Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
20/04/2024, 05:50
Static task
static1
Behavioral task
behavioral1
Sample
fc101dd326c3d170efaaabdc42a610a0_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
fc101dd326c3d170efaaabdc42a610a0_JaffaCakes118.exe
Resource
win10v2004-20240226-en
General
-
Target
fc101dd326c3d170efaaabdc42a610a0_JaffaCakes118.exe
-
Size
324KB
-
MD5
fc101dd326c3d170efaaabdc42a610a0
-
SHA1
c0d054a57e97de962bb78b29d0b21b3dc99e7fee
-
SHA256
28580add41f33e2099027ae600a84122bedabf0324334834e165057233aa2e5d
-
SHA512
fe4e4733281af1cedbd36287c9a0646c1f9ec139c833a8b9cad9f24bbc319f33de4e8ad5e35d0f2a3a4c02c9bed23db3aa387b358060dc19a34783c9991ad201
-
SSDEEP
6144:W2gBgs+Nwat0XVr+6eUDd1wnaLfWEyOemkjNU1aTYONAcxbwOC8h5RdndVw+X0ot:wgs+Kat0XVr+6eUDd1kaLfWEyBmkjNUo
Malware Config
Signatures
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PhysicalDrive0 fc101dd326c3d170efaaabdc42a610a0_JaffaCakes118.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 4400 set thread context of 1600 4400 fc101dd326c3d170efaaabdc42a610a0_JaffaCakes118.exe 91 PID 1600 set thread context of 4652 1600 fc101dd326c3d170efaaabdc42a610a0_JaffaCakes118.exe 92 -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "420357213" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{E9572B2D-FED9-11EE-B9F7-D65EEEF40ABB} = "0" IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3217273766" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\DomainSuggestion IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\GPU IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31101670" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3217273766" IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31101670" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3199773482" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31101670" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3199773482" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31101670" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 4652 fc101dd326c3d170efaaabdc42a610a0_JaffaCakes118.exe 4652 fc101dd326c3d170efaaabdc42a610a0_JaffaCakes118.exe 4652 fc101dd326c3d170efaaabdc42a610a0_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 4652 fc101dd326c3d170efaaabdc42a610a0_JaffaCakes118.exe Token: SeDebugPrivilege 1292 IEXPLORE.EXE -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1124 IEXPLORE.EXE -
Suspicious use of SetWindowsHookEx 8 IoCs
pid Process 4400 fc101dd326c3d170efaaabdc42a610a0_JaffaCakes118.exe 1600 fc101dd326c3d170efaaabdc42a610a0_JaffaCakes118.exe 1124 IEXPLORE.EXE 1124 IEXPLORE.EXE 1292 IEXPLORE.EXE 1292 IEXPLORE.EXE 1292 IEXPLORE.EXE 1292 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 27 IoCs
description pid Process procid_target PID 4400 wrote to memory of 1600 4400 fc101dd326c3d170efaaabdc42a610a0_JaffaCakes118.exe 91 PID 4400 wrote to memory of 1600 4400 fc101dd326c3d170efaaabdc42a610a0_JaffaCakes118.exe 91 PID 4400 wrote to memory of 1600 4400 fc101dd326c3d170efaaabdc42a610a0_JaffaCakes118.exe 91 PID 4400 wrote to memory of 1600 4400 fc101dd326c3d170efaaabdc42a610a0_JaffaCakes118.exe 91 PID 4400 wrote to memory of 1600 4400 fc101dd326c3d170efaaabdc42a610a0_JaffaCakes118.exe 91 PID 4400 wrote to memory of 1600 4400 fc101dd326c3d170efaaabdc42a610a0_JaffaCakes118.exe 91 PID 4400 wrote to memory of 1600 4400 fc101dd326c3d170efaaabdc42a610a0_JaffaCakes118.exe 91 PID 4400 wrote to memory of 1600 4400 fc101dd326c3d170efaaabdc42a610a0_JaffaCakes118.exe 91 PID 1600 wrote to memory of 4652 1600 fc101dd326c3d170efaaabdc42a610a0_JaffaCakes118.exe 