Analysis
- max time kernel: 147s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/04/2024, 14:41
Static task: static1
Behavioral task: behavioral1
- Sample: e2c3b7f7c00a530129b4a6ca45c121f6_JaffaCakes118.exe
- Resource: win7-20240215-en
Behavioral task: behavioral2
- Sample: e2c3b7f7c00a530129b4a6ca45c121f6_JaffaCakes118.exe
- Resource: win10v2004-20240226-en
General
- Target: e2c3b7f7c00a530129b4a6ca45c121f6_JaffaCakes118.exe
- Size: 48KB
- MD5: e2c3b7f7c00a530129b4a6ca45c121f6
- SHA1: 298e23a73a15a70826d11eb0842e4b0729c0e5a3
- SHA256: b794d301da1dd4bcec3ea2911e9ccaffc96dce8e6ba3b279dd96dcfb4b622034
- SHA512: 29592741c1ac3e48d20db04ed34b282289d734c647e382e11fdd41d96ca4bdf060829327337c40db9972f4ac3c822567ea875cf997a8a5dae00c85735cf265e7
- SSDEEP: 768:/4OZ8qZjU9RLtUPmCEgfWrGyaQ6sQr+8hqOrlLLRhC6SwuWrwt:/4OZ8qZjU/L+zjfW9T7Qi0/RYDwult
Malware Config
Signatures
- Modifies firewall policy service (2 TTPs, 4 IoCs)
  description / ioc / Process:
  - Key created / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile / winlogon.exe
  - Key created / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications / winlogon.exe
  - Set value (str) / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\Windows Live Guards = "C:\\Program Files (x86)\\winlogon.exe" / winlogon.exe
  - Key created / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List / winlogon.exe
- Drops file in Drivers directory (1 IoC)
  description / ioc / Process:
  - File opened for modification / C:\Windows\System32\drivers\etc\hosts / e2c3b7f7c00a530129b4a6ca45c121f6_JaffaCakes118.exe
- Executes dropped EXE (3 IoCs)
  pid / Process:
  - 4484 / winlogon.exe
  - 3284 / winlogon.exe
  - 4728 / winlogon.exe
- Loads dropped DLL (2 IoCs)
  pid / Process:
  - 3548 / e2c3b7f7c00a530129b4a6ca45c121f6_JaffaCakes118.exe
  - 4484 / winlogon.exe
- YARA rule matches on memory dumps (18 IoCs)
  resource / yara_rule:
  - behavioral2/memory/4368-22-0x0000000000400000-0x0000000000412000-memory.dmp / upx
  - behavioral2/memory/4368-25-0x0000000000400000-0x0000000000412000-memory.dmp / upx
  - behavioral2/memory/4368-26-0x0000000000400000-0x0000000000412000-memory.dmp / upx
  - behavioral2/memory/4368-27-0x0000000000400000-0x0000000000412000-memory.dmp / upx
  - behavioral2/memory/4728-77-0x0000000000400000-0x0000000000412000-memory.dmp / upx
  - behavioral2/memory/4728-78-0x0000000000400000-0x0000000000412000-memory.dmp / upx
  - behavioral2/memory/4728-79-0x0000000000400000-0x0000000000412000-memory.dmp / upx
  - behavioral2/memory/4728-80-0x0000000000400000-0x0000000000412000-memory.dmp / upx
  - behavioral2/memory/4728-81-0x0000000000400000-0x0000000000412000-memory.dmp / upx
  - behavioral2/memory/4728-82-0x0000000000400000-0x0000000000412000-memory.dmp / upx
  - behavioral2/memory/4728-83-0x0000000000400000-0x0000000000412000-memory.dmp / upx
  - behavioral2/memory/4728-84-0x0000000000400000-0x0000000000412000-memory.dmp / upx
  - behavioral2/memory/4728-85-0x0000000000400000-0x0000000000412000-memory.dmp / upx
  - behavioral2/memory/4728-86-0x0000000000400000-0x0000000000412000-memory.dmp / upx
  - behavioral2/memory/4728-87-0x0000000000400000-0x0000000000412000-memory.dmp / upx
  - behavioral2/memory/4728-88-0x0000000000400000-0x0000000000412000-memory.dmp / upx
  - behavioral2/memory/4728-89-0x0000000000400000-0x0000000000412000-memory.dmp / upx
  - behavioral2/memory/4728-90-0x0000000000400000-0x0000000000412000-memory.dmp / upx
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description / ioc / Process:
  - Set value (str) / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Live Guards = "C:\\Program Files (x86)\\winlogon.exe" / winlogon.exe
  - Set value (str) / \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Live Guards = "C:\\Program Files (x86)\\winlogon.exe" / winlogon.exe
- Suspicious use of SetThreadContext (4 IoCs)
  description / pid / Process / procid_target:
  - PID 3548 set thread context of 2520 / 3548 / e2c3b7f7c00a530129b4a6ca45c121f6_JaffaCakes118.exe / 91
  - PID 2520 set thread context of 4368 / 2520 / e2c3b7f7c00a530129b4a6ca45c121f6_JaffaCakes118.exe / 93
  - PID 4484 set thread context of 3284 / 4484 / winlogon.exe / 99
  - PID 3284 set thread context of 4728 / 3284 / winlogon.exe / 101
- Drops file in Program Files directory (10 IoCs)
  description / ioc / Process:
  - File created / C:\Program Files\ICQ\Shared Files\ / winlogon.exe
  - File created / C:\Program Files\Grokster\My Grokster\ / winlogon.exe
