Analysis
max time kernel: 182s
max time network: 195s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/04/2024, 20:03
Static task: static1
Behavioral task: behavioral1
  Sample: f8ab78e1db3a3cc3793f7680a90dc1d8ce087226ef59950b7acd6bb1beffd6e3_JaffaCakes118.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: f8ab78e1db3a3cc3793f7680a90dc1d8ce087226ef59950b7acd6bb1beffd6e3_JaffaCakes118.exe
  Resource: win10v2004-20240412-en
General
Target: f8ab78e1db3a3cc3793f7680a90dc1d8ce087226ef59950b7acd6bb1beffd6e3_JaffaCakes118.exe
Size: 23.5MB
MD5: 7b6d02a459fdaa4caa1a5bf741c4bd42
SHA1: 4eea45c22881a092ac7a8b0a5379076d5803e83e
SHA256: f8ab78e1db3a3cc3793f7680a90dc1d8ce087226ef59950b7acd6bb1beffd6e3
SHA512: d8d67ba37263832e7f7d0a945a04afe3d9cea24e78a2d82b00463a2ab575ddb0b53f020c9967391c8469a831c3205f68d010d752a17419d7c2bb34ae8dc55384
SSDEEP: 393216:zCTLRrqyYTljCQppkgSGlNoggc7k18J1unrY+M4ZtquYfZZrjMaDF1i:zCTLI3TZCQKGlZgc7k181W7fFOjMQ1i
Malware Config
Signatures
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  - description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\Control Panel\International\Geo\Nation
    process: f8ab78e1db3a3cc3793f7680a90dc1d8ce087226ef59950b7acd6bb1beffd6e3_JaffaCakes118.exe
  - description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\Control Panel\International\Geo\Nation
    process: NXTPKIENTS.tmp

Executes dropped EXE (2 IoCs)
  pid   process
  4304  NXTPKIENTS.exe
  2332  NXTPKIENTS.tmp

Loads dropped DLL (1 IoC)
  pid   process
  1248  rundll32.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Kills process with taskkill (8 IoCs)
  pid   process
  1476  taskkill.exe
  4556  taskkill.exe
  2464  taskkill.exe
  3296  taskkill.exe
  4528  taskkill.exe
  1696  taskkill.exe
  1512  taskkill.exe
  4492  taskkill.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid   process
  1248  rundll32.exe
  1248  rundll32.exe
  1248  rundll32.exe
  1248  rundll32.exe
  1320  powershell.exe
  1320  powershell.exe

Suspicious use of AdjustPrivilegeToken (9 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  1512  taskkill.exe
  Token: SeDebugPrivilege  4492  taskkill.exe
  Token: SeDebugPrivilege  1476  taskkill.exe
  Token: SeDebugPrivilege  4556  taskkill.exe
  Token: SeDebugPrivilege  2464  taskkill.exe
  Token: SeDebugPrivilege  3296  taskkill.exe
  Token: SeDebugPrivilege  4528  taskkill.exe
  Token: SeDebugPrivilege  1696  taskkill.exe
  Token: SeDebugPrivilege  1320  powershell.exe
Suspicious use of WriteProcessMemory (40 IoCs)
  description                       pid   procid_target  process
  PID 1424 wrote to memory of 1136  1424  86             f8ab78e1db3a3cc3793f7680a90dc1d8ce087226ef59950b7acd6bb1beffd6e3_JaffaCakes118.exe
  PID 1424 wrote to memory of 1136  1424  86             f8ab78e1db3a3cc3793f7680a90dc1d8ce087226ef59950b7acd6bb1beffd6e3_JaffaCakes118.exe
  PID 1424 wrote to memory of 1248  1424  90             f8ab78e1db3a3cc3793f7680a90dc1d8ce087226ef59950b7acd6bb1beffd6e3_JaffaCakes118.exe
  PID 1424 wrote to memory of 1248  1424  90             f8ab78e1db3a3cc3793f7680a90dc1d8ce087226ef59950b7acd6bb1beffd6e3_JaffaCakes118.exe
  PID 1424 wrote to memory of 4304  1424  93             f8ab78e1db3a3cc3793f7680a90dc1d8ce087226ef59950b7acd6bb1beffd6e3_JaffaCakes118.exe
  PID 1424 wrote to memory of 4304  1424  93             f8ab78e1db3a3cc3793f7680a90dc1d8ce087226ef59950b7acd6bb1beffd6e3_JaffaCakes118.exe
  PID 1424 wrote to memory of 4304  1424  93             f8ab78e1db3a3cc3793f7680a90dc1d8ce087226ef59950b7acd6bb1beffd6e3_JaffaCakes118.exe
  PID 4304 wrote to memory of 2332  4304  96             NXTPKIENTS.exe
  PID 4304 wrote to memory of 2332  4304  96             NXTPKIENTS.exe
  PID 4304 wrote to memory of 2332  4304  96             NXTPKIENTS.exe
  PID 2332 wrote to memory of 1512  2332  98             NXTPKIENTS.tmp
  PID 2332 wrote to memory of 1512  2332  98             NXTPKIENTS.tmp
  PID 2332 wrote to memory of 1512  2332  98             NXTPKIENTS.tmp
  PID 1248 wrote to memory of 1028  1248  100            rundll32.exe
  PID 1248 wrote to memory of 1028  1248  100            rundll32.exe
  PID 2332 wrote to memory of 4492  2332  102            NXTPKIENTS.tmp
  PID 2332 wrote to memory of 4492  2332  102            NXTPKIENTS.tmp
  PID 2332 wrote to memory of 4492  2332  102            NXTPKIENTS.tmp
  PID 2332 wrote to memory of 1476  2332  104            NXTPKIENTS.tmp
  PID 2332 wrote to memory of 1476  2332  104            NXTPKIENTS.tmp
  PID 2332 wrote to memory of 1476  2332  104            NXTPKIENTS.tmp
  PID 2332 wrote to memory of 4556  2332  106            NXTPKIENTS.tmp
  PID 2332 wrote to memory of 4556  2332  106            NXTPKIENTS.tmp
  PID 2332 wrote to memory of 4556  2332  106            NXTPKIENTS.tmp
  PID 2332 wrote to memory of 2464  2332  109            NXTPKIENTS.tmp
  PID 2332 wrote to memory of 2464  2332  109            NXTPKIENTS.tmp
  PID 2332 wrote to memory of 2464  2332  109            NXTPKIENTS.tmp
  PID 2332 wrote to memory of 3296  2332  111            NXTPKIENTS.tmp
  PID 2332 wrote to memory of 3296  2332  111            NXTPKIENTS.tmp
  PID 2332 wrote to memory of 3296  2332  111            NXTPKIENTS.tmp
  PID 2332 wrote to memory of 4528  2332  113            NXTPKIENTS.tmp
  PID 2332 wrote to memory of 4528  2332  113            NXTPKIENTS.tmp
  PID 2332 wrote to memory of 4528  2332  113            NXTPKIENTS.tmp
  PID 2332 wrote to memory of 1696  2332  116            NXTPKIENTS.tmp
  PID 2332 wrote to memory of 1696  2332  116            NXTPKIENTS.tmp
  PID 2332 wrote to memory of 1696  2332  116            NXTPKIENTS.tmp
  PID 1248 wrote to memory of 4036  1248  123            rundll32.exe
  PID 1248 wrote to memory of 4036  1248  123            rundll32.exe
  PID 1248 wrote to memory of 1320  1248  124            rundll32.exe
  PID 1248 wrote to memory of 1320  1248  124            rundll32.exe

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\f8ab78e1db3a3cc3793f7680a90dc1d8ce087226ef59950b7acd6bb1beffd6e3_JaffaCakes118.exe  [depth 1, PID 1424]
  command line: "C:\Users\Admin\AppData\Local\Temp\f8ab78e1db3a3cc3793f7680a90dc1d8ce087226ef59950b7acd6bb1beffd6e3_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe  [depth 2, PID 1136]
    command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\FCFD.tmp.bat

  C:\Windows\system32\rundll32.exe  [depth 2, PID 1248]
    command line: C:\Windows\system32\rundll32.exe "C:\Users\Admin\AppData\Roaming\Hancom\hc-c84a2fc2.png" limsjo
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\schtasks.exe  [depth 3, PID 1028]
      command line: schtasks /delete /f /tn "ChromeUpdateTaskMachineUAC"

    C:\Windows\system32\schtasks.exe  [depth 3, PID 4036]
      command line: schtasks /delete /f /tn "ChromeUpdateTaskMachineUAC"

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  [depth 3, PID 1320]
      command line: powershell.exe -executionpolicy bypass -File "C:\Users\Admin\.tmp\1893901399.ps1"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\NXTPKIENTS.exe  [depth 2, PID 4304]
    command line: "C:\Users\Admin\AppData\Local\Temp\NXTPKIENTS.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\is-VMUAI.tmp\NXTPKIENTS.tmp  [depth 3, PID 2332]
      command line: "C:\Users\Admin\AppData\Local\Temp\is-VMUAI.tmp\NXTPKIENTS.tmp" /SL5="$50186,6291726,231424,C:\Users\Admin\AppData\Local\Temp\NXTPKIENTS.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\taskkill.exe  [depth 4, PID 1512]
        command line: "C:\Windows\System32\taskkill.exe" /F /IM iexplore.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\taskkill.exe  [depth 4, PID 4492]
        command line: "C:\Windows\System32\taskkill.exe" /F /IM firefox.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\taskkill.exe  [depth 4, PID 1476]
        command line: "C:\Windows\System32\taskkill.exe" /F /IM opera.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\taskkill.exe  [depth 4, PID 4556]
        command line: "C:\Windows\System32\taskkill.exe" /F /IM safari.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\taskkill.exe  [depth 4, PID 2464]
        command line: "C:\Windows\System32\taskkill.exe" /F /IM chrome.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\taskkill.exe  [depth 4, PID 3296]
        command line: "C:\Windows\System32\taskkill.exe" /F /IM MicrosoftEdge.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\taskkill.exe  [depth 4, PID 4528]
        command line: "C:\Windows\System32\taskkill.exe" /F /IM msedge.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\taskkill.exe  [depth 4, PID 1696]
        command line: "C:\Windows\System32\taskkill.exe" /F /IM NXTPKIENTSI.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 266B
  MD5: 72beaa12f95e171e8bc2f716de35a088
  SHA1: f39b364171501349bd128ad91d860ad4e6d833ab
  SHA256: c2b41fccc51c0826e9539919549e48a2240f47cb2f6007634c6ea9fbaeb37f2b
  SHA512: 09e553dc73a0f30f6d3e69c5dff8e568365ac7a02fcce2f3cfbeaecb6951857061ecbe75c632cb92dbb96a737835117f8c1d4110eb7b178e6c3304a12e8acfc1

- Filesize: 463B
  MD5: c97d151e0950665179889274b9744310
  SHA1: 69043e9ce2122b3fd498ca38bb464cf8500f6062
  SHA256: b2e82e0831743f1d84931c7008c74fa224f8f271164831afd582d3a2e434eef7
  SHA512: 10354152e9ed31c6c628f2b14cdf77eb8963347f31e38674ea25142821096ddf72d3a599bdb63523ca2435930cb9dfa3c1af1e01131be11c89a1d18e73f46abd

- Filesize: 6.3MB
  MD5: eb8d073840e95cf24c9c3f5a2b6470e0
  SHA1: 2399567292f1e81630997fb4a151786d3e4938bb
  SHA256: 0dd9aa5b650f519a55c96bf0dee73162d9ba510b60521780c34811de25cd7bb6
  SHA512: 1347d8898b3e405c3de0ac90ea2880e215b745a58275b6ad8c027fa75c1f449949e7d77f820bb9bca445982b13c9f05f20ae6824445830ff7e65c71d12b18a8e

- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

- Filesize: 871KB
  MD5: bba6e056a5595fd2d9b50cce5ce602a1
  SHA1: 1405ba0d049270b5013a8ce79c879c781a140245
  SHA256: 5ac7e37459228cb19d9be74e24a4963c28222d8ed2665caa8857ba1c9105401a
  SHA512: 5a9e86396355e0681b8d2e6c464dc3cb22e96ac6d2d1ededbd96c1de6c05eb2d943ced98985d6ff805d1a42dee256d91e4502edc0e4020f1e990224d5a4d9b05

- Filesize: 8.6MB
  MD5: 88f183304b99c897aacfa321d58e1840
  SHA1: 4a705f58918c00431de453d5b5f621fa42ff7169
  SHA256: 61b8fbea8c0dfa337eb7ff978124ddf496d0c5f29bcb5672f3bd3d6bf832ac92
  SHA512: 8005d45f6b8321a3a925308c9f5683b868ad7f78cd37be619500d25a1ddd45d282d91ce8275300486c0397b4aefba78b9cd67d4cd50e763e3ca51dffc67c6115

- Filesize: 1B
  MD5: 4c761f170e016836ff84498202b99827
  SHA1: fb3c6e4de85bd9eae26fdc63e75f10a7f39e850e
  SHA256: 7ace431cb61584cb9b8dc7ec08cf38ac0a2d649660be86d349fb43108b542fa4
  SHA512: 19d147676eb275f0f0125762f223719fde9958859f5400cc34e2887b64a26d96c3c4f9d5c0fbbda48f22820d4415a68a4fdb99028b3ba19778873a7125e56477