Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16/04/2024, 16:35

Static task: static1
Behavioral task: behavioral1
Sample: f3e0c97a1e0e64bc94507da8c33c0c3c_JaffaCakes118.exe
Resource: win7-20240221-en
General
Target: f3e0c97a1e0e64bc94507da8c33c0c3c_JaffaCakes118.exe
Size: 455KB
MD5: f3e0c97a1e0e64bc94507da8c33c0c3c
SHA1: cfa9da0e05afa966ea867fb02ea6e730d2cf5bcc
SHA256: 62b47f108b808d73be93bd323710a63252697d465701ac0e591a3b162fac2a10
SHA512: 2102a82fba5628997b7d9cf06e252dd22cdbac143fa0e7da9b6d19c49901a58e4e0802653b2b8e788aa340d0929a2a21613dc1415054afce2199285cb352ec55
SSDEEP: 12288:B5hV+0nRiW4SdUzWAenWRHcfoQwYl4Kb+YdoGP:B5hV+0nRiMHnWRHcfs64Kb+IoGP
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
pid   Process
2328  Logo1_.exe
4756  f3e0c97a1e0e64bc94507da8c33c0c3c_JaffaCakes118.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc     Process
File opened (read-only)  \??\X:  Logo1_.exe
File opened (read-only)  \??\U:  Logo1_.exe
File opened (read-only)  \??\S:  Logo1_.exe
File opened (read-only)  \??\R:  Logo1_.exe
File opened (read-only)  \??\O:  Logo1_.exe
File opened (read-only)  \??\L:  Logo1_.exe
File opened (read-only)  \??\I:  Logo1_.exe
File opened (read-only)  \??\E:  Logo1_.exe
File opened (read-only)  \??\Z:  Logo1_.exe
File opened (read-only)  \??\Y:  Logo1_.exe
File opened (read-only)  \??\W:  Logo1_.exe
File opened (read-only)  \??\T:  Logo1_.exe
File opened (read-only)  \??\N:  Logo1_.exe
File opened (read-only)  \??\M:  Logo1_.exe
File opened (read-only)  \??\K:  Logo1_.exe
File opened (read-only)  \??\H:  Logo1_.exe
File opened (read-only)  \??\V:  Logo1_.exe
File opened (read-only)  \??\Q:  Logo1_.exe
File opened (read-only)  \??\P:  Logo1_.exe
File opened (read-only)  \??\J:  Logo1_.exe
File opened (read-only)  \??\G:  Logo1_.exe
Drops file in Program Files directory (64 IoCs)
description                   ioc                                                                                                              Process
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jjs.exe                                                                        Logo1_.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe                                                                  Logo1_.exe
File opened for modification  C:\Program Files\Java\jre-1.8\bin\jjs.exe                                                                        Logo1_.exe
File opened for modification  C:\Program Files\Java\jre-1.8\bin\ssvagent.exe                                                                   Logo1_.exe
File opened for modification  C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Cortana.exe               Logo1_.exe
File opened for modification  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe                           Logo1_.exe
File opened for modification  C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe                                Logo1_.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jps.exe                                                                        Logo1_.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe                                                             Logo1_.exe
File opened for modification  C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe                                                                Logo1_.exe
File opened for modification  C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe                                                 Logo1_.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe                                                                 Logo1_.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe                                                               Logo1_.exe
File opened for modification  C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe                                             Logo1_.exe
File opened for modification  C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe                                                   Logo1_.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jdb.exe                                                                        Logo1_.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\kinit.exe                                                                      Logo1_.exe
File opened for modification  C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\GameBar.exe             Logo1_.exe
File opened for modification  C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe                                                 Logo1_.exe
File opened for modification  C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.29\MicrosoftEdgeUpdateComRegisterShell64.exe              Logo1_.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jinfo.exe                                                                      Logo1_.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\ktab.exe                                                                       Logo1_.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe                                                              Logo1_.exe
File opened for modification  C:\Program Files\Java\jre-1.8\bin\tnameserv.exe                                                                  Logo1_.exe
File opened for modification  C:\Program Files\Mozilla Firefox\updater.exe                                                                     Logo1_.exe
File opened for modification  C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.exe                Logo1_.exe
File opened for modification  C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\SpeechToTextOverlay64-Retail.exe  Logo1_.exe
File opened for modification  C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe                                           Logo1_.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\keytool.exe                                                                    Logo1_.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe                                                            Logo1_.exe
File opened for modification  C:\Program Files\Windows Photo Viewer\ImagingDevices.exe                                                         Logo1_.exe
