Analysis
-
max time kernel: 137s
max time network: 141s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/05/2024, 01:49
Static task: static1
Behavioral task: behavioral1
  Sample: 5c90c2d366dcbf9b19e7ec312c90e6ea_JaffaCakes118.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: 5c90c2d366dcbf9b19e7ec312c90e6ea_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
-
Target: 5c90c2d366dcbf9b19e7ec312c90e6ea_JaffaCakes118.exe
Size: 1.1MB
MD5: 5c90c2d366dcbf9b19e7ec312c90e6ea
SHA1: 02ca768c4bbe0b6828ea6f393096b67b2e376f79
SHA256: 9e9e60d80f1c3bf4ce1dcaf11e2e4ac4f25ab26021fbe05dc3d575664060bb6b
SHA512: f171b2d4d8718f1f96b649bcb40a1ae18b20df5eb34bb8b31465ab4e3113b6dfeb51a9be2bfc9300e3d28d80d097a6f4d0314cf353bb40294249487fd4a23349
SSDEEP: 12288:HsM+aTA3c+FK1vrlVYBVignBtZnfVq4cz1i5pP9kPQye:MV4W8hqBYgnBLfVqx1Wjkf
Malware Config
Signatures
-
Checks computer location settings 2 TTPs, 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | 5c90c2d366dcbf9b19e7ec312c90e6ea_JaffaCakes118.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31107671" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4198989770" | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{5A98CFC5-962A-44F9-AF9F-2CCA1D0F8A08}\URL = "http://search.searchyff.com/s?source=googledisplay-bb8&uid=74fecd23-8cd9-4e24-a9d1-7396d60e6dc6&uc=20180116&ap=appfocus5&i_id=forms__1.30&query={searchTerms}" | 5c90c2d366dcbf9b19e7ec312c90e6ea_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{5A98CFC5-962A-44F9-AF9F-2CCA1D0F8A08}\SuggestionsURL = "https://ie.search.yahoo.com/os?appid=ie8&command={searchTerms}" | 5c90c2d366dcbf9b19e7ec312c90e6ea_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31107671" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31107671" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{25CAE14B-164B-11EF-A084-6E6D447F5FDC} = "0" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{5A98CFC5-962A-44F9-AF9F-2CCA1D0F8A08} | 5c90c2d366dcbf9b19e7ec312c90e6ea_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1" | 5c90c2d366dcbf9b19e7ec312c90e6ea_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4197114886" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4197114886" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\ | 5c90c2d366dcbf9b19e7ec312c90e6ea_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{5A98CFC5-962A-44F9-AF9F-2CCA1D0F8A08}" | 5c90c2d366dcbf9b19e7ec312c90e6ea_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422934723" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{5A98CFC5-962A-44F9-AF9F-2CCA1D0F8A08}\DisplayName = "Search" | 5c90c2d366dcbf9b19e7ec312c90e6ea_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\GPU | IEXPLORE.EXE
-
Modifies Internet Explorer start page 1 TTPs, 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://search.searchyff.com/?source=googledisplay-bb8&uid=74fecd23-8cd9-4e24-a9d1-7396d60e6dc6&uc=20180116&ap=appfocus5&i_id=forms__1.30" | 5c90c2d366dcbf9b19e7ec312c90e6ea_JaffaCakes118.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
1980 | IEXPLORE.EXE
-
Suspicious use of SetWindowsHookEx 6 IoCs
pid | Process
1980 | IEXPLORE.EXE
1980 | IEXPLORE.EXE
3240 | IEXPLORE.EXE
3240 | IEXPLORE.EXE
3240 | IEXPLORE.EXE
3240 | IEXPLORE.EXE
-
Suspicious use of WriteProcessMemory 5 IoCs
description | pid | Process | procid_target
PID 2852 wrote to memory of 1980 | 2852 | 5c90c2d366dcbf9b19e7ec312c90e6ea_JaffaCakes118.exe | 84
PID 2852 wrote to memory of 1980 | 2852 | 5c90c2d366dcbf9b19e7ec312c90e6ea_JaffaCakes118.exe | 84
PID 1980 wrote to memory of 3240 | 1980 | IEXPLORE.EXE | 86
PID 1980 wrote to memory of 3240 | 1980 | IEXPLORE.EXE | 86
PID 1980 wrote to memory of 3240 | 1980 | IEXPLORE.EXE | 86
Processes
-
C:\Users\Admin\AppData\Local\Temp\5c90c2d366dcbf9b19e7ec312c90e6ea_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5c90c2d366dcbf9b19e7ec312c90e6ea_JaffaCakes118.exe"
  PID: 2852
  - Checks computer location settings
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Suspicious use of WriteProcessMemory
  C:\Program Files\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -noframemerging
    PID: 1980
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1980 CREDAT:17410 /prefetch:2
      PID: 3240
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
-
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize: 471B
MD5: 50beaeb29c1828aa58b55057a8017095
SHA1: 307492f413ef87df41277ca164eea78626e75381
SHA256: 18d22ed4722a234c4d0213522c955b6e447564401621c1ba843f2a91ce4a3492
SHA512: 9ef69f048bcdfa7b18c192977d15ec6477748cc697bbed97ab5ae1a3b1871d7d06613011b310eecd2bc32512d80214cb0784a1d9b6f9dd766367ef593fedaccb
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize: 404B
MD5: 54be854014b9c40c4095697062d5f5b6
SHA1: 827c50d250ad95b622045ebcbd625c6e40b447a8
SHA256: 650f035bfa7052ddf65f4bf5d10819713a355a0eda7151f525b400ede6dc001e
SHA512: 690d672b74a03250fcadb1df57ca96a009cf1f4423f437606ca5f07d3212781e24b0cca030c700b5aab49b8c77b3c6c2a09058db0942829d3daef72fb202e561
-
Filesize: 17KB
MD5: 5a34cb996293fde2cb7a4ac89587393a
SHA1: 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256: c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512: e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee