Analysis
-
max time kernel
135s -
max time network
133s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system -
submitted
11/05/2024, 09:10
Behavioral task
behavioral1
Sample
33d509d70645f62cd3dee6ff59d52a91_JaffaCakes118.exe
Resource
win7-20240508-en
General
-
Target
33d509d70645f62cd3dee6ff59d52a91_JaffaCakes118.exe
-
Size
5.6MB
-
MD5
33d509d70645f62cd3dee6ff59d52a91
-
SHA1
162276e5905f99d2c31268c67b9b06b578203cdf
-
SHA256
eac7ae70b5f3519eebef0d2a61c8390295c74bd798774bb75dfc0fcda73a7bab
-
SHA512
60222959003b2b9a96433042f5bcf71a1039a6a7a839e8f4a640c475193f1d4bedb937cb9fa166c570cd29dc61d9ae149da4ebc7af0760223316d060fcd74e1c
-
SSDEEP
98304:09yZmgcCNvuTZLIEIKwLGiVIhIy9vFcdm7M6gBjc5DfdYSP/b0bVuIcPHUdKGIpm:ntuTZ8EIKwLTeKy9XEjcVfdYSHAbVEPm
Malware Config
Signatures
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                                        Process
Key value queried  \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation  33d509d70645f62cd3dee6ff59d52a91_JaffaCakes118.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation  BrowserWorker.exe
-
Executes dropped EXE 2 IoCs
pid   Process
4544  BrowserWorker.exe
4896  Mozillla.exe
-
Loads dropped DLL 3 IoCs
pid   Process
4896  Mozillla.exe
4896  Mozillla.exe
4896  Mozillla.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource                                                                     yara_rule
behavioral2/memory/4416-1-0x00000000007E0000-0x000000000115A000-memory.dmp    vmprotect
behavioral2/memory/4416-7-0x00000000007E0000-0x000000000115A000-memory.dmp    vmprotect
behavioral2/memory/4416-13-0x00000000007E0000-0x000000000115A000-memory.dmp   vmprotect
behavioral2/files/0x0007000000023400-17.dat                                   vmprotect
behavioral2/memory/4544-19-0x0000000000E40000-0x00000000017BA000-memory.dmp   vmprotect
behavioral2/memory/4544-25-0x0000000000E40000-0x00000000017BA000-memory.dmp   vmprotect
behavioral2/memory/4544-65-0x0000000000E40000-0x00000000017BA000-memory.dmp   vmprotect
behavioral2/memory/4544-143-0x0000000000E40000-0x00000000017BA000-memory.dmp  vmprotect
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
flow  ioc
23    bitbucket.org
40    raw.githubusercontent.com
41    raw.githubusercontent.com
20    bitbucket.org
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid   Process
4416  33d509d70645f62cd3dee6ff59d52a91_JaffaCakes118.exe
4544  BrowserWorker.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
pid   Process
2496  timeout.exe
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid   Process
4416  33d509d70645f62cd3dee6ff59d52a91_JaffaCakes118.exe
4416  33d509d70645f62cd3dee6ff59d52a91_JaffaCakes118.exe
4544  BrowserWorker.exe
4544  BrowserWorker.exe
4544  BrowserWorker.exe
4544  BrowserWorker.exe
4544  BrowserWorker.exe
4544  BrowserWorker.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid   Process
4544  BrowserWorker.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description                        pid   Process                                              procid_target
PID 4416 wrote to memory of 2892   4416  33d509d70645f62cd3dee6ff59d52a91_JaffaCakes118.exe   84
PID 4416 wrote to memory of 2892   4416  33d509d70645f62cd3dee6ff59d52a91_JaffaCakes118.exe   84
PID 4416 wrote to memory of 2892   4416  33d509d70645f62cd3dee6ff59d52a91_JaffaCakes118.exe   84
PID 4416 wrote to memory of 4024   4416  33d509d70645f62cd3dee6ff59d52a91_JaffaCakes118.exe   86
PID 4416 wrote to memory of 4024   4416  33d509d70645f62cd3dee6ff59d52a91_JaffaCakes118.exe   86
PID 4416 wrote to memory of 4024   4416  33d509d70645f62cd3dee6ff59d52a91_JaffaCakes118.exe   86
PID 4024 wrote to memory of 3140   4024  cmd.exe                                              89
PID 4024 wrote to memory of 3140   4024  cmd.exe                                              89
PID 4024 wrote to memory of 3140   4024  cmd.exe                                              89
PID 2892 wrote to memory of 4544   2892  cmd.exe                                              88
PID 2892 wrote to memory of 4544   2892  cmd.exe                                              88
PID 2892 wrote to memory of 4544   2892  cmd.exe                                              88
PID 4544 wrote to memory of 4896   4544  BrowserWorker.exe                                    97
PID 4544 wrote to memory of 4896   4544  BrowserWorker.exe                                    97
PID 4544 wrote to memory of 4292   4544  BrowserWorker.exe                                    99
PID 4544 wrote to memory of 4292   4544  BrowserWorker.exe                                    99
PID 4544 wrote to memory of 4292   4544  BrowserWorker.exe                                    99
PID 4544 wrote to memory of 4432   4544  BrowserWorker.exe                                    103
PID 4544 wrote to memory of 4432   4544  BrowserWorker.exe                                    103
PID 4544 wrote to memory of 4432   4544  BrowserWorker.exe                                    103
PID 4544 wrote to memory of 768    4544  BrowserWorker.exe                                    105
PID 4544 wrote to memory of 768    4544  BrowserWorker.exe                                    105
PID 4544 wrote to memory of 768    4544  BrowserWorker.exe                                    105
PID 4544 wrote to memory of 2604   4544  BrowserWorker.exe                                    107
PID 4544 wrote to memory of 2604   4544  BrowserWorker.exe                                    107
PID 4544 wrote to memory of 2604   4544  BrowserWorker.exe                                    107
PID 4544 wrote to memory of 2264   4544  BrowserWorker.exe                                    111
PID 4544 wrote to memory of 2264   4544  BrowserWorker.exe                                    111
PID 4544 wrote to memory of 2264   4544  BrowserWorker.exe                                    111
PID 4544 wrote to memory of 2224   4544  BrowserWorker.exe                                    113
PID 4544 wrote to memory of 2224   4544  BrowserWorker.exe                                    113
PID 4544 wrote to memory of 2224   4544  BrowserWorker.exe                                    113
PID 4544 wrote to memory of 2780   4544  BrowserWorker.exe                                    115
PID 4544 wrote to memory of 2780   4544  BrowserWorker.exe                                    115
PID 4544 wrote to memory of 2780   4544  BrowserWorker.exe                                    115
PID 4544 wrote to memory of 2960   4544  BrowserWorker.exe                                    117
PID 4544 wrote to memory of 2960   4544  BrowserWorker.exe                                    117
PID 4544 wrote to memory of 2960   4544  BrowserWorker.exe                                    117
PID 4544 wrote to memory of 4460   4544  BrowserWorker.exe                                    119
PID 4544 wrote to memory of 4460   4544  BrowserWorker.exe                                    119
PID 4544 wrote to memory of 4460   4544  BrowserWorker.exe                                    119
PID 4544 wrote to memory of 3924   4544  BrowserWorker.exe                                    122
PID 4544 wrote to memory of 3924   4544  BrowserWorker.exe                                    122
PID 4544 wrote to memory of 3924   4544  BrowserWorker.exe                                    122
PID 4544 wrote to memory of 4456   4544  BrowserWorker.exe                                    124
PID 4544 wrote to memory of 4456   4544  BrowserWorker.exe                                    124
PID 4544 wrote to memory of 4456   4544  BrowserWorker.exe                                    124
PID 4544 wrote to memory of 2868   4544  BrowserWorker.exe                                    126
PID 4544 wrote to memory of 2868   4544  BrowserWorker.exe                                    126
PID 4544 wrote to memory of 2868   4544  BrowserWorker.exe                                    126
PID 4544 wrote to memory of 1612   4544  BrowserWorker.exe                                    128
PID 4544 wrote to memory of 1612   4544  BrowserWorker.exe                                    128
PID 4544 wrote to memory of 1612   4544  BrowserWorker.exe                                    128
PID 4544 wrote to memory of 3468   4544  BrowserWorker.exe                                    130
PID 4544 wrote to memory of 3468   4544  BrowserWorker.exe                                    130
PID 4544 wrote to memory of 3468   4544  BrowserWorker.exe                                    130
PID 4544 wrote to memory of 628    4544  BrowserWorker.exe                                    140
PID 4544 wrote to memory of 628    4544  BrowserWorker.exe                                    140
PID 4544 wrote to memory of 628    4544  BrowserWorker.exe                                    140
PID 628 wrote to memory of 2496    628   cmd.exe                                              142
PID 628 wrote to memory of 2496    628   cmd.exe                                              142
PID 628 wrote to memory of 2496    628   cmd.exe                                              142
PID 628 wrote to memory of 768     628   cmd.exe                                              143
PID 628 wrote to memory of 768     628   cmd.exe                                              143
