Analysis
max time kernel: 143s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/04/2024, 09:36
Static task
static1

Behavioral tasks
behavioral1: fc751a15219828b9113b4e65e0c297f8_JaffaCakes118.exe on win7-20240221-en
behavioral2: fc751a15219828b9113b4e65e0c297f8_JaffaCakes118.exe on win10v2004-20240226-en
behavioral3: $PLUGINSDIR/StartMenu.dll on win7-20240221-en
behavioral4: $PLUGINSDIR/StartMenu.dll on win10v2004-20240412-en
behavioral5: Uninstall.exe on win7-20240221-en
behavioral6: Uninstall.exe on win10v2004-20240226-en
behavioral7: register.exe on win7-20240221-en
behavioral8: register.exe on win10v2004-20240412-en
General
Target: fc751a15219828b9113b4e65e0c297f8_JaffaCakes118.exe
Size: 94KB
MD5: fc751a15219828b9113b4e65e0c297f8
SHA1: 80600491c2ec6804a336d7c81360d234ed471fb0
SHA256: 774a06ee0917bab638b98728742962cc11d409d5fc4f6ed5194a9c64a5f2cc2d
SHA512: 719fd3509d65f05ca797e09733069cca9d33531b441124422db5a4dc61e82b8ef53a51f80a33d143533910a3877c83d8337240dda070277af891b527f21d9016
SSDEEP: 1536:wAdSRwm/V4skJaw/Z4Rofy+fRkjTb5TnqY0rKFm070Ck5nGVvTqnqy9RlqGVv1:wyewmN4skJaU4ZBjX5TnqYCKFmlorqqI
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  PID 2024 register.exe

Unexpected DNS network traffic destination (52 IoCs)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  Destination IP 85.255.112.110 (26 IoCs)
  Destination IP 85.255.116.69 (26 IoCs)
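The check behind this signature is simple enough to reproduce outside the sandbox: any packet to port 53 whose destination is not one of the host's configured resolvers is counted as an IoC. The block below is an added example, not code from the Triage report; the resolver addresses, the Flow record layout and the sample flows are its own assumptions, and the two 85.255.x.x destinations are the ones listed in the signature above.

```python
"""Flag DNS-port traffic that bypasses the host's configured resolvers.

Added example, not part of the Triage report. Reproduces the logic behind the
"Unexpected DNS network traffic destination" signature over a constructed list
of flow records. Resolver addresses and sample flows are assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str  # "udp" or "tcp"


# Assumed: the resolvers the analysis VM was configured with (hypothetical).
CONFIGURED_DNS = frozenset({"10.127.0.1", "10.127.0.2"})


def unexpected_dns(flows, configured=CONFIGURED_DNS):
    """Count DNS-port flows per destination that is not a configured resolver.

    Only port 53 over UDP or TCP counts; traffic to the same rogue host on
    another port belongs to a different signature. Addresses go through
    ipaddress so malformed strings fail early and IPv6 spellings compare
    canonically.
    """
    allowed = {ip_address(ip) for ip in configured}
    hits = Counter()
    for f in flows:
        if f.dport != 53 or f.proto.lower() not in ("udp", "tcp"):
            continue
        dst = ip_address(f.dst)
        if dst not in allowed:
            hits[str(dst)] += 1
    return hits


def summarise(flows, configured=CONFIGURED_DNS):
    """Roll the per-destination counts up the way the report does:
    a total IoC count plus the distinct destinations with their counts."""
    hits = unexpected_dns(flows, configured)
    return {
        "ioc_count": sum(hits.values()),
        "destinations": {ip: n for ip, n in sorted(hits.items())},
    }


# Constructed sample: two legitimate lookups, four lookups sent straight to the
# rogue servers from the report, and one non-DNS flow that must be ignored.
SAMPLE_FLOWS = [
    Flow("10.127.0.50", "10.127.0.1", 53, "udp"),
    Flow("10.127.0.50", "10.127.0.2", 53, "udp"),
    Flow("10.127.0.50", "85.255.112.110", 53, "udp"),
    Flow("10.127.0.50", "85.255.116.69", 53, "udp"),
    Flow("10.127.0.50", "85.255.112.110", 53, "udp"),
    Flow("10.127.0.50", "85.255.116.69", 53, "tcp"),
    Flow("10.127.0.50", "85.255.112.110", 80, "tcp"),  # HTTP, not DNS: ignored
]

if __name__ == "__main__":
    print(summarise(SAMPLE_FLOWS))
```

On a real host the same comparison should be made against the resolvers actually handed out by DHCP or set on the interface at capture time, not a static allow-list, because a DNS changer's whole point is to alter that setting; the resolvers observed in the first legitimate lookups are a reasonable baseline when the pre-infection configuration is unknown.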
Drops file in System32 directory (2 IoCs)
  File created: C:\Windows\SysWOW64\eqejf.exe (register.exe)
  File opened for modification: C:\Windows\SysWOW64\eqejf.exe (register.exe)

Suspicious use of SetThreadContext (2 IoCs)
  PID 2024 (register.exe) set thread context of 1800 (procid_target 92)
  PID 2024 (register.exe) set thread context of 3600 (procid_target 93)

Drops file in Program Files directory (2 IoCs)
  File opened for modification: C:\Program Files (x86)\HQ Codec\register.exe (fc751a15219828b9113b4e65e0c297f8_JaffaCakes118.exe)
  File created: C:\Program Files (x86)\HQ Codec\register.exe (fc751a15219828b9113b4e65e0c297f8_JaffaCakes118.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Gathers network information (2 TTPs, 5 IoCs)
Uses commandline utility to view network configuration.
  PID 1648 ipconfig.exe
  PID 1956 ipconfig.exe
  PID 2856 ipconfig.exe
  PID 2816 ipconfig.exe
  PID 768 ipconfig.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 2024 register.exe

Suspicious use of WriteProcessMemory (26 IoCs)
  PID 1184 (fc751a15219828b9113b4e65e0c297f8_JaffaCakes118.exe) wrote to memory of 2024 (procid_target 91), 3 times
  PID 2024 (register.exe) wrote to memory of 1800 (procid_target 92), 4 times
  PID 2024 (register.exe) wrote to memory of 3600 (procid_target 93), 4 times
  PID 1800 (iexplore.exe) wrote to memory of 768 (procid_target 94), 3 times
  PID 1800 (iexplore.exe) wrote to memory of 1648 (procid_target 96), 3 times
  PID 1800 (iexplore.exe) wrote to memory of 1956 (procid_target 97), 3 times
  PID 1800 (iexplore.exe) wrote to memory of 2856 (procid_target 100), 3 times
  PID 1800 (iexplore.exe) wrote to memory of 2816 (procid_target 102), 3 times
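Read together, the SetThreadContext and WriteProcessMemory signatures separate two very different things that both show up as cross-process writes: register.exe (PID 2024) both wrote into and changed the thread context of iexplore.exe (1800) and Explorer.exe (3600), which is the classic create-suspended, overwrite, redirect-thread sequence of process hollowing, while the writes from 1184 into 2024 and from iexplore.exe into the ipconfig.exe children are what ordinary child-process creation looks like under the sandbox's hooks. The block below is an added example, not code from the report or from Triage: it parses the signature rows in the text form shown on this page and groups them by (actor, target) pair. The regex, the pid-to-image map and the sample rows are its own assumptions, with the rows copied from the signatures above.

```python
"""Correlate WriteProcessMemory and SetThreadContext rows into hollowing candidates.

Added example, not part of the Triage report. Parses the "PID A wrote to
memory of B A image N" / "PID A set thread context of B A image N" rows as
they appear in the signature tables and groups them per (actor, target) pair.
The regex, helper names and pid-to-image map are this example's assumptions.
"""
import re
from collections import defaultdict

# One row: "PID <actor> <verb> <target> <actor again> <actor image> <procid_target>"
EVENT_RE = re.compile(
    r"PID (?P<actor>\d+) (?P<verb>wrote to memory of|set thread context of) "
    r"(?P<target>\d+) (?P=actor) (?P<image>\S+) (?P<target_id>\d+)"
)


def parse_events(text):
    """Return (actor_pid, actor_image, verb, target_pid) per row.

    The sandbox emits one row per hooked call, so repeated rows are real
    repeated calls and are kept; grouping happens in classify()."""
    events = []
    for m in EVENT_RE.finditer(text):
        verb = "write" if m["verb"].startswith("wrote") else "set_context"
        events.append((int(m["actor"]), m["image"], verb, int(m["target"])))
    return events


def classify(text, target_images):
    """Group rows by (actor, target) and label each pair.

    hollowing    : the actor both wrote into the target and changed a thread
                   context there (overwrite-then-redirect, i.e. process hollowing).
    context_only : thread context changed without a logged write; still
                   worth a look, since no benign reason to do this to a child.
    write_only   : writes without a context change, consistent with the
                   hooks' view of plain CreateProcess of a child.
    """
    seen = defaultdict(set)
    actor_image = {}
    for actor, image, verb, target in parse_events(text):
        seen[(actor, target)].add(verb)
        actor_image[actor] = image

    result = {"hollowing": [], "context_only": [], "write_only": []}
    for (actor, target), verbs in sorted(seen.items()):
        row = (actor, actor_image[actor], target, target_images.get(target, "?"))
        if {"write", "set_context"} <= verbs:
            result["hollowing"].append(row)
        elif verbs == {"set_context"}:
            result["context_only"].append(row)
        else:
            result["write_only"].append(row)
    return result


# Constructed sample: a subset of the rows from the two signatures on this page.
SAMPLE_ROWS = """\
PID 1184 wrote to memory of 2024 1184 fc751a15219828b9113b4e65e0c297f8_JaffaCakes118.exe 91
PID 1184 wrote to memory of 2024 1184 fc751a15219828b9113b4e65e0c297f8_JaffaCakes118.exe 91
PID 2024 wrote to memory of 1800 2024 register.exe 92
PID 2024 wrote to memory of 3600 2024 register.exe 93
PID 2024 set thread context of 1800 2024 register.exe 92
PID 2024 set thread context of 3600 2024 register.exe 93
PID 1800 wrote to memory of 768 1800 iexplore.exe 94
PID 1800 wrote to memory of 1648 1800 iexplore.exe 96
"""

# Assumed pid-to-image map, filled in from the process tree on this page.
TARGET_IMAGES = {
    2024: "register.exe",
    1800: "iexplore.exe",
    3600: "Explorer.exe",
    768: "ipconfig.exe",
    1648: "ipconfig.exe",
}

if __name__ == "__main__":
    for label, rows in classify(SAMPLE_ROWS, TARGET_IMAGES).items():
        for actor, a_img, target, t_img in rows:
            print(f"{label:12} {actor} ({a_img}) -> {target} ({t_img})")
```

The hollowing rows point at the two processes whose memory no longer matches the image on disk; a memory dump of PIDs 1800 and 3600 is where the real payload of register.exe will be, not in iexplore.exe or Explorer.exe as they exist on disk.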
Processes
[1] C:\Users\Admin\AppData\Local\Temp\fc751a15219828b9113b4e65e0c297f8_JaffaCakes118.exe (PID 1184)
    command line: "C:\Users\Admin\AppData\Local\Temp\fc751a15219828b9113b4e65e0c297f8_JaffaCakes118.exe"
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    [2] C:\Program Files (x86)\HQ Codec\register.exe (PID 2024)
        command line: register.exe
        - Executes dropped EXE
        - Drops file in System32 directory
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        [3] C:\Program Files (x86)\Internet Explorer\iexplore.exe (PID 1800)
            command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\ipconfig.exe (PID 768)
                command line: "C:\Windows\System32\ipconfig.exe" /flushdns
                - Gathers network information
            [4] C:\Windows\SysWOW64\ipconfig.exe (PID 1648)
                command line: "C:\Windows\System32\ipconfig.exe" /registerdns
                - Gathers network information
            [4] C:\Windows\SysWOW64\ipconfig.exe (PID 1956)
                command line: "C:\Windows\System32\ipconfig.exe" /dnsflush
                - Gathers network information
            [4] C:\Windows\SysWOW64\ipconfig.exe (PID 2856)
                command line: "C:\Windows\System32\ipconfig.exe" /renew
                - Gathers network information
            [4] C:\Windows\SysWOW64\ipconfig.exe (PID 2816)
                command line: "C:\Windows\System32\ipconfig.exe" /renew_all
                - Gathers network information
        [3] C:\Windows\SysWOW64\Explorer.exe (PID 3600)
            command line: Explorer.exe
[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1640)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4056 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 35KB
MD5: 1d95755ffcfc57da3b9c32ff5fdb6934
SHA1: c8a33a7b3394c1b4a0ba04d68b07579d711274b3
SHA256: 94779bc3bd7e5a2a284a4839bd3b7a18bb59527d88b1d57b0f547eae67360fcc
SHA512: 6d17f5a263699b683232f5f6b3c769a88e7c917e55bfbd89d0b847259340ff86d7e0ba36f3dac27c56a01ea4015b80607bc04b22de4b19aa1dde8af895a1324a