  - File opened for modification / C:\Program Files (x86)\winlogon.exe / e2c3b7f7c00a530129b4a6ca45c121f6_JaffaCakes118.exe
  - File opened for modification / C:\Program Files (x86)\winlogon.exe / winlogon.exe
  - File created / C:\Program Files\Morpheus\My Shared Folder\ / winlogon.exe
  - File created / C:\Program Files\BearShare\Shared\ / winlogon.exe
  - File created / C:\Program Files (x86)\winlogon.exe / e2c3b7f7c00a530129b4a6ca45c121f6_JaffaCakes118.exe
  - File created / C:\Program Files\LimeWire\Shared / winlogon.exe
  - File created / C:\Program Files\eDonkey2000\incoming / winlogon.exe
  - File created / C:\Program Files\KAZAA / winlogon.exe
- Program crash (2 IoCs)
  pid / pid_target / Process / procid_target:
  - 4932 / 2520 / WerFault.exe / 91
  - 3472 / 3284 / WerFault.exe / 99
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid / Process:
  - 4368 / e2c3b7f7c00a530129b4a6ca45c121f6_JaffaCakes118.exe (4 entries)
  - 4728 / winlogon.exe (4 entries)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid / Process:
  - 3548 / e2c3b7f7c00a530129b4a6ca45c121f6_JaffaCakes118.exe
  - 4484 / winlogon.exe
- Suspicious use of WriteProcessMemory (33 IoCs)
  description / pid / Process / procid_target:
  - PID 3548 wrote to memory of 2520 / 3548 / e2c3b7f7c00a530129b4a6ca45c121f6_JaffaCakes118.exe / 91 (7 entries)
  - PID 2520 wrote to memory of 4368 / 2520 / e2c3b7f7c00a530129b4a6ca45c121f6_JaffaCakes118.exe / 93 (8 entries)
  - PID 4368 wrote to memory of 4484 / 4368 / e2c3b7f7c00a530129b4a6ca45c121f6_JaffaCakes118.exe / 98 (3 entries)
  - PID 4484 wrote to memory of 3284 / 4484 / winlogon.exe / 99 (7 entries)
  - PID 3284 wrote to memory of 4728 / 3284 / winlogon.exe / 101 (8 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\e2c3b7f7c00a530129b4a6ca45c121f6_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e2c3b7f7c00a530129b4a6ca45c121f6_JaffaCakes118.exe"
  PID: 3548
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\e2c3b7f7c00a530129b4a6ca45c121f6_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\e2c3b7f7c00a530129b4a6ca45c121f6_JaffaCakes118.exe"
    PID: 2520
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\e2c3b7f7c00a530129b4a6ca45c121f6_JaffaCakes118.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\e2c3b7f7c00a530129b4a6ca45c121f6_JaffaCakes118.exe"
      PID: 4368
      - Drops file in Drivers directory
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\winlogon.exe
        Command line: "C:\Program Files (x86)\winlogon.exe"
        PID: 4484
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Drops file in Program Files directory
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - C:\Program Files (x86)\winlogon.exe
          Command line: "C:\Program Files (x86)\winlogon.exe"
          PID: 3284
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
          - C:\Program Files (x86)\winlogon.exe
            Command line: "C:\Program Files (x86)\winlogon.exe"
            PID: 4728
            - Modifies firewall policy service
            - Executes dropped EXE
            - Adds Run key to start application
            - Drops file in Program Files directory
            - Suspicious behavior: EnumeratesProcesses
          - C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3284 -s 344
            PID: 3472
            - Program crash
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 344
      PID: 4932
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2520 -ip 2520
  PID: 2288
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3284 -ip 3284
  PID: 4108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5356 --field-trial-handle=2260,i,9938964625802268469,1928462186077019554,262144 --variations-seed-version /prefetch:8
  PID: 2968
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
Downloads
- Filesize: 48KB
  MD5: e2c3b7f7c00a530129b4a6ca45c121f6
  SHA1: 298e23a73a15a70826d11eb0842e4b0729c0e5a3
  SHA256: b794d301da1dd4bcec3ea2911e9ccaffc96dce8e6ba3b279dd96dcfb4b622034
  SHA512: 29592741c1ac3e48d20db04ed34b282289d734c647e382e11fdd41d96ca4bdf060829327337c40db9972f4ac3c822567ea875cf997a8a5dae00c85735cf265e7
- Filesize: 2KB
  MD5: 7d789ed47fe14ba828e907e46035499d
  SHA1: 7b5fe9025f5fffc1639c604b3784db333de2c459
  SHA256: b286ea5967864bdd4188e60d22830ebd92cedb7ba1f5119b313eb03b2b174a19
  SHA512: afc27bbc66b740d8dc8e82639ab1487d486e2fd002c21edfd78e791877569168906243048ee23e86a9cd1cd365579e279340221b9181d055b1334f90053d4541