92 PID 1600 wrote to memory of 4652 1600 fc101dd326c3d170efaaabdc42a610a0_JaffaCakes118.exe 92 PID 1600 wrote to memory of 4652 1600 fc101dd326c3d170efaaabdc42a610a0_JaffaCakes118.exe 92 PID 1600 wrote to memory of 4652 1600 fc101dd326c3d170efaaabdc42a610a0_JaffaCakes118.exe 92 PID 1600 wrote to memory of 4652 1600 fc101dd326c3d170efaaabdc42a610a0_JaffaCakes118.exe 92 PID 1600 wrote to memory of 4652 1600 fc101dd326c3d170efaaabdc42a610a0_JaffaCakes118.exe 92 PID 1600 wrote to memory of 4652 1600 fc101dd326c3d170efaaabdc42a610a0_JaffaCakes118.exe 92 PID 1600 wrote to memory of 4652 1600 fc101dd326c3d170efaaabdc42a610a0_JaffaCakes118.exe 92 PID 1600 wrote to memory of 4652 1600 fc101dd326c3d170efaaabdc42a610a0_JaffaCakes118.exe 92 PID 4652 wrote to memory of 2856 4652 fc101dd326c3d170efaaabdc42a610a0_JaffaCakes118.exe 95 PID 4652 wrote to memory of 2856 4652 fc101dd326c3d170efaaabdc42a610a0_JaffaCakes118.exe 95 PID 4652 wrote to memory of 2856 4652 fc101dd326c3d170efaaabdc42a610a0_JaffaCakes118.exe 95 PID 2856 wrote to memory of 1124 2856 iexplore.exe 96 PID 2856 wrote to memory of 1124 2856 iexplore.exe 96 PID 1124 wrote to memory of 1292 1124 IEXPLORE.EXE 98 PID 1124 wrote to memory of 1292 1124 IEXPLORE.EXE 98 PID 1124 wrote to memory of 1292 1124 IEXPLORE.EXE 98 PID 4652 wrote to memory of 1292 4652 fc101dd326c3d170efaaabdc42a610a0_JaffaCakes118.exe 98 PID 4652 wrote to memory of 1292 4652 fc101dd326c3d170efaaabdc42a610a0_JaffaCakes118.exe 98
Processes
-
C:\Users\Admin\AppData\Local\Temp\fc101dd326c3d170efaaabdc42a610a0_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\fc101dd326c3d170efaaabdc42a610a0_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4400 -
C:\Users\Admin\AppData\Local\Temp\fc101dd326c3d170efaaabdc42a610a0_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\fc101dd326c3d170efaaabdc42a610a0_JaffaCakes118.exe"2⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1600 -
C:\Users\Admin\AppData\Local\Temp\fc101dd326c3d170efaaabdc42a610a0_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\fc101dd326c3d170efaaabdc42a610a0_JaffaCakes118.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4652 -
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"4⤵
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Program Files\Internet Explorer\IEXPLORE.EXE"C:\Program Files\Internet Explorer\IEXPLORE.EXE"5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1124 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1124 CREDAT:17410 /prefetch:26⤵
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1292
-
-
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4092 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:81⤵PID:4284
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize471B
MD54e981d0b7c38bdc36065b0244ef73c15
SHA1c9ec66cc6b2049c4801d9256cdf50bfa772227e8
SHA256ffde49ad889e401f6b4e5df21406b6bdee53635137333c4947f990013472d3e4
SHA512a77173d5b6759bf062a1a0766f7de0456958435b671ed4ca8dad2cc434b2a707d1cf0c3a6038886f7f5bbed030efff46028c7bd0b478f09a47283589b2851a30
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize404B
MD5845b56a4d479074c8f7cdf332a1e694d
SHA18564477dea0eced1dec98de9f1b5ee74164b5bfe
SHA2569ff09bddcfcd36ed5458212302df53c72eb66ce67c23602874de7391a273bbd3
SHA51203c7816082c5c2f71ac8563d3d0444fddfe4d4714d298f225e443aba728e389c41a324ca4652d2d7818c2af1e2865a6984fb39f12ef563f3aa32593aaf0aa4c8
-
Filesize
15KB
MD51a545d0052b581fbb2ab4c52133846bc
SHA162f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d
-
Filesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee