Analysis
- max time kernel: 94s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/05/2024, 03:39
Static task: static1

Behavioral task: behavioral1
- Sample: 38107f5b72f9fe6c53d83114476048df_JaffaCakes118.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: 38107f5b72f9fe6c53d83114476048df_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: 38107f5b72f9fe6c53d83114476048df_JaffaCakes118.exe
- Size: 2.1MB
- MD5: 38107f5b72f9fe6c53d83114476048df
- SHA1: bc32e8fc0fe729f28a6b6ec8d1edc1a7490e33d2
- SHA256: bbce5289e5a963841e88f77010848134ba5fb9c1084b7f9533fd170cacee4688
- SHA512: 05c17646eba1cec02b6d6ab20d5d2d4173249c8e3282a48d36de46070817d79fd0c3f86481ea20a4317514b29537cdc9d8a7bda76fee7856a954658d1218dae3
- SSDEEP: 49152:yiqXjFPE6KQaqz5HgrqhPLKqXZj8bTbDyhsotbgJSg79g3Ze7:yzzFM7q1Hg2hP2ouo
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation (Process: 38107f5b72f9fe6c53d83114476048df_JaffaCakes118.exe)

Executes dropped EXE (2 IoCs)
- PID 4988: svchost_ms.exe
- PID 1664: svchost_ms.exe

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in System32 directory (4 IoCs)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 (Process: svchost_ms.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE (Process: svchost_ms.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies (Process: svchost_ms.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 (Process: svchost_ms.exe)

Drops file in Program Files directory (4 IoCs)
- File created: C:\Program Files (x86)\SmartData\svchost_ms.exe (Process: 38107f5b72f9fe6c53d83114476048df_JaffaCakes118.exe)
- File opened for modification: C:\Program Files (x86)\SmartData\svchost_ms.exe (Process: 38107f5b72f9fe6c53d83114476048df_JaffaCakes118.exe)
- File created: C:\Program Files (x86)\SmartData\performer.exe (Process: svchost_ms.exe)
- File opened for modification: C:\Program Files (x86)\SmartData\performer.exe (Process: svchost_ms.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Enumerates system info in registry (2 TTPs, 2 IoCs)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Bios (Process: 38107f5b72f9fe6c53d83114476048df_JaffaCakes118.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (Process: 38107f5b72f9fe6c53d83114476048df_JaffaCakes118.exe)

Modifies data under HKEY_USERS (9 IoCs)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (Process: svchost_ms.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" (Process: svchost_ms.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" (Process: svchost_ms.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing (Process: svchost_ms.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" (Process: svchost_ms.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" (Process: svchost_ms.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" (Process: svchost_ms.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" (Process: svchost_ms.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix (Process: svchost_ms.exe)

Suspicious behavior: EnumeratesProcesses (4 IoCs)
- PID 1580: 38107f5b72f9fe6c53d83114476048df_JaffaCakes118.exe
- PID 1580: 38107f5b72f9fe6c53d83114476048df_JaffaCakes118.exe
- PID 1664: svchost_ms.exe
- PID 1664: svchost_ms.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
- Token: SeTcbPrivilege, PID 1664: svchost_ms.exe

Suspicious use of WriteProcessMemory (9 IoCs)
- PID 1580 wrote to memory of 3116: 38107f5b72f9fe6c53d83114476048df_JaffaCakes118.exe (PID 1580), procid_target 88
- PID 1580 wrote to memory of 3116: 38107f5b72f9fe6c53d83114476048df_JaffaCakes118.exe (PID 1580), procid_target 88
- PID 1580 wrote to memory of 3116: 38107f5b72f9fe6c53d83114476048df_JaffaCakes118.exe (PID 1580), procid_target 88
- PID 3116 wrote to memory of 1948: cmd.exe (PID 3116), procid_target 90
- PID 3116 wrote to memory of 1948: cmd.exe (PID 3116), procid_target 90
- PID 3116 wrote to memory of 1948: cmd.exe (PID 3116), procid_target 90
- PID 3116 wrote to memory of 4988: cmd.exe (PID 3116), procid_target 91
- PID 3116 wrote to memory of 4988: cmd.exe (PID 3116), procid_target 91
- PID 3116 wrote to memory of 4988: cmd.exe (PID 3116), procid_target 91
Processes

- C:\Users\Admin\AppData\Local\Temp\38107f5b72f9fe6c53d83114476048df_JaffaCakes118.exe (PID 1580)
  Command line: "C:\Users\Admin\AppData\Local\Temp\38107f5b72f9fe6c53d83114476048df_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops file in Program Files directory
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 3116)
    Command line: "C:\Windows\System32\cmd.exe" /S /C choice /C Y /N /D Y /T 3 & "C:\Program Files (x86)\SmartData\svchost_ms.exe" /start
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\choice.exe (PID 1948)
      Command line: choice /C Y /N /D Y /T 3
    - C:\Program Files (x86)\SmartData\svchost_ms.exe (PID 4988)
      Command line: "C:\Program Files (x86)\SmartData\svchost_ms.exe" /start
      - Executes dropped EXE

- C:\Program Files (x86)\SmartData\svchost_ms.exe (PID 1664)
  Command line: "C:\Program Files (x86)\SmartData\svchost_ms.exe" /srv
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15