Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20/04/2024, 04:05
Static task: static1
Behavioral task: behavioral1
- Sample: fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
- Resource: win10v2004-20240412-en
General
- Target: fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
- Size: 994KB
- MD5: fbe353546e6e4500b13204985f674417
- SHA1: 9b18b4cef1013c4a75792f4ea8d06b7bb752c290
- SHA256: 5da53f51769b8ec07bedd2938871448487f209c80e63a11b30db409a1829ccc1
- SHA512: d3db489225b6ecb39d93aeae7b40fd83d95d28d4f13c972b04d34dfa6abb05112114c90f3b9d1498388cf2bf56dd1f595a57317c4618a8076a1fe068fdb340d8
- SSDEEP: 12288:EHj4044T3b+mO2+sPQ3GWWJoOEqxEH2w2rnF8TN4Ho2I1D/+KH6R1/VxZaZBNjyy:M809T3/ixHWG72y2rnF8TKI2kMdxELNp
Malware Config
Signatures
- Drops file in Drivers directory (3 IoCs)
  description | ioc | Process
  - File opened for modification | C:\Windows\system32\DRIVERS\SET32C8.tmp | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
  - File created | C:\Windows\system32\DRIVERS\SET32C8.tmp | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
  - File opened for modification | C:\Windows\system32\DRIVERS\Mslmedia.sys | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  - Key value queried | \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
- Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  - File created | C:\Windows\Setupsti.log | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
  - File opened for modification | C:\Windows\hllog.txt | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Runs ping.exe (1 TTP, 1 IoC)
  pid | Process
  - 3272 | PING.EXE
- Suspicious behavior: LoadsDriver (1 IoC)
  pid | Process
  - 652 | Process not Found
- Suspicious use of AdjustPrivilegeToken (24 IoCs)
  description | pid | Process
  - Token: SeDebugPrivilege | 1852 | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
  - Token: SeAssignPrimaryTokenPrivilege | 1852 | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
  - Token: SeAuditPrivilege | 1852 | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
  - Token: SeBackupPrivilege | 1852 | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
  - Token: SeChangeNotifyPrivilege | 1852 | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
  - Token: SeCreatePagefilePrivilege | 1852 | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
  - Token: SeCreatePermanentPrivilege | 1852 | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
  - Token: SeCreateTokenPrivilege | 1852 | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
  - Token: SeIncBasePriorityPrivilege | 1852 | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
  - Token: SeIncreaseQuotaPrivilege | 1852 | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
  - Token: SeLoadDriverPrivilege | 1852 | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
  - Token: SeLockMemoryPrivilege | 1852 | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
  - Token: SeProfSingleProcessPrivilege | 1852 | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
  - Token: SeRemoteShutdownPrivilege | 1852 | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
  - Token: SeRestorePrivilege | 1852 | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
  - Token: SeSecurityPrivilege | 1852 | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
  - Token: SeShutdownPrivilege | 1852 | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
  - Token: SeSystemEnvironmentPrivilege | 1852 | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
  - Token: SeSystemProfilePrivilege | 1852 | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
  - Token: SeSystemtimePrivilege | 1852 | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
  - Token: SeTakeOwnershipPrivilege | 1852 | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
  - Token: SeTcbPrivilege | 1852 | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
  - Token: SeMachineAccountPrivilege | 1852 | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
  - Token: SeDebugPrivilege | 1852 | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  - PID 1852 wrote to memory of 4192 | 1852 | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe | 86
  - PID 1852 wrote to memory of 4192 | 1852 | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe | 86
  - PID 1852 wrote to memory of 4192 | 1852 | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe | 86
  - PID 4192 wrote to memory of 3272 | 4192 | cmd.exe | 89
  - PID 4192 wrote to memory of 3272 | 4192 | cmd.exe | 89
  - PID 4192 wrote to memory of 3272 | 4192 | cmd.exe | 89
Processes
- C:\Users\Admin\AppData\Local\Temp\fbe353546e6e4500b13204985f674417_JaffaCakes118.exe (PID: 1852)
  Command line: "C:\Users\Admin\AppData\Local\Temp\fbe353546e6e4500b13204985f674417_JaffaCakes118.exe"
  - Drops file in Drivers directory
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID: 4192)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_lm_delself_.bat" "
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID: 3272)
      Command line: C:\Windows\system32\ping.exe 127.0.0.1 -n 2
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 146B
  MD5: f8bf2cff95a98e4c9c9c4f3b4b60f58c
  SHA1: cd06c7b3415ca56a6e2a937555655502d2ff1308
  SHA256: 3d53cfb03d4aea581bda9c632a509039862d22ad2a9173d10ee8aea0b8b70920
  SHA512: cdcd7d6024cd125bc9969df3d5d7992618080db2ea07d84b795c1377943d7c9776ffd9be83ac58303768514d043a0c0379730713306d27ed4524424d2d0dc0a0
- Filesize: 22KB
  MD5: 9a78e22cc4623898b5b8908c40988529
  SHA1: 6f84342817c26d97cd9eb416ebea2f83509546cd
  SHA256: 9a0e4e71448129e9f1585649ff76d317553a10723abab7216f6bea4a413db82a
  SHA512: 88c3899adaf1d7e24dce564803141a9aa05035e29e238f47722d9233e6f352d5583b8d80fba471e842145246b9940bf37b9db06436ecf1a3f164b13b62b9373b