Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
12/05/2024, 01:43
Static task
static1
Behavioral task
behavioral1
Sample
379847785abeea923114164226c6cf4e_JaffaCakes118.exe
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
379847785abeea923114164226c6cf4e_JaffaCakes118.exe
Resource
win10v2004-20240426-en
General
-
Target
379847785abeea923114164226c6cf4e_JaffaCakes118.exe
-
Size
1.3MB
-
MD5
379847785abeea923114164226c6cf4e
-
SHA1
d2367dc56236f8032d66f7081b36aa3a1636b04f
-
SHA256
9d76e784547306757ca91d82b58d6ab9dab3708de0c1c08124970f0c20429b8f
-
SHA512
e3aea21ae7d8ab018d5dc795754947bee454cbc7bf48df2dff17e385b2b0a75a68a07c892e15bd9b4ec6b44b0e253a7515dc87245ed3aaba837dedf368b90472
-
SSDEEP
12288:jiLJ5i7sJXx0douBjhCCAYi8c1i6oaeNSoeDlHsg+2Vasj0eqV:OspfjxAf8c46oaKeD5l+25j0tV
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation 379847785abeea923114164226c6cf4e_JaffaCakes118.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31106061" IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{140D4150-801E-4A3C-BEFE-03DF73A2AAB4}\SuggestionsURL = "https://ie.search.yahoo.com/os?appid=ie8&command={searchTerms}" 379847785abeea923114164226c6cf4e_JaffaCakes118.exe Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1" 379847785abeea923114164226c6cf4e_JaffaCakes118.exe Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3796598239" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422243193" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\ 379847785abeea923114164226c6cf4e_JaffaCakes118.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3796598239" IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3797692024" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Microsoft\Internet Explorer\DomainSuggestion IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{140D4150-801E-4A3C-BEFE-03DF73A2AAB4} 379847785abeea923114164226c6cf4e_JaffaCakes118.exe Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{0DDACB09-1001-11EF-8FD7-DA40134A5F51} = "0" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{140D4150-801E-4A3C-BEFE-03DF73A2AAB4}\URL = "http://search.hofficeworksuite.com/s?source=d-lp0&uc=20180627&uid=d09b85a1-592c-444d-9d50-6581b45dfa7f&i_id=office__1.30&ap=appfocus1&query={searchTerms}" 379847785abeea923114164226c6cf4e_JaffaCakes118.exe Set value (data) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3797692024" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31106061" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31106061" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{140D4150-801E-4A3C-BEFE-03DF73A2AAB4}" 379847785abeea923114164226c6cf4e_JaffaCakes118.exe Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Microsoft\Internet Explorer\GPU IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31106061" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{140D4150-801E-4A3C-BEFE-03DF73A2AAB4}\DisplayName = "Search" 379847785abeea923114164226c6cf4e_JaffaCakes118.exe Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ IEXPLORE.EXE -
Modifies Internet Explorer start page 1 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://search.hofficeworksuite.com/?source=d-lp0&uc=20180627&uid=d09b85a1-592c-444d-9d50-6581b45dfa7f&i_id=office__1.30&ap=appfocus1" 379847785abeea923114164226c6cf4e_JaffaCakes118.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 5128 IEXPLORE.EXE -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 5128 IEXPLORE.EXE 5128 IEXPLORE.EXE 940 IEXPLORE.EXE 940 IEXPLORE.EXE 940 IEXPLORE.EXE 940 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 2072 wrote to memory of 5128 2072 379847785abeea923114164226c6cf4e_JaffaCakes118.exe 82 PID 2072 wrote to memory of 5128 2072 379847785abeea923114164226c6cf4e_JaffaCakes118.exe 82 PID 5128 wrote to memory of 940 5128 IEXPLORE.EXE 84 PID 5128 wrote to memory of 940 5128 IEXPLORE.EXE 84 PID 5128 wrote to memory of 940 5128 IEXPLORE.EXE 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\379847785abeea923114164226c6cf4e_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\379847785abeea923114164226c6cf4e_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Program Files\Internet Explorer\IEXPLORE.EXE"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -noframemerging2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5128 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5128 CREDAT:17410 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:940
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize471B
MD5344899c4c1f467827fa9e0f8fd04aa66
SHA117a4fd13324774f32c0c09077ca4e259a1bba84a
SHA25648625a75fe2abf7daa4c12fc47b318b04e990cb6713ba839965b28fd03bd1bf1
SHA512249bbd06a50616622dc8f927f3c8b5fd814d72cbb68fac0ac4cc582b6ac5ee06115f3a7a6c83826b02d6224207050d2d109d15b65456974bcf0b00d802e6c6b5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize404B
MD502e69dcc6e8add22c713c1394ec60889
SHA1e4cda86effaeeb823ed0b3a7f99cf4746e860e58
SHA256a17f3dff05a5da8300c13c1f41913651b495c864bf151e011fcc72eb2e826a06
SHA512eb4f0b74142f014285201dcc5a6e8765fd8dd3ed4c1e28cad08ea01b0499e7f6700646c7ec7c6d6222a75a504d54277cf3204bcb46eac964a3cfa43acd318796
-
Filesize
15KB
MD51a545d0052b581fbb2ab4c52133846bc
SHA162f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d
-
Filesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee