Analysis
max time kernel: 86s
max time network: 107s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/05/2024, 09:56
Static task: static1
Behavioral task: behavioral1
  Sample: 0e2d67a033efc098dcdafe159cbd1954_JaffaCakes118.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 0e2d67a033efc098dcdafe159cbd1954_JaffaCakes118.exe
  Resource: win10v2004-20240426-en
General
Target: 0e2d67a033efc098dcdafe159cbd1954_JaffaCakes118.exe
Size: 2.5MB
MD5: 0e2d67a033efc098dcdafe159cbd1954
SHA1: 0b962240091c3037e25db68e92768bd1119f9c66
SHA256: 616efc1d1d4a4b50f275dc1de7ea8c17d2d9206038996bd3c23aba87c28f617e
SHA512: f5dddf1a60096d9f59d0cff146bc11b2509329869ba7fda2604e6c492df3113a6e29703adcb3fe73ff52e1a743d6040df37c2dee9edfbc73a40b066e2929430f
SSDEEP: 49152:y8Zbn98Zbn98Zbn98ZbnYn/4MnYYJ2ZhqSGLHkJEMFHUDkYOMwwnMb4PmyV:1wIDQnYOXwnS4rV
Malware Config
Signatures

Executes dropped EXE 9 IoCs
pid   Process
3112  478.#.exe
3544  188.#.exe
2652  238.#.exe
3396  346.#.exe
2740  311.#.exe
5544  830.#.exe
1628  755.#.exe
5536  890.#.exe
2460  782.#.exe

Adds Run key to start application 2 TTPs 10 IoCs
description      ioc                                                                                                                        Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"  0e2d67a033efc098dcdafe159cbd1954_JaffaCakes118.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"  478.#.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"  188.#.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"  346.#.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"  755.#.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"  890.#.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"  782.#.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"  238.#.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"  311.#.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"  830.#.exe
Drops file in Program Files directory 64 IoCs
NTFS ADS 10 IoCs
description                   ioc                                                 Process
File opened for modification  C:\Users\Admin\AppData\Local\Temp\:\systemlog.bak  0e2d67a033efc098dcdafe159cbd1954_JaffaCakes118.exe
File opened for modification  C:\Users\Admin\AppData\Local\Temp\:\systemlog.bak  238.#.exe
File opened for modification  C:\Users\Admin\AppData\Local\Temp\:\systemlog.bak  346.#.exe
File opened for modification  C:\Users\Admin\AppData\Local\Temp\:\systemlog.bak  830.#.exe
File opened for modification  C:\Users\Admin\AppData\Local\Temp\:\systemlog.bak  890.#.exe
File opened for modification  C:\Users\Admin\AppData\Local\Temp\:\systemlog.bak  478.#.exe
File opened for modification  C:\Users\Admin\AppData\Local\Temp\:\systemlog.bak  188.#.exe
File opened for modification  C:\Users\Admin\AppData\Local\Temp\:\systemlog.bak  311.#.exe
File opened for modification  C:\Users\Admin\AppData\Local\Temp\:\systemlog.bak  755.#.exe
File opened for modification  C:\Users\Admin\AppData\Local\Temp\:\systemlog.bak  782.#.exe

Suspicious use of SetWindowsHookEx 10 IoCs
pid   Process
3512  0e2d67a033efc098dcdafe159cbd1954_JaffaCakes118.exe
3112  478.#.exe
3544  188.#.exe
2652  238.#.exe
3396  346.#.exe
2740  311.#.exe
5544  830.#.exe
1628  755.#.exe
5536  890.#.exe
2460  782.#.exe

Suspicious use of WriteProcessMemory 27 IoCs
description                        pid   Process                                             procid_target
PID 3512 wrote to memory of 3112   3512  0e2d67a033efc098dcdafe159cbd1954_JaffaCakes118.exe  86
PID 3512 wrote to memory of 3112   3512  0e2d67a033efc098dcdafe159cbd1954_JaffaCakes118.exe  86
PID 3512 wrote to memory of 3112   3512  0e2d67a033efc098dcdafe159cbd1954_JaffaCakes118.exe  86
PID 3112 wrote to memory of 3544   3112  478.#.exe                                           87
PID 3112 wrote to memory of 3544   3112  478.#.exe                                           87
PID 3112 wrote to memory of 3544   3112  478.#.exe                                           87
PID 3544 wrote to memory of 2652   3544  188.#.exe                                           88
PID 3544 wrote to memory of 2652   3544  188.#.exe                                           88
PID 3544 wrote to memory of 2652   3544  188.#.exe                                           88
PID 2652 wrote to memory of 3396   2652  238.#.exe                                           89
PID 2652 wrote to memory of 3396   2652  238.#.exe                                           89
PID 2652 wrote to memory of 3396   2652  238.#.exe                                           89
PID 3396 wrote to memory of 2740   3396  346.#.exe                                           90
PID 3396 wrote to memory of 2740   3396  346.#.exe                                           90
PID 3396 wrote to memory of 2740   3396  346.#.exe                                           90
PID 2740 wrote to memory of 5544   2740  311.#.exe                                           93
PID 2740 wrote to memory of 5544   2740  311.#.exe                                           93
PID 2740 wrote to memory of 5544   2740  311.#.exe                                           93
PID 5544 wrote to memory of 1628   5544  830.#.exe                                           95
PID 5544 wrote to memory of 1628   5544  830.#.exe                                           95
PID 5544 wrote to memory of 1628   5544  830.#.exe                                           95
PID 1628 wrote to memory of 5536   1628  755.#.exe                                           96
PID 1628 wrote to memory of 5536   1628  755.#.exe                                           96
PID 1628 wrote to memory of 5536   1628  755.#.exe                                           96
PID 5536 wrote to memory of 2460   5536  890.#.exe                                           97
PID 5536 wrote to memory of 2460   5536  890.#.exe                                           97
PID 5536 wrote to memory of 2460   5536  890.#.exe                                           97
Processes
Process tree; the bracketed number is the nesting level in the tree, each entry being a child of the one above it.