-
Views/modifies file attributes 1 TTPs 2 IoCs
pid   Process
3140  attrib.exe
768   attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\33d509d70645f62cd3dee6ff59d52a91_JaffaCakes118.exe (tree depth 1)
command line: "C:\Users\Admin\AppData\Local\Temp\33d509d70645f62cd3dee6ff59d52a91_JaffaCakes118.exe"
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4416 -
C:\Windows\SysWOW64\cmd.exe (tree depth 2)
command line: "C:\Windows\System32\cmd.exe" /C start C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe (tree depth 3)
command line: C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4544 -
C:\Users\Admin\AppData\Local\Temp\Browser\Mozillla.exe (tree depth 4)
command line: C:\Users\Admin\AppData\Local\Temp//Browser//Mozillla.exe
- Executes dropped EXE
- Loads dropped DLL
PID:4896
-
-
C:\Windows\SysWOW64\cmd.exe (tree depth 4)
command line: "C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Default\Login Data" "%AppData%\..\Local\Google\Chrome\User Data\Default\Login1
PID:4292
-
-
C:\Windows\SysWOW64\cmd.exe (tree depth 4)
command line: "C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Profile 1\Login Data" "%AppData%\..\Local\Google\Chrome\User Data\Profile 1\Login1
PID:4432
-
-
C:\Windows\SysWOW64\cmd.exe (tree depth 4)
command line: "C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Profile 2\Login Data" "%AppData%\..\Local\Google\Chrome\User Data\Profile 2\Login1
PID:768
-
-
C:\Windows\SysWOW64\cmd.exe (tree depth 4)
command line: "C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Profile 3\Login Data" "%AppData%\..\Local\Google\Chrome\User Data\Profile 3\Login1
PID:2604
-
-
C:\Windows\SysWOW64\cmd.exe (tree depth 4)
command line: "C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Profile 4\Login Data" "%AppData%\..\Local\Google\Chrome\User Data\Profile 4\Login1
PID:2264
-
-
C:\Windows\SysWOW64\cmd.exe (tree depth 4)
command line: "C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Profile 5\Login Data" "%AppData%\..\Local\Google\Chrome\User Data\Profile 5\Login1
PID:2224
-
-
C:\Windows\SysWOW64\cmd.exe (tree depth 4)
command line: "C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Guest Profile\Login Data" "%AppData%\..\Local\Google\Chrome\User Data\Guest Profile\Login1
PID:2780
-
-
C:\Windows\SysWOW64\cmd.exe (tree depth 4)
command line: "C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Default\Cookies" "%AppData%\..\Local\Google\Chrome\User Data\Default\Login1
PID:2960
-
-
C:\Windows\SysWOW64\cmd.exe (tree depth 4)
command line: "C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Profile 1\Cookies" "%AppData%\..\Local\Google\Chrome\User Data\Profile 1\Login1
PID:4460
-
-
C:\Windows\SysWOW64\cmd.exe (tree depth 4)
command line: "C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Profile 2\Cookies" "%AppData%\..\Local\Google\Chrome\User Data\Profile 2\Login1
PID:3924
-
-
C:\Windows\SysWOW64\cmd.exe (tree depth 4)
command line: "C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Profile 3\Cookies" "%AppData%\..\Local\Google\Chrome\User Data\Profile 3\Login1
PID:4456
-
-
C:\Windows\SysWOW64\cmd.exe (tree depth 4)
command line: "C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Profile 4\Cookies" "%AppData%\..\Local\Google\Chrome\User Data\Profile 4\Login1
PID:2868
-
-
C:\Windows\SysWOW64\cmd.exe (tree depth 4)
command line: "C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Profile 5\Cookies" "%AppData%\..\Local\Google\Chrome\User Data\Profile 5\Login1
PID:1612
-
-
C:\Windows\SysWOW64\cmd.exe (tree depth 4)
command line: "C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Guest Profile\Cookies" "%AppData%\..\Local\Google\Chrome\User Data\Guest Profile\Login1
PID:3468
-
-
C:\Windows\SysWOW64\cmd.exe (tree depth 4)
command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ipconfig.bat" "
- Suspicious use of WriteProcessMemory
PID:628 -
C:\Windows\SysWOW64\timeout.exe (tree depth 5)
command line: TIMEOUT 3
- Delays execution with timeout.exe
PID:2496
-
-
C:\Windows\SysWOW64\attrib.exe (tree depth 5)
command line: attrib -s -h "C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe"
- Views/modifies file attributes
PID:768
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe (tree depth 2)
command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ipconfig.bat" "
- Suspicious use of WriteProcessMemory
PID:4024 -
C:\Windows\SysWOW64\attrib.exe (tree depth 3)
command line: attrib -s -h "C:\Users\Admin\AppData\Local\Temp\33d509d70645f62cd3dee6ff59d52a91_JaffaCakes118.exe"
- Views/modifies file attributes
PID:3140
-
-
Network
MITRE ATT&CK Enterprise v15
Downloads