00150a78cd0c75d1cade7fa3

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                              Filesize

                                              6KB

                                              MD5

                                              e09574231d684cfd2ff32ea312e3d123

                                              SHA1

                                              d643395bb1feac96d1e6ff531b6d26fb0a15dac3

                                              SHA256

                                              6dd9169612d94c5995d87e0717e19be56f0a0e42b26437b8081d1c30c8e016d6

                                              SHA512

                                              cfa7c6953a473d0a44d121515011922e657993eedd8bdff097c3b01e61ec5c3e1c3919ec629756b9695767bb6560517235f40e3185410426441d0914e9a0aaf9

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                              Filesize

                                              16B

                                              MD5

                                              6752a1d65b201c13b62ea44016eb221f

                                              SHA1

                                              58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                              SHA256

                                              0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                              SHA512

                                              9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                              Filesize

                                              11KB

                                              MD5

                                              e521f54ac1c22c2bd8c28067c2442650

                                              SHA1

                                              5ffb4fc6b9a11f90d1ab46a0b3231ccc18fd5918

                                              SHA256

                                              a50b5d58fc6ec5d79171eacaee1e219fa3ffc473913fb58a07633cf636592409

                                              SHA512

                                              ecd56a169dd9f2252a370bb9c2be740eafbb582605a0e65e9b199cd6994460ede4555df86a6541b7cf9bc6c6356bbb67884b9c106bccd01bdb5bb7ddb57e6e36

                                            • C:\Windows\setupact.log

                                              Filesize

                                              28KB

                                              MD5

                                              e220119657526d523f076fbdf3a549e3

                                              SHA1

                                              e6054638fe14818105d6cb6abddf43e33b83aba3

                                              SHA256

                                              6fc4890e1420179175cbdf0c6b16efe1eee5fb30d872500324f4a026abf2336a

                                              SHA512

                                              e5417081b3edaa51eae9f0d8e41345b760392a4e0d4a55e791435f0e0f74a9a48b195f864b89d68b26ca1fd38ef7658805f91a2018ac21521a475ed4a64b7301

                                            • C:\exc.exe

                                              Filesize

                                              204KB

                                              MD5

                                              568db59e343347b08312bf077fbd6cea

                                              SHA1

                                              6eb77e29fe2bd40a95b4a240d0b5aa785923a3df

                                              SHA256

                                              53d5e6c5e1af54323ab728d46d0ef47d378c0bc812ca4f2a1c5d8375eda24d03

                                              SHA512

                                              8bc9468b1cdb923317ee67da251530b108686d6dd1399826772f6c2e3e48a3ca502a7d5104cbb7aa004d37d14b20bd0c6ccb16fe8e6b2a364411ccc6fd5a3de4

                                            • memory/3292-591-0x0000000000400000-0x000000000040A000-memory.dmp

                                              Filesize

                                              40KB

                                            • memory/3292-0-0x0000000000400000-0x000000000040A000-memory.dmp

                                              Filesize

                                              40KB

                                            • memory/3292-111-0x0000000000400000-0x000000000040A000-memory.dmp

                                              Filesize

                                              40KB

                                            • memory/3292-97-0x0000000000400000-0x000000000040A000-memory.dmp

                                              Filesize

                                              40KB

                                            • memory/3292-1035-0x0000000000400000-0x000000000040A000-memory.dmp

                                              Filesize

                                              40KB

                                            • memory/3292-23-0x0000000000400000-0x000000000040A000-memory.dmp

                                              Filesize

                                              40KB

                                            • memory/3292-9-0x0000000000400000-0x000000000040A000-memory.dmp

                                              Filesize

                                              40KB