Analysis
max time kernel: 150s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/04/2024, 12:17
Static task: static1
Behavioral task: behavioral1
  Sample: e2862b0db8086616363beadf905badfd_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: e2862b0db8086616363beadf905badfd_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: e2862b0db8086616363beadf905badfd_JaffaCakes118.exe
Size: 3.7MB
MD5: e2862b0db8086616363beadf905badfd
SHA1: a910facfc39fa958d4dbb4650f0f29a8c5dfaea6
SHA256: d20d4cfb2fde3e167446bc00b801c0c3a60ec9f9e8302c97ccc7b213e2430be3
SHA512: 345980afe2839eb66f78b0f00fbf0e12872548d7496ef3e515387da15a2e9f81aec5adcc302f0f7794d9f8c0697f6fa84b0c236bcdf4f1fff59ae0fe49c8352e
SSDEEP: 49152:qdPLfUMRe2fP5GAFya0MUkZP8xmN3Aek03noj45wlDTauKdGuEx8bCwLLH7J8:V2fP5GAAaukFeUJF3noxDOTGL0BD
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"
  Process: e2862b0db8086616363beadf905badfd_JaffaCakes118.exe
- Drops autorun.inf file (1 TTP, 1 IoC)
  Malware can abuse Windows Autorun to spread further via attached volumes.
  description: File opened for modification
  ioc: C:\Users\Admin\AppData\Local\Temp\:\autorun.inf
  Process: e2862b0db8086616363beadf905badfd_JaffaCakes118.exe
- Drops file in Program Files directory (64 IoCs)
- NTFS ADS (1 IoC)
  description: File opened for modification
  ioc: C:\Users\Admin\AppData\Local\Temp\:\autorun.inf
  Process: e2862b0db8086616363beadf905badfd_JaffaCakes118.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid: 3152
  Process: e2862b0db8086616363beadf905badfd_JaffaCakes118.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\e2862b0db8086616363beadf905badfd_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e2862b0db8086616363beadf905badfd_JaffaCakes118.exe"
  PID: 3152
  Signatures:
  - Adds Run key to start application
  - Drops autorun.inf file
  - Drops file in Program Files directory
  - NTFS ADS
  - Suspicious use of SetWindowsHookEx
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5336 --field-trial-handle=2272,i,11831746627654527593,10138103687018060346,262144 --variations-seed-version /prefetch:8
  PID: 4624
Network
MITRE ATT&CK Enterprise v15