Site notice (Windows 7 deprecation): Windows 7 will be removed from tria.ge on 2025-03-31.
Analysis
- max time kernel: 13s
- max time network: 15s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21/04/2024, 02:07
Behavioral task
- behavioral1
  - Sample: fe2e55553d1e268f12d027b629c130a5_JaffaCakes118.exe
  - Resource: win7-20240221-en
  - Errors: none listed

Note: the Analysis block above describes a Windows 10 (win10v2004-20240412-en) run, and the signature hits below reference behavioral2. Only the behavioral1 (Windows 7) task header survives on this page; the results below belong to the Windows 10 task.
General
- Target: fe2e55553d1e268f12d027b629c130a5_JaffaCakes118.exe
- Size: 27KB
- MD5: fe2e55553d1e268f12d027b629c130a5
- SHA1: 921006135f99fd61970217ae0ed02b347c10e8f7
- SHA256: 888dc10b372b04d9b39262d49a71f364521a98709da0fd279f985d316b7020f8
- SHA512: 1117bdc7c496ee954629ff80b4cf7cb212a6483748453f7e2c9194dfc94ced9d1c75a34d1f295d375141014e7a9a9c49d2400c08cc8acd6009ca332a20e138c6
- SSDEEP: 768:FSPzquiqFbBFi2qanSAAZD50MF8Ekbz4OHc:FS+uHFn5sD50M9opHc

Malware Config
(none extracted)
Signatures

- Modifies security service (2 TTPs, 2 IoCs)
  | description | ioc | process |
  | Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "2" | reg.exe |
  | Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "2" | reg.exe |
  Caveat: a Start value of 2 is SERVICE_AUTO_START. The batch sets Windows Update (wuauserv) and Security Center (wscsvc) back to automatic start rather than disabling them, which is consistent with the "restore defaults" message passed to shutdown.exe in the process tree. The signature name records that the service configuration was touched, not the direction of the change. Note also that most of the writes go to ControlSet001 directly rather than through the CurrentControlSet link; on a freshly provisioned VM these normally refer to the same control set.

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  | description | ioc | process |
  | Key value queried | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation | fe2e55553d1e268f12d027b629c130a5_JaffaCakes118.exe |
  This query is made by the sample itself (PID 1472), before it drops and runs the batch file.

- yara_rule `upx` matched in memory (signature heading missing from this page)
  | resource | yara_rule |
  | behavioral2/memory/1472-1-0x0000000140000000-0x0000000140015000-memory.dmp | upx |
  | behavioral2/memory/1472-5-0x0000000140000000-0x0000000140015000-memory.dmp | upx |

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Modifies data under HKEY_USERS (15 IoCs)
  All 15 IoCs are written by LogonUI.exe (PID 1004) under \REGISTRY\USER\.DEFAULT:
  | description | ioc | process |
  | Set value (int) | ...\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe |
  | Set value (int) | ...\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe |
  | Set value (int) | ...\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe |
  | Set value (int) | ...\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe |
  | Key created | ...\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe |
  | Set value (int) | ...\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe |
  | Set value (int) | ...\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe |
  | Key created | ...\Software\Microsoft\Windows\DWM | LogonUI.exe |
  | Set value (int) | ...\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe |
  | Set value (int) | ...\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe |
  | Set value (int) | ...\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe |
  | Set value (data) | ...\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe |
  | Key created | ...\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe |
  | Set value (int) | ...\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe |
  | Set value (int) | ...\Software\Microsoft\Windows\DWM\EnableWindowColorization = "237" | LogonUI.exe |
  Caveat: LogonUI.exe is a Windows system binary that appears at the top level of the process tree, not under the sample. These DWM/accent-colour values are logon-screen theming, expected after the forced restart requested by `shutdown /r /f /t 5`, and should not be attributed to the sample.

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  | description | pid | process |
  | Token: SeShutdownPrivilege | 2372 | shutdown.exe |
  | Token: SeRemoteShutdownPrivilege | 2372 | shutdown.exe |
  Caveat: shutdown.exe must enable SeShutdownPrivilege to perform a restart; this is the privilege use of the tool the batch invoked, not a privilege escalation.

- Suspicious use of SetWindowsHookEx (1 IoC)
  | pid | process |
  | 1004 | LogonUI.exe |

- Suspicious use of WriteProcessMemory (64 IoCs, each write listed twice in the original log)
  | source pid | source process | target pid | procid_target |
  | 1472 | fe2e55553d1e268f12d027b629c130a5_JaffaCakes118.exe | 1204 | 87 |
  | 1204 | cmd.exe | 2372 | 94 |
  | 1204 | cmd.exe | 4372 | 96 |
  | 1204 | cmd.exe | 4304 | 97 |
  | 1204 | cmd.exe | 1640 | 98 |
  | 1204 | cmd.exe | 1308 | 99 |
  | 1204 | cmd.exe | 2440 | 100 |
  | 1204 | cmd.exe | 2384 | 101 |
  | 1204 | cmd.exe | 812 | 102 |
  | 1204 | cmd.exe | 4332 | 103 |
  | 1204 | cmd.exe | 8 | 104 |
  | 1204 | cmd.exe | 748 | 105 |
  | 1204 | cmd.exe | 2296 | 106 |
  | 1204 | cmd.exe | 4140 | 107 |
  | 1204 | cmd.exe | 4412 | 108 |
  | 1204 | cmd.exe | 5056 | 109 |
  | 1204 | cmd.exe | 936 | 110 |
  | 1204 | cmd.exe | 2280 | 111 |
  | 1204 | cmd.exe | 740 | 112 |
  | 1204 | cmd.exe | 2456 | 113 |
  | 1204 | cmd.exe | 3700 | 114 |
  | 1204 | cmd.exe | 932 | 115 |
  | 1204 | cmd.exe | 4984 | 116 |
  | 1204 | cmd.exe | 5064 | 117 |
  | 1204 | cmd.exe | 3980 | 118 |
  | 1204 | cmd.exe | 2816 | 119 |
  | 1204 | cmd.exe | 916 | 120 |
  | 1204 | cmd.exe | 5044 | 121 |
  | 1204 | cmd.exe | 4756 | 122 |
  | 1204 | cmd.exe | 2184 | 123 |
  | 1204 | cmd.exe | 1740 | 124 |
  | 1204 | cmd.exe | 1932 | 125 |
  Caveat: every target is a direct child of the writing process in the tree below, which is the pattern of ordinary process creation (the parent writing into the new child's address space during start-up). The list is capped at 64 IoCs, so the reg.exe children spawned after PID 1932 do not appear here. There is no write into an unrelated, already-running process, so this is not evidence of code injection.
Processes (indented by depth in the tree; command lines reproduced as logged)

- C:\Users\Admin\AppData\Local\Temp\fe2e55553d1e268f12d027b629c130a5_JaffaCakes118.exe (PID 1472)
  Command line: "C:\Users\Admin\AppData\Local\Temp\fe2e55553d1e268f12d027b629c130a5_JaffaCakes118.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (PID 1204)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\34AC.tmp\low.bat" "
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\shutdown.exe (PID 2372)
      Command line: shutdown /r /f /t 5 /c "Oxygen zostanie przełączony w tryb KOMPATYBILNOŚĆ. Wszystkie ustawienia zostaną przywrócone na domyślne."
      (The message is Polish, logged with a mangled code page and repaired here: "Oxygen will be switched to COMPATIBILITY mode. All settings will be restored to defaults.")
      Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\reg.exe (PID 4372): REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\WerSvc" /v "Start" /t REG_DWORD /d "3" /f
    - C:\Windows\system32\reg.exe (PID 4304): REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\WpnService" /v "Start" /t REG_DWORD /d "3" /f
    - C:\Windows\system32\reg.exe (PID 1640): REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService" /v "Start" /t REG_DWORD /d "2" /f
    - C:\Windows\system32\reg.exe (PID 1308): REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_3c549" /v "Start" /t REG_DWORD /d "2" /f
    - C:\Windows\system32\reg.exe (PID 2440): REG DELETE "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\PushNotifications" /v "ToastEnabled" /f
    - C:\Windows\system32\reg.exe (PID 2384): REG DELETE "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer" /v "DisableNotificationCenter" /f
    - C:\Windows\system32\reg.exe (PID 812): reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v AllowTelemetry /t REG_DWORD /d 1 /f
    - C:\Windows\system32\reg.exe (PID 4332): reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" /v EnableSmartScreen /t REG_DWORD /d 1 /f
    - C:\Windows\system32\reg.exe (PID 8): reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v DisableDeviceDelete /t REG_DWORD /d 0 /f
    - C:\Windows\system32\reg.exe (PID 748): Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\dmwappushservice" /V Start /t REG_DWORD /d 2 /f
    - C:\Windows\system32\reg.exe (PID 2296): Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\wmiApSrv" /V Start /t REG_DWORD /d 3 /f
    - C:\Windows\system32\reg.exe (PID 4140): Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\sense" /V Start /t REG_DWORD /d 3 /f
    - C:\Windows\system32\reg.exe (PID 4412): Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\SensorService" /V Start /t REG_DWORD /d 3 /f
    - C:\Windows\system32\reg.exe (PID 5056): Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\SensorDataService" /V Start /t REG_DWORD /d 3 /f
    - C:\Windows\system32\reg.exe (PID 936): Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\SharedRealitySvc" /V Start /t REG_DWORD /d 3 /f
    - C:\Windows\system32\reg.exe (PID 2280): Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\SensrSvc" /V Start /t REG_DWORD /d 3 /f
    - C:\Windows\system32\reg.exe (PID 740): Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\UsoSvc" /V Start /t REG_DWORD /d 2 /f
    - C:\Windows\system32\reg.exe (PID 2456): Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /V Start /t REG_DWORD /d 3 /f
    - C:\Windows\system32\reg.exe (PID 3700): Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\Themes" /V Start /t REG_DWORD /d 2 /f
    - C:\Windows\system32\reg.exe (PID 932): Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\SENS" /V Start /t REG_DWORD /d 2 /f
    - C:\Windows\system32\reg.exe (PID 4984): Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\TabletInputService" /V Start /t REG_DWORD /d 2 /f
    - C:\Windows\system32\reg.exe (PID 5064): Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\FontCache" /V Start /t REG_DWORD /d 2 /f
    - C:\Windows\system32\reg.exe (PID 3980): Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WpnUserService" /V Start /t REG_DWORD /d 2 /f
    - C:\Windows\system32\reg.exe (PID 2816): Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\DeviceAssociationService" /V Start /t REG_DWORD /d 2 /f
    - C:\Windows\system32\reg.exe (PID 916): Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\AppXSvc" /V Start /t REG_DWORD /d 3 /f
    - C:\Windows\system32\reg.exe (PID 5044): Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\Spooler" /V Start /t REG_DWORD /d 3 /f
    - C:\Windows\system32\reg.exe (PID 4756): Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\wuauserv" /V Start /t REG_DWORD /d 2 /f
      Signatures: Modifies security service
    - C:\Windows\system32\reg.exe (PID 2184): Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WaaSMedicSvc" /V Start /t REG_DWORD /d 2 /f
    - C:\Windows\system32\reg.exe (PID 1740): Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\DispBrokerDesktopSvc" /V Start /t REG_DWORD /d 2 /f
    - C:\Windows\system32\reg.exe (PID 1932): Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /V Start /t REG_DWORD /d 2 /f
      Signatures: Modifies security service
    - C:\Windows\system32\reg.exe (PID 4032): Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WSearch" /V Start /t REG_DWORD /d 2 /f
    - C:\Windows\system32\reg.exe (PID 3092): Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WpnService" /V Start /t REG_DWORD /d 2 /f
    - C:\Windows\system32\reg.exe (PID 2944): Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\StorSvc" /V Start /t REG_DWORD /d 2 /f
    - C:\Windows\system32\reg.exe (PID 3944): Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\DiagTrack" /V Start /t REG_DWORD /d 2 /f
    - C:\Windows\system32\reg.exe (PID 3296): Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\Appinfo" /V Start /t REG_DWORD /d 3 /f
    - C:\Windows\system32\reg.exe (PID 3376): Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\KeyIso" /V Start /t REG_DWORD /d 3 /f
    - C:\Windows\system32\reg.exe (PID 2956): Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\SEMgrSvc" /V Start /t REG_DWORD /d 3 /f
    - C:\Windows\system32\reg.exe (PID 3644): Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\BthAvctpSvc" /V Start /t REG_DWORD /d 3 /f
    - C:\Windows\system32\reg.exe (PID 2252): Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WbioSrvc" /V Start /t REG_DWORD /d 3 /f
    - C:\Windows\system32\reg.exe (PID 816): Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\lfsvc" /V Start /t REG_DWORD /d 3 /f
    - C:\Windows\system32\reg.exe (PID 3892): Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WPDBusEnum" /V Start /t REG_DWORD /d 3 /f
    - C:\Windows\system32\reg.exe (PID 600): Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\PhoneSvc" /V Start /t REG_DWORD /d 3 /f
    - C:\Windows\system32\reg.exe (PID 4004): Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\InstallService" /V Start /t REG_DWORD /d 3 /f
    - C:\Windows\system32\reg.exe (PID 1184): Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\camsvc" /V Start /t REG_DWORD /d 3 /f
    - C:\Windows\system32\reg.exe (PID 4308): Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\cbdhsvc_15bacae" /V Start /t REG_DWORD /d 3 /f
    - C:\Windows\system32\reg.exe (PID 4504): Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\edgeupdate" /V Start /t REG_DWORD /d 2 /f
    - C:\Windows\system32\reg.exe (PID 1072): Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\wisvc" /V Start /t REG_DWORD /d 3 /f
    - C:\Windows\system32\reg.exe (PID 4192): Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\NcbService" /V Start /t REG_DWORD /d 3 /f
    - C:\Windows\system32\reg.exe (PID 3916): Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\CDPSvc" /V Start /t REG_DWORD /d 2 /f
    - C:\Windows\system32\reg.exe (PID 3672): Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\LanmanServer" /V Start /t REG_DWORD /d 2 /f

- C:\Windows\system32\LogonUI.exe (PID 1004)
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa3956055 /state1:0x41c64e6d
  Signatures: Modifies data under HKEY_USERS; Suspicious use of SetWindowsHookEx
  (Top-level system process, not a child of the sample; see the caveat under the HKEY_USERS signature.)

Reading the tree: the sample (PID 1472) drops low.bat into a %TEMP%\34AC.tmp directory and runs it through cmd.exe. The batch schedules a forced restart, re-enables telemetry, SmartScreen and notification settings by policy, and rewrites the Start value of roughly fifty services under HKLM\SYSTEM (2 = automatic, 3 = manual). The only deletions are of two per-user notification tweaks. No network activity is recorded.
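A triage analyst reading a tree like the one above wants the fifty-odd reg.exe lines reduced to one answer: which services were touched, to what start type, and do any of them matter for the host's security posture? The following script is an added example for this report, not tria.ge code or the sample's own batch file. It parses `reg add ... /v Start /t REG_DWORD /d <n>` command lines of the shape logged above, maps the Start DWORD to its documented SERVICE_*_START meaning, and flags a small, analyst-chosen (assumed) list of security-relevant services. The `REPORT_CMDLINES` list is a subset copied from the process tree; `summarise` also returns the lines it could not parse so that `REG DELETE` and policy writes are not silently dropped.

```python
"""Classify reg.exe service start-type changes from a sandbox process tree.

Added example, not code from tria.ge or from the analysed sample.
Assumptions: command lines follow the reg.exe syntax seen in the report,
and SECURITY_SERVICES is an analyst-chosen list, not an authoritative one.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Documented meanings of the Start DWORD under HKLM\SYSTEM\...\Services\<name>.
START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "manual", 4: "disabled"}

# Services whose start type bears on security posture (assumption; extend as needed).
SECURITY_SERVICES = {
    "wuauserv",               # Windows Update
    "wscsvc",                 # Security Center
    "securityhealthservice",  # Windows Security health
    "sense",                  # Defender for Endpoint sensor
    "waasmedicsvc",           # Windows Update Medic
    "windefend",              # Defender antimalware engine
}

# reg[.exe] add "HKLM\SYSTEM\<set>\Services\<svc>" /v Start /t REG_DWORD /d <n> [/f]
# Quotes are optional everywhere reg.exe accepts them; matching is case-insensitive.
SERVICE_START_RE = re.compile(
    r'\breg(?:\.exe)?\s+add\s+"?'
    r'(?:HKLM|HKEY_LOCAL_MACHINE)\\SYSTEM\\(?P<set>ControlSet\d{3}|CurrentControlSet)\\Services\\'
    r'(?P<svc>[^"\\\s]+)"?\s+/v\s+"?Start"?\s+/t\s+REG_DWORD\s+/d\s+"?(?P<val>\d+)"?',
    re.IGNORECASE,
)


@dataclass(frozen=True)
class ServiceChange:
    service: str
    control_set: str
    start: int
    start_type: str
    security_relevant: bool


def parse_service_change(cmdline: str) -> Optional[ServiceChange]:
    """Return the service start-type change a reg.exe command line makes, or None."""
    m = SERVICE_START_RE.search(cmdline)
    if m is None:
        return None
    value = int(m.group("val"))
    service = m.group("svc")
    return ServiceChange(
        service=service,
        control_set=m.group("set"),
        start=value,
        start_type=START_TYPES.get(value, "unknown"),
        security_relevant=service.lower() in SECURITY_SERVICES,
    )


def summarise(cmdlines: List[str]) -> Tuple[List[ServiceChange], List[str]]:
    """Parse every line; return (changes, unparsed) so nothing is dropped silently."""
    changes, unparsed = [], []
    for line in cmdlines:
        change = parse_service_change(line)
        if change is None:
            unparsed.append(line)
        else:
            changes.append(change)
    return changes, unparsed


def security_posture(changes: List[ServiceChange]) -> dict:
    """Final start type of each security-relevant service (last write wins)."""
    return {c.service: c.start_type for c in changes if c.security_relevant}


# Subset of command lines copied from the report's process tree.
REPORT_CMDLINES = [
    r'REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\WerSvc" /v "Start" /t REG_DWORD /d "3" /f',
    r'REG DELETE "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\PushNotifications" /v "ToastEnabled" /f',
    r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v AllowTelemetry /t REG_DWORD /d 1 /f',
    r'Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\sense" /V Start /t REG_DWORD /d 3 /f',
    r'Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /V Start /t REG_DWORD /d 3 /f',
    r'Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\wuauserv" /V Start /t REG_DWORD /d 2 /f',
    r'Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WaaSMedicSvc" /V Start /t REG_DWORD /d 2 /f',
    r'Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /V Start /t REG_DWORD /d 2 /f',
    r'Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\cbdhsvc_15bacae" /V Start /t REG_DWORD /d 3 /f',
]

if __name__ == "__main__":
    changes, unparsed = summarise(REPORT_CMDLINES)
    for c in changes:
        flag = "  <-- security-relevant" if c.security_relevant else ""
        print(f"{c.control_set:<18} {c.service:<24} Start={c.start} ({c.start_type}){flag}")
    print(f"\n{len(unparsed)} line(s) were not service start-type changes:")
    for line in unparsed:
        print("  " + line)
```

Run against the lines from this report it shows wuauserv, wscsvc and WaaSMedicSvc ending at `auto` and sense and SecurityHealthService at `manual`, i.e. nothing is disabled; a batch that set any of these to 4 would stand out immediately in the same output.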
Network
MITRE ATT&CK Enterprise v15
Downloads
- File (unnamed in the report)
  - Filesize: 4KB
  - MD5: b4f7063beb4097c9e72ed1ad81152d13
  - SHA1: f98ddd81c8795c5ebddf7e2834b4e649aae58876
  - SHA256: 17a4ab0867bd0244ee95b41c15850fbbe238baae56f091d956f610a0bdba5dc5
  - SHA512: c505675d4997808aaf84216ad9a7ba5ccc4f682bba4a7cb167cd00af5bf4e1233c13e332c0c38a4bdc487903908d503b6f3ca4889881827307a993b2b50a3596