Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 148s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/04/2024, 14:54
Static task: static1
Behavioral task: behavioral1
- Sample: e2c9c053a8ecbbee1ee3ab3a38223ff1_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: e2c9c053a8ecbbee1ee3ab3a38223ff1_JaffaCakes118.exe
- Resource: win10v2004-20240226-en
General
- Target: e2c9c053a8ecbbee1ee3ab3a38223ff1_JaffaCakes118.exe
- Size: 56KB
- MD5: e2c9c053a8ecbbee1ee3ab3a38223ff1
- SHA1: de140d66f709865a7c08beff50128e148258851e
- SHA256: 0854402a5f5c134b28a963677bf101f4783d0832e35aa4c98a005a54c623b981
- SHA512: 40e3c6c462c595524c492a8fcbb51e1b5e8f1e0b0212735c8e6672f3fab7874d8e641358d14ad2f3f519164ce9006885d9da38e194ef0f0e88b6ef2d52899bb3
- SSDEEP: 384:X5992T/rFfJOSsgLRPaY05OipIrdUWIU2Vi/0HrAeAlgIER/cDyMopPfQ3rH6kG3:X59yrj4g47IvxMIEQazE5AhXN
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe, C:\\System Volume Information\\_restore{5BF8436B-A928-4855-4F90-0F42F2E55AA3}\\RP0\\A0000001.exe" | e2c9c053a8ecbbee1ee3ab3a38223ff1_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe, C:\\System Volume Information\\_restore{5BF8436B-A928-4855-4F90-0F42F2E55AA3}\\RP0\\A0000001.exe" | bootconfig.exe

Modifies visibility of file extensions in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | e2c9c053a8ecbbee1ee3ab3a38223ff1_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | bootconfig.exe

Disables RegEdit via registry modification (2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "0" | e2c9c053a8ecbbee1ee3ab3a38223ff1_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "0" | bootconfig.exe

Executes dropped EXE (2 IoCs)
pid | Process
1136 | bootconfig.exe
1980 | bootconfig.exe

Adds Run key to start application (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Confg = "C:\\Windows\\SYSTEM32\\bootconfig.exe" | bootconfig.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\(Default) = "C:\\System Volume Information\\(Default).vbs" | bootconfig.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Multimedia = "C:\\Windows\\windebug.exe" | e2c9c053a8ecbbee1ee3ab3a38223ff1_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Confg = "C:\\Windows\\SYSTEM32\\bootconfig.exe" | e2c9c053a8ecbbee1ee3ab3a38223ff1_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\(Default) = "C:\\System Volume Information\\(Default).vbs" | e2c9c053a8ecbbee1ee3ab3a38223ff1_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Multimedia = "C:\\Windows\\windebug.exe" | bootconfig.exe

Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\m: | bootconfig.exe
File opened (read-only) | \??\o: | bootconfig.exe
File opened (read-only) | \??\p: | bootconfig.exe
File opened (read-only) | \??\y: | bootconfig.exe
File opened (read-only) | \??\z: | bootconfig.exe
File opened (read-only) | \??\h: | bootconfig.exe
File opened (read-only) | \??\i: | bootconfig.exe
File opened (read-only) | \??\t: | bootconfig.exe
File opened (read-only) | \??\v: | bootconfig.exe
File opened (read-only) | \??\e: | bootconfig.exe
File opened (read-only) | \??\k: | bootconfig.exe
File opened (read-only) | \??\l: | bootconfig.exe
File opened (read-only) | \??\n: | bootconfig.exe
File opened (read-only) | \??\r: | bootconfig.exe
File opened (read-only) | \??\u: | bootconfig.exe
File opened (read-only) | \??\x: | bootconfig.exe
File opened (read-only) | \??\g: | bootconfig.exe
File opened (read-only) | \??\q: | bootconfig.exe
File opened (read-only) | \??\s: | bootconfig.exe
File opened (read-only) | \??\w: | bootconfig.exe
File opened (read-only) | \??\j: | bootconfig.exe

Drops file in System32 directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\bootconfig.exe | e2c9c053a8ecbbee1ee3ab3a38223ff1_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\bootconfig.exe | bootconfig.exe
File opened for modification | C:\Windows\SysWOW64\bootconfig.exe | e2c9c053a8ecbbee1ee3ab3a38223ff1_JaffaCakes118.exe

Drops file in Windows directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\windebug.exe | e2c9c053a8ecbbee1ee3ab3a38223ff1_JaffaCakes118.exe
File created | C:\Windows\windebug.exe | e2c9c053a8ecbbee1ee3ab3a38223ff1_JaffaCakes118.exe
File opened for modification | C:\Windows\windebug.exe | bootconfig.exe
File created | C:\Windows\windebug.exe | bootconfig.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
pid | Process
2992 | e2c9c053a8ecbbee1ee3ab3a38223ff1_JaffaCakes118.exe
1136 | bootconfig.exe
1980 | bootconfig.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 2992 wrote to memory of 1136 | 2992 | e2c9c053a8ecbbee1ee3ab3a38223ff1_JaffaCakes118.exe | 92
PID 2992 wrote to memory of 1136 | 2992 | e2c9c053a8ecbbee1ee3ab3a38223ff1_JaffaCakes118.exe | 92
PID 2992 wrote to memory of 1136 | 2992 | e2c9c053a8ecbbee1ee3ab3a38223ff1_JaffaCakes118.exe | 92
PID 1136 wrote to memory of 1980 | 1136 | bootconfig.exe | 96
PID 1136 wrote to memory of 1980 | 1136 | bootconfig.exe | 96
PID 1136 wrote to memory of 1980 | 1136 | bootconfig.exe | 96
Processes (process tree; nesting shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\e2c9c053a8ecbbee1ee3ab3a38223ff1_JaffaCakes118.exe (PID 2992)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e2c9c053a8ecbbee1ee3ab3a38223ff1_JaffaCakes118.exe"
  Signatures:
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\bootconfig.exe (PID 1136)
    Command line: C:\Windows\SYSTEM32\bootconfig.exe
    Signatures:
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\bootconfig.exe (PID 1980)
      Command line: C:\Windows\SYSTEM32\bootconfig.exe
      Signatures:
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Modify Registry (3)