File opened for modification  C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.29\MicrosoftEdgeComRegisterShellARM64.exe                 Logo1_.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\jcmd.exe                                                                       Logo1_.exe
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe              Logo1_.exe
File opened for modification  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\notification_helper.exe                            Logo1_.exe
File opened for modification  C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe                                                 Logo1_.exe
File opened for modification  C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\GameBar.exe               Logo1_.exe
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe                                         Logo1_.exe
File opened for modification  C:\Program Files (x86)\Windows Media Player\wmpconfig.exe                                                        Logo1_.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\unpack200.exe                                                                  Logo1_.exe
File opened for modification  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxTsr.exe       Logo1_.exe
File opened for modification  C:\Program Files (x86)\Internet Explorer\ieinstal.exe                                                            Logo1_.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\javac.exe                                                                      Logo1_.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\serialver.exe                                                                  Logo1_.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\java.exe                                                                   Logo1_.exe
File opened for modification  C:\Program Files\Mozilla Firefox\crashreporter.exe                                                               Logo1_.exe
File opened for modification  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe  Logo1_.exe
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe                                                   Logo1_.exe
File opened for modification  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\pwahelper.exe                                      Logo1_.exe
File opened for modification  C:\Program Files (x86)\Windows Media Player\wmprph.exe                                                           Logo1_.exe
File opened for modification  C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe                                  Logo1_.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe                                                                   Logo1_.exe
File opened for modification  C:\Program Files\Mozilla Firefox\minidump-analyzer.exe                                                           Logo1_.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe                                                                  Logo1_.exe
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe                                                                   Logo1_.exe
File opened for modification  C:\Program Files\Java\jre-1.8\bin\pack200.exe                                                                    Logo1_.exe
File opened for modification  C:\Program Files\Mozilla Firefox\private_browsing.exe                                                            Logo1_.exe
File opened for modification  C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\fmui\fmui.exe                   Logo1_.exe
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe                                             Logo1_.exe
File opened for modification  C:\Program Files\Java\jre-1.8\bin\javacpl.exe                                                                    Logo1_.exe
File opened for modification  C:\Program Files\Java\jre-1.8\bin\orbd.exe                                                                       Logo1_.exe
File opened for modification  C:\Program Files\Windows Mail\wabmig.exe                                                                         Logo1_.exe
File opened for modification  C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe                                                    Logo1_.exe
File opened for modification  C:\Program Files (x86)\Windows Mail\wab.exe                                                                      Logo1_.exe
Drops file in Windows directory (2 IoCs)
description   ioc                     Process
File created  C:\Windows\Logo1_.exe   f3e0c97a1e0e64bc94507da8c33c0c3c_JaffaCakes118.exe
File created  C:\Windows\virDll.dll   Logo1_.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (16 IoCs)
pid   Process
2328  Logo1_.exe
2328  Logo1_.exe
2328  Logo1_.exe
2328  Logo1_.exe
2328  Logo1_.exe
2328  Logo1_.exe
2328  Logo1_.exe
2328  Logo1_.exe
2328  Logo1_.exe
2328  Logo1_.exe
2328  Logo1_.exe
2328  Logo1_.exe
2328  Logo1_.exe
2328  Logo1_.exe
2328  Logo1_.exe
2328  Logo1_.exe
Suspicious use of WriteProcessMemory (10 IoCs)
description                        pid   Process                                              procid_target
PID 2540 wrote to memory of 3744   2540  f3e0c97a1e0e64bc94507da8c33c0c3c_JaffaCakes118.exe  85
PID 2540 wrote to memory of 3744   2540  f3e0c97a1e0e64bc94507da8c33c0c3c_JaffaCakes118.exe  85
PID 2540 wrote to memory of 3744   2540  f3e0c97a1e0e64bc94507da8c33c0c3c_JaffaCakes118.exe  85
PID 2540 wrote to memory of 2328   2540  f3e0c97a1e0e64bc94507da8c33c0c3c_JaffaCakes118.exe  86
PID 2540 wrote to memory of 2328   2540  f3e0c97a1e0e64bc94507da8c33c0c3c_JaffaCakes118.exe  86
PID 2540 wrote to memory of 2328   2540  f3e0c97a1e0e64bc94507da8c33c0c3c_JaffaCakes118.exe  86
PID 2328 wrote to memory of 3512   2328  Logo1_.exe                                           56
PID 2328 wrote to memory of 3512   2328  Logo1_.exe                                           56
PID 3744 wrote to memory of 4756   3744  cmd.exe                                              88
PID 3744 wrote to memory of 4756   3744  cmd.exe                                              88
Processes

