Analysis
max time kernel: 150s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/05/2024, 08:55
Behavioral task behavioral1
Sample: 33c6eece234f9df57b521c3a87e29c18_JaffaCakes118.exe
Resource: win7-20240221-en

Behavioral task behavioral2
Sample: 33c6eece234f9df57b521c3a87e29c18_JaffaCakes118.exe
Resource: win10v2004-20240508-en
General
Target: 33c6eece234f9df57b521c3a87e29c18_JaffaCakes118.exe
Size: 28KB
MD5: 33c6eece234f9df57b521c3a87e29c18
SHA1: db9ad2a6713dc1c7d1e933187a36069e9714a72d
SHA256: cc72aae5e6ecc4b70ef09416f09670000db292c8b5adf2737f1b22cb9a2da1cd
SHA512: bc633b4d40621a48919298421a931668574a175768518e1aee71a90a59362ea969f77315305687cbcc8cf8e8abcdb44742884d3012691e708f84d4a5707baa19
SSDEEP: 384:zR0jSNdYhRV09hTlqJM3ZFlUxxLb7FQTE8sPspcW9ceKIlkeFVbsxGlOJUKcrurt:uIOMZJER20IGeTbsxGU/5g0Lj1Abq
Malware Config
Signatures

Modifies Windows Firewall (2 TTPs, 1 IoC)
  pid 1536  netsh.exe
  The dropped payload spawns netsh to whitelist itself in the host firewall (see the command line under Processes), so later outbound or listening connections from system.exe will not be blocked.

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation  (33c6eece234f9df57b521c3a87e29c18_JaffaCakes118.exe)
  The query comes from the original dropper, before system.exe is started; a sample that gates execution on this value may behave differently under a locale other than en-us.

Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dae31c02cb06222e776b9ccb9207edb1.exe  (system.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dae31c02cb06222e776b9ccb9207edb1.exe  (system.exe)

Executes dropped EXE (1 IoC)
  pid 2564  system.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dae31c02cb06222e776b9ccb9207edb1 = "C:\Users\Admin\AppData\Roaming\system.exe" ..  (system.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dae31c02cb06222e776b9ccb9207edb1 = "C:\Users\Admin\AppData\Roaming\system.exe" ..  (system.exe)
  The same value name (dae31c02cb06222e776b9ccb9207edb1) is used for both Run keys and for the Startup-folder copy, giving three independent autostart paths. The HKLM write lands under WOW6432Node because system.exe is a 32-bit process on an x64 guest, and the command line carries a trailing " .." argument.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (48 IoCs)
  pid 2564  system.exe  (48 occurrences)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege  pid 2564  system.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 2928 (33c6eece234f9df57b521c3a87e29c18_JaffaCakes118.exe) wrote to memory of 2564, procid_target 83, 3 times
  PID 2564 (system.exe) wrote to memory of 1536, procid_target 84, 3 times
  Each triplet is a parent writing into a child it has just created, which is what the hook records during ordinary process creation; on its own this does not indicate injection into a foreign process.
Processes

1. C:\Users\Admin\AppData\Local\Temp\33c6eece234f9df57b521c3a87e29c18_JaffaCakes118.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\33c6eece234f9df57b521c3a87e29c18_JaffaCakes118.exe"
   PID: 2928
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\system.exe
      command line: "C:\Users\Admin\AppData\Roaming\system.exe"
      PID: 2564
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\netsh.exe
         command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\system.exe" "system.exe" ENABLE
         PID: 1536
         - Modifies Windows Firewall
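The signatures and process tree above describe one chain: a dropper writes system.exe into AppData\Roaming, the dropped file registers itself under both Run keys and the Startup folder, then spawns netsh to add a firewall exception. The following detector is an added example, not part of the tria.ge report and not code from the sample; it runs the corresponding rules over events constructed to mirror the report's IoCs and correlates them per process. The event schema (kind / pid / ppid / image / target / value) is a hypothetical normalised form: "proc_create", "file_create" and "reg_set" carry what Sysmon event IDs 1, 11 and 13 provide, while "reg_query" exists only in a sandbox or API trace, since Sysmon does not log registry reads.

```python
"""Added example, not part of the tria.ge report or the sample: detect the
persistence chain shown in the report (Run key pointing into the user
profile, Startup-folder drop, netsh firewall exception) and credit the
firewall change to the process that spawned netsh.

Event schema is hypothetical: kind / pid / ppid / image / target / value.
"""
import re
from collections import defaultdict

# Run value under HKCU or HKLM (the WOW6432Node view in the report included).
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
# Executable written into the per-user Startup folder.
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.I)
# Autostart target living in the user profile rather than Program Files.
USER_PROFILE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.I)
# Legacy "netsh firewall" context as used by this sample; the newer
# "netsh advfirewall firewall add rule" form would need its own pattern.
NETSH_ALLOW = re.compile(r'netsh(\.exe)?"?\s+firewall\s+add\s+allowedprogram', re.I)
# Registry read behind the "Checks computer location settings" signature.
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)

SID = "S-1-5-21-1337824034-2731376981-3755436523-1000"  # user SID from the report
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\33c6eece234f9df57b521c3a87e29c18_JaffaCakes118.exe"
PAYLOAD = r"C:\Users\Admin\AppData\Roaming\system.exe"

# Constructed events (not a captured trace); values copy the report's IoCs.
SAMPLE_EVENTS = [
    {"kind": "reg_query", "pid": 2928, "ppid": 0, "image": DROPPER,
     "target": rf"\REGISTRY\USER\{SID}\Control Panel\International\Geo\Nation"},
    {"kind": "proc_create", "pid": 2564, "ppid": 2928, "image": PAYLOAD,
     "value": f'"{PAYLOAD}"'},
    {"kind": "file_create", "pid": 2564, "ppid": 2928, "image": PAYLOAD,
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu"
               r"\Programs\Startup\dae31c02cb06222e776b9ccb9207edb1.exe"},
    {"kind": "reg_set", "pid": 2564, "ppid": 2928, "image": PAYLOAD,
     "target": rf"\REGISTRY\USER\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion"
               r"\Run\dae31c02cb06222e776b9ccb9207edb1",
     "value": f'"{PAYLOAD}" ..'},
    {"kind": "reg_set", "pid": 2564, "ppid": 2928, "image": PAYLOAD,
     "target": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows"
               r"\CurrentVersion\Run\dae31c02cb06222e776b9ccb9207edb1",
     "value": f'"{PAYLOAD}" ..'},
    {"kind": "proc_create", "pid": 1536, "ppid": 2564,
     "image": r"C:\Windows\SysWOW64\netsh.exe",
     "value": f'netsh firewall add allowedprogram "{PAYLOAD}" "system.exe" ENABLE'},
    # Benign control (constructed): an installer registering an updater under
    # Program Files. It touches a Run key but must not fire the rule.
    {"kind": "reg_set", "pid": 4100, "ppid": 900, "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r'"C:\Program Files\Vendor\updater.exe" /background'},
]


def rules_for(ev):
    """Return the rule names one event matches (empty list when benign)."""
    kind = ev["kind"]
    target, value = ev.get("target", ""), ev.get("value", "")
    hits = []
    if kind == "reg_set" and RUN_KEY.search(target) and USER_PROFILE.search(value):
        hits.append("run_key_user_profile")
    if kind == "file_create" and STARTUP_DIR.search(target):
        hits.append("startup_folder_drop")
    if kind == "proc_create" and NETSH_ALLOW.search(value):
        hits.append("netsh_allowedprogram")
    if kind == "reg_query" and GEO_NATION.search(target):
        hits.append("geo_nation_check")
    return hits


def correlate(events):
    """Group hits by the persisting process, crediting netsh to its parent.

    Returns {pid: (verdict, sorted rule names)}. The verdict is
    "persistence_chain" only when the Run key, the Startup drop and the
    firewall exception all trace back to the same process.
    """
    parent = {ev["pid"]: ev["ppid"] for ev in events if ev["kind"] == "proc_create"}
    per_proc = defaultdict(set)
    for ev in events:
        for rule in rules_for(ev):
            pid = ev["pid"]
            if rule == "netsh_allowedprogram":
                pid = parent.get(pid, pid)  # the child netsh acts for its parent
            per_proc[pid].add(rule)
    chain = {"run_key_user_profile", "startup_folder_drop", "netsh_allowedprogram"}
    return {pid: ("persistence_chain" if chain <= rules else "partial", sorted(rules))
            for pid, rules in per_proc.items()}


if __name__ == "__main__":
    for pid, (verdict, rules) in correlate(SAMPLE_EVENTS).items():
        print(pid, verdict, ", ".join(rules))
```

Run stand-alone it reports PID 2564 as a full persistence chain and PID 2928 as partial (only the Geo\Nation read), while the constructed msiexec event produces nothing because its Run value points under Program Files. Two caveats for hunting on real hosts: the Geo\Nation lookup is a registry read and will not appear in Sysmon, so that indicator is sandbox-only; and the legacy netsh firewall context this sample uses is deprecated in favour of netsh advfirewall firewall but still accepted, so a production rule should match both forms.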
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)