[1] C:\Users\Admin\AppData\Local\Temp\0e2d67a033efc098dcdafe159cbd1954_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0e2d67a033efc098dcdafe159cbd1954_JaffaCakes118.exe"
    PID: 3512
    - Adds Run key to start application
    - Drops file in Program Files directory
    - NTFS ADS
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

[2] C:\Users\Admin\AppData\Local\Temp\478.#.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\478.#.exe
    PID: 3112
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - NTFS ADS
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

[3] C:\Users\Admin\AppData\Local\Temp\188.#.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\188.#.exe
    PID: 3544
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - NTFS ADS
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

[4] C:\Users\Admin\AppData\Local\Temp\238.#.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\238.#.exe
    PID: 2652
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - NTFS ADS
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

[5] C:\Users\Admin\AppData\Local\Temp\346.#.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\346.#.exe
    PID: 3396
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - NTFS ADS
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

[6] C:\Users\Admin\AppData\Local\Temp\311.#.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\311.#.exe
    PID: 2740
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - NTFS ADS
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

[7] C:\Users\Admin\AppData\Local\Temp\830.#.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\830.#.exe
    PID: 5544
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - NTFS ADS
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

[8] C:\Users\Admin\AppData\Local\Temp\755.#.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\755.#.exe
    PID: 1628
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - NTFS ADS
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

[9] C:\Users\Admin\AppData\Local\Temp\890.#.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\890.#.exe
    PID: 5536
    - Executes dropped EXE
    - Adds Run key to start application
    - NTFS ADS
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

[10] C:\Users\Admin\AppData\Local\Temp\782.#.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\782.#.exe
    PID: 2460
    - Executes dropped EXE
    - Adds Run key to start application
    - NTFS ADS
    - Suspicious use of SetWindowsHookEx

[11] C:\Users\Admin\AppData\Local\Temp\60.#.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\60.#.exe
    PID: 544

[12] C:\Users\Admin\AppData\Local\Temp\76.#.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\76.#.exe
    PID: 3260

[13] C:\Users\Admin\AppData\Local\Temp\784.#.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\784.#.exe
    PID: 1016

[14] C:\Users\Admin\AppData\Local\Temp\260.#.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\260.#.exe
    PID: 5504
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 2.6MB
  MD5: 25247dfed133d270a9b33b881794f753
  SHA1: b34a775a94291139d5d6b9b3c2888183e4cdda35
  SHA256: 673abab05e0cd787b43a4068607a472cd214c05a4dea5dd34f2386589674a5f5
  SHA512: b0dc740d7d70a8b8bc1797b6a9eb24e5950dabd1f52a5284a0497e4410df8578dbf3be11de28a7e3113a057c29f28d8b1e659453508b322b3cf038de0651f0cb

- Filesize: 2.9MB
  MD5: 27d123c3706e08a91b21f384ce989ac0
  SHA1: 1dc68a2da337c12249747a7ff1d8ecee4e5d506c
  SHA256: 379aa9c65b41f611101326bd6327ae34d212c037ea146a3c8bc3a63a22201c28
  SHA512: 5f2f92b67b5b6b8cb9d8b5fe0914079ab7af5342380176fd084a8ba6c60b02d29d4d6c0e0283175cea218855c491fa627565b374b81aae09f7306729cb620cbc

- Filesize: 2.5MB
  MD5: 0e2d67a033efc098dcdafe159cbd1954
  SHA1: 0b962240091c3037e25db68e92768bd1119f9c66
  SHA256: 616efc1d1d4a4b50f275dc1de7ea8c17d2d9206038996bd3c23aba87c28f617e
  SHA512: f5dddf1a60096d9f59d0cff146bc11b2509329869ba7fda2604e6c492df3113a6e29703adcb3fe73ff52e1a743d6040df37c2dee9edfbc73a40b066e2929430f