Analysis
  max time kernel:  150s
  max time network: 151s
  platform:         windows10-2004_x64
  resource:         win10v2004-20240419-en
  resource tags:    arch:x64 arch:x86 image:win10v2004-20240419-en locale:en-us os:windows10-2004-x64 system
  submitted:        30/04/2024, 16:07
Behavioral task: behavioral1
  Sample:   0a242406df260af40a8b4fd6258cfb5e_JaffaCakes118.exe
  Resource: win7-20240220-en
General
  Target: 0a242406df260af40a8b4fd6258cfb5e_JaffaCakes118.exe
  Size:   513KB
  MD5:    0a242406df260af40a8b4fd6258cfb5e
  SHA1:   2eac5ee482bc4b74a40f3d2d4537412d2708f2e5
  SHA256: 68fc463038581b0243f1c85a6397232c5db10dd9482caaf08bdc9cc275134a6a
  SHA512: 86b958e94a2d2ca5bafad1250920e1a1ab700757dabb0e53a5a8d6962ddcb55f5af07f42801c30604526418d18d636755d00d4d583ec988eca219da8b933f3d1
  SSDEEP: 12288:p4fijaKuilYLV6BtpmkIMEcc7hyXDC8TW0C4yIfMZ/W:pbGKrlqApfIMEccdSm0xMt
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc:         \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation
  Process:     0a242406df260af40a8b4fd6258cfb5e_JaffaCakes118.exe

Executes dropped EXE (2 IoCs)
  pid: 3096  Process: HWID CHANGER.EXE
  pid: 3212  Process: SERVICES.EXE
Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc:         \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Service = "C:\\Program Files (x86)\\DDP Service\\ddpsv.exe"
  Process:     SERVICES.EXE

Checks whether UAC is enabled
  description: Key value queried
  ioc:         \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  Process:     SERVICES.EXE
Drops file in Program Files directory (2 IoCs)
  description: File created
  ioc:         C:\Program Files (x86)\DDP Service\ddpsv.exe
  Process:     SERVICES.EXE
  description: File opened for modification
  ioc:         C:\Program Files (x86)\DDP Service\ddpsv.exe
  Process:     SERVICES.EXE

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid: 4792  Process: schtasks.exe
  pid: 1572  Process: schtasks.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid: 3212  Process: SERVICES.EXE  (reported 6 times)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid: 3212  Process: SERVICES.EXE

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description: Token: SeDebugPrivilege  pid: 3212  Process: SERVICES.EXE
  description: Token: SeDebugPrivilege  pid: 3212  Process: SERVICES.EXE

Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   Process                                              procid_target
  PID 1580 wrote to memory of 3096   1580  0a242406df260af40a8b4fd6258cfb5e_JaffaCakes118.exe   83
  PID 1580 wrote to memory of 3096   1580  0a242406df260af40a8b4fd6258cfb5e_JaffaCakes118.exe   83
  PID 1580 wrote to memory of 3096   1580  0a242406df260af40a8b4fd6258cfb5e_JaffaCakes118.exe   83
  PID 1580 wrote to memory of 3212   1580  0a242406df260af40a8b4fd6258cfb5e_JaffaCakes118.exe   84
  PID 1580 wrote to memory of 3212   1580  0a242406df260af40a8b4fd6258cfb5e_JaffaCakes118.exe   84
  PID 1580 wrote to memory of 3212   1580  0a242406df260af40a8b4fd6258cfb5e_JaffaCakes118.exe   84
  PID 3212 wrote to memory of 4792   3212  SERVICES.EXE                                         85
  PID 3212 wrote to memory of 4792   3212  SERVICES.EXE                                         85
  PID 3212 wrote to memory of 4792   3212  SERVICES.EXE                                         85
  PID 3212 wrote to memory of 1572   3212  SERVICES.EXE                                         87
  PID 3212 wrote to memory of 1572   3212  SERVICES.EXE                                         87
  PID 3212 wrote to memory of 1572   3212  SERVICES.EXE                                         87
Processes (child processes are indented under their parent)

C:\Users\Admin\AppData\Local\Temp\0a242406df260af40a8b4fd6258cfb5e_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0a242406df260af40a8b4fd6258cfb5e_JaffaCakes118.exe"
  PID: 1580
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\HWID CHANGER.EXE
      Command line: "C:\Users\Admin\AppData\Local\Temp\HWID CHANGER.EXE"
      PID: 3096
      - Executes dropped EXE

    C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE
      Command line: "C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE"
      PID: 3212
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\schtasks.exe
          Command line: "schtasks.exe" /create /f /tn "DDP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp345E.tmp"
          PID: 4792
          - Creates scheduled task(s)

        C:\Windows\SysWOW64\schtasks.exe
          Command line: "schtasks.exe" /create /f /tn "DDP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp352A.tmp"
          PID: 1572
          - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads