Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15/04/2024, 09:21
Static task: static1
Behavioral task: behavioral1
- Sample: f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe
- Resource: win7-20240215-en
Behavioral task: behavioral2
- Sample: f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe
- Resource: win10v2004-20240226-en
General
- Target: f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe
- Size: 606KB
- MD5: f0badb4014d0e5a24ffbf4fcf269eb88
- SHA1: e5f1633464f46d4d0aebb9e222d5883a4ceff3cf
- SHA256: c01e5aaf7540b2117aabcbce7d07c18b89c1d86ff5e0e34d5422f3cd35a738a2
- SHA512: af6c06dfbfd402cf1f5d475bf2a84c0ac4a1f1df60b56e95a533d77e770bfc6fa05bf80fd32d71f48c4afb99c05bb621a69e801be04eb7da86f483c65a8bf1b8
- SSDEEP: 12288:2OXXLhhs2XAFjgYZaOEOAHhly6T6ebnpSXVnf0U0SJvoqnuUD:ryTAVTVpu30SJvo+uU
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid   Process
  2892  GetX64BTIT.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                                              Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\{657BA90E-2DED-4410-B9B3-A59AB1F6F4BB}\\6815cdb9.exe"  f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  8     api.ipify.org
  9     api.ipify.org
- Uses Tor communications (1 TTP)
  Malware can proxy its traffic through Tor for more anonymity.
- Suspicious behavior: EnumeratesProcesses (64 IoCs, all from the same process)
  pid   Process
  3516  f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid   Process
  3516  f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (64 IoCs, duplicate entries collapsed)
  description                         pid   Process                                             procid_target
  PID 3516 wrote to memory of 2892    3516  f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe  90
  PID 3516 wrote to memory of 2456    3516  f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe  77
  PID 3516 wrote to memory of 3988    3516  f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe  78
  PID 3516 wrote to memory of 2448    3516  f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe  79
  PID 3516 wrote to memory of 2120    3516  f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe  80
  PID 3516 wrote to memory of 2824    3516  f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe  81
  PID 3516 wrote to memory of 3568    3516  f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe  83
  PID 3516 wrote to memory of 4912    3516  f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe  84
  PID 2456 wrote to memory of 4332    2456  msedge.exe                                          99
Processes
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2456)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3988)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x258,0x7ffe66152e98,0x7ffe66152ea4,0x7ffe66152eb0
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2448)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2272 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2120)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2312 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:3
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2824)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2588 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3568)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --mojo-platform-channel-handle=5308 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4912)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=5572 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4332)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3948 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
- C:\Users\Admin\AppData\Local\Temp\f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe (PID 3516)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe"
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe (PID 2892)
    Command line: "C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3KB
  MD5: b4cd27f2b37665f51eb9fe685ec1d373
  SHA1: 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0
  SHA256: 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581
  SHA512: e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e
- Filesize: 28B
  MD5: 235ed756c5323da2090ec4a5246f31ba
  SHA1: ce96c2d9e7d8d0f4c2d13220c320e718d82985c1
  SHA256: d1d100a089cfe26d8f0dc06f0bbb91d2207cd1f5cb79659dd17a05a09ecdc66e
  SHA512: f1ff71deea9dad8a66fafadd76690bbcfc77329ca87fc5f54fe84cb26cc14dceebaadec47762829f71b637523841ec787182997292035bffa737e0969f29b335