C:\Windows\Explorer.EXE (PID 3512)
  Command line: C:\Windows\Explorer.EXE

  C:\Users\Admin\AppData\Local\Temp\f3e0c97a1e0e64bc94507da8c33c0c3c_JaffaCakes118.exe (PID 2540)
    Command line: "C:\Users\Admin\AppData\Local\Temp\f3e0c97a1e0e64bc94507da8c33c0c3c_JaffaCakes118.exe"
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 3744)
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3057.bat
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\f3e0c97a1e0e64bc94507da8c33c0c3c_JaffaCakes118.exe (PID 4756)
        Command line: "C:\Users\Admin\AppData\Local\Temp\f3e0c97a1e0e64bc94507da8c33c0c3c_JaffaCakes118.exe"
        - Executes dropped EXE

    C:\Windows\Logo1_.exe (PID 2328)
      Command line: C:\Windows\Logo1_.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 742KB
MD5: 93c64775b0da3dc767d434755e8804e9
SHA1: b792daf10bad3aa77410925abe69bca39ca25030
SHA256: 2b0101a133e7319a1c82d89d67fc69ea3928e1c536e99bda7912c1f89a59ae22
SHA512: cefb375d5cb603bb3f1c8f6911df30d02362f0e198051eacf8be98370bb903ca4e29596b8d4200baa8e4feb27cb630cfb7a80cdea144e248fc0b36439af1a7ed

Filesize: 614B
MD5: 116dfc414ad9cfbe5a2dcc4a95793809
SHA1: d10a4cd7cf5a98e92bb5c6a031162d80c9e44efa
SHA256: e9113a14c52583e49610d347b0de60296e89ac31cf5857d4b964a90012c47515
SHA512: 21838f8d884a8fee84f6107ebe11333b70a302cf1ced6786338402a7ff574c8a20e10fe9bb55c93c8b4c4ce6835dccbef3001b60104146ed54f8798e34c84852

Filesize: 397KB
MD5: 5bbe43a54b8facc512f295204bcc6500
SHA1: f120f40a14a02760a4fd01406fd7d1deaf0c4cd9
SHA256: bf66dd32c448f5e80506c8cc9655dec8683f6047f998b0957f4660fc82668e10
SHA512: 373a04f76073a8b3d65459e2aeccf0a83f96cc299d17a04fd5ccbfb9446e23e0842f2dcffa8335d34e664eb59f16ffe2138e5297f2e1b0dcb54ca0b0ca9dfafc

Filesize: 58KB
MD5: 57bd08d8c6a16851a4afd0d8721b761b
SHA1: c5cddfe47144ef3894b5a8c79223d517caeaa6eb
SHA256: 718ca7af3c380624a309ed03974e1f5bd6b37fd51f0c94426d2a068340842a40
SHA512: 6ede6d4b40b5aff48a7c5e04e7eb467a7afad2866f949e0568dfd40f2371da7ecbd492cb780a4d22b61798b7e1ee319fedd17efb506b329cdb6cd1807c680044