Analysis
  max time kernel:  131s
  max time network: 100s
  platform:         windows10-2004_x64
  resource:         win10v2004-20240419-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        04/05/2024, 03:00
Static task:     static1
Behavioral task: behavioral1
  Sample:   114fdd33396da68a0d2c01031e3fff64_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample:   114fdd33396da68a0d2c01031e3fff64_JaffaCakes118.exe
  Resource: win10v2004-20240419-en
General
  Target: 114fdd33396da68a0d2c01031e3fff64_JaffaCakes118.exe
  Size:   1.5MB
  MD5:    114fdd33396da68a0d2c01031e3fff64
  SHA1:   14e9561ee743a4ab2bfc6c6ada9d075ab33d2ddb
  SHA256: f1741ebea4fc619b1d5bf3777918e1ed8003cfd04d288bc0af5b4ac2d8d2fc1e
  SHA512: 1877bff7572b13782cb4d622f7e9dc14f800e2040ec537ce55d29960f0cfc72f511952438c428758d5c2f3b3eaab72dd0e1a035df09c55b62e7208fc0fa9ac11
  SSDEEP: 24576:OmUxlIUzbjKjOvUYhoxs+lM6Q1zAs1ZLuTdRZc:Efb+jQoxsw1+vLCFc
Malware Config
Signatures
Executes dropped EXE (4 IoCs)
  pid   Process
  1360  wmpscfgs.exe
  3476  wmpscfgs.exe
  5004  wmpscfgs.exe
  4252  wmpscfgs.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                                                      Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader = "c:\\users\\admin\\appdata\\local\\temp\\\\wmpscfgs.exe"  114fdd33396da68a0d2c01031e3fff64_JaffaCakes118.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader = "c:\\users\\admin\\appdata\\local\\temp\\\\wmpscfgs.exe"  wmpscfgs.exe

Drops file in Program Files directory (8 IoCs)
  description                   ioc                                                                   Process
  File created                  \??\c:\program files (x86)\internet explorer\wmpscfgs.exe             114fdd33396da68a0d2c01031e3fff64_JaffaCakes118.exe
  File created                  C:\Program Files (x86)\240614375.dat                                  wmpscfgs.exe
  File created                  \??\c:\program files (x86)\common files\java\java update\jusched.exe  wmpscfgs.exe
  File opened for modification  \??\c:\program files (x86)\adobe\acrotray .exe                        wmpscfgs.exe
  File opened for modification  \??\c:\program files (x86)\adobe\acrotray.exe                         wmpscfgs.exe
  File created                  \??\c:\program files (x86)\common files\java\java update\jusched.exe  114fdd33396da68a0d2c01031e3fff64_JaffaCakes118.exe
  File created                  \??\c:\program files (x86)\adobe\acrotray .exe                        114fdd33396da68a0d2c01031e3fff64_JaffaCakes118.exe
  File created                  \??\c:\program files (x86)\adobe\acrotray.exe                         114fdd33396da68a0d2c01031e3fff64_JaffaCakes118.exe
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid   Process
  2992  114fdd33396da68a0d2c01031e3fff64_JaffaCakes118.exe
  2992  114fdd33396da68a0d2c01031e3fff64_JaffaCakes118.exe
  3476  wmpscfgs.exe
  3476  wmpscfgs.exe
  3476  wmpscfgs.exe
  3476  wmpscfgs.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2992  114fdd33396da68a0d2c01031e3fff64_JaffaCakes118.exe
  Token: SeDebugPrivilege  3476  wmpscfgs.exe
  Token: SeDebugPrivilege  1360  wmpscfgs.exe
  Token: SeDebugPrivilege  5004  wmpscfgs.exe
  Token: SeDebugPrivilege  4252  wmpscfgs.exe

Suspicious use of FindShellTrayWindow (3 IoCs)
  pid  Process
  920  iexplore.exe
  920  iexplore.exe
  920  iexplore.exe

Suspicious use of SetWindowsHookEx (12 IoCs)
  pid   Process
  920   iexplore.exe
  920   iexplore.exe
  2720  IEXPLORE.EXE
  2720  IEXPLORE.EXE
  920   iexplore.exe
  920   iexplore.exe
  1408  IEXPLORE.EXE
  1408  IEXPLORE.EXE
  920   iexplore.exe
  920   iexplore.exe
  1704  IEXPLORE.EXE
  1704  IEXPLORE.EXE

Suspicious use of WriteProcessMemory (21 IoCs)
  description                       pid   Process                                             procid_target
  PID 2992 wrote to memory of 1360  2992  114fdd33396da68a0d2c01031e3fff64_JaffaCakes118.exe  89
  PID 2992 wrote to memory of 1360  2992  114fdd33396da68a0d2c01031e3fff64_JaffaCakes118.exe  89
  PID 2992 wrote to memory of 1360  2992  114fdd33396da68a0d2c01031e3fff64_JaffaCakes118.exe  89
  PID 2992 wrote to memory of 3476  2992  114fdd33396da68a0d2c01031e3fff64_JaffaCakes118.exe  90
  PID 2992 wrote to memory of 3476  2992  114fdd33396da68a0d2c01031e3fff64_JaffaCakes118.exe  90
  PID 2992 wrote to memory of 3476  2992  114fdd33396da68a0d2c01031e3fff64_JaffaCakes118.exe  90
  PID 3476 wrote to memory of 5004  3476  wmpscfgs.exe                                        99
  PID 3476 wrote to memory of 5004  3476  wmpscfgs.exe                                        99
  PID 3476 wrote to memory of 5004  3476  wmpscfgs.exe                                        99
  PID 3476 wrote to memory of 4252  3476  wmpscfgs.exe                                        100
  PID 3476 wrote to memory of 4252  3476  wmpscfgs.exe                                        100
  PID 3476 wrote to memory of 4252  3476  wmpscfgs.exe                                        100
  PID 920 wrote to memory of 2720   920   iexplore.exe                                        103
  PID 920 wrote to memory of 2720   920   iexplore.exe                                        103
  PID 920 wrote to memory of 2720   920   iexplore.exe                                        103
  PID 920 wrote to memory of 1408   920   iexplore.exe                                        106
  PID 920 wrote to memory of 1408   920   iexplore.exe                                        106
  PID 920 wrote to memory of 1408   920   iexplore.exe                                        106
  PID 920 wrote to memory of 1704   920   iexplore.exe                                        107
  PID 920 wrote to memory of 1704   920   iexplore.exe                                        107
  PID 920 wrote to memory of 1704   920   iexplore.exe                                        107
Processes
C:\Users\Admin\AppData\Local\Temp\114fdd33396da68a0d2c01031e3fff64_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\114fdd33396da68a0d2c01031e3fff64_JaffaCakes118.exe"
  PID: 2992
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
      Command line: c:\users\admin\appdata\local\temp\\wmpscfgs.exe
      PID: 1360
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

    C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
      Command line: C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
      PID: 3476
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
          Command line: c:\users\admin\appdata\local\temp\\wmpscfgs.exe
          PID: 5004
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken

        C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
          Command line: C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
          PID: 4252
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
  Command line: "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
  PID: 3060

C:\Program Files\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
  PID: 920
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:920 CREDAT:17410 /prefetch:2
      PID: 2720
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx

    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:920 CREDAT:17416 /prefetch:2
      PID: 1408
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx

    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:920 CREDAT:17424 /prefetch:2
      PID: 1704
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads