Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
93s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
27/05/2024, 07:27
Static task
static1
Behavioral task
behavioral1
Sample
785a5956f9670ab2f02920ba15d02bf4_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
785a5956f9670ab2f02920ba15d02bf4_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
785a5956f9670ab2f02920ba15d02bf4_JaffaCakes118.exe
-
Size
1.1MB
-
MD5
785a5956f9670ab2f02920ba15d02bf4
-
SHA1
0527b0936e8ee7f5c6da3e425619d1b8c2b7d3e1
-
SHA256
d3ab6b282cdc39a2dfeee1762e4ff77208b76821954262759724695bcd939d00
-
SHA512
737bb76d941d1b30d1288cff32039e07980fc0a8df73e1e05ece4a6d11a6ef0fbda0be97823f6c38bb88f3669b696c14a90d3ee5322040476d0cb523502f4c92
-
SSDEEP
12288:PsM+aTA3c+FK1vrlVYBVignBtZnfVq4cz1i5pP9kPQq:0V4W8hqBYgnBLfVqx1WjkX
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation 785a5956f9670ab2f02920ba15d02bf4_JaffaCakes118.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{5074700E-3E72-47B1-AB78-E1D7CEA11D41}\URL = "http://search.searchlen.com/s?source=Bing-bb8&uid=3d18b65a-f7a2-4d0a-92a3-8486931ea973&uc=20180115&ap=appfocus29&i_id=email__1.30&query={searchTerms}" 785a5956f9670ab2f02920ba15d02bf4_JaffaCakes118.exe Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2035656227" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2035656227" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31109127" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\DomainSuggestion IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{5074700E-3E72-47B1-AB78-E1D7CEA11D41}\SuggestionsURL = "https://ie.search.yahoo.com/os?appid=ie8&command={searchTerms}" 785a5956f9670ab2f02920ba15d02bf4_JaffaCakes118.exe Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\GPU IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2037062562" IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{5074700E-3E72-47B1-AB78-E1D7CEA11D41}\DisplayName = "Search" 785a5956f9670ab2f02920ba15d02bf4_JaffaCakes118.exe Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{5074700E-3E72-47B1-AB78-E1D7CEA11D41}" 785a5956f9670ab2f02920ba15d02bf4_JaffaCakes118.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{A4EE7C61-1BFA-11EF-BA70-5AA21198C1D4} = "0" IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423559854" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31109127" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\ 785a5956f9670ab2f02920ba15d02bf4_JaffaCakes118.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{5074700E-3E72-47B1-AB78-E1D7CEA11D41} 785a5956f9670ab2f02920ba15d02bf4_JaffaCakes118.exe Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1" 785a5956f9670ab2f02920ba15d02bf4_JaffaCakes118.exe Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31109127" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ IEXPLORE.EXE -
Modifies Internet Explorer start page 1 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://search.searchlen.com/?source=Bing-bb8&uid=3d18b65a-f7a2-4d0a-92a3-8486931ea973&uc=20180115&ap=appfocus29&i_id=email__1.30" 785a5956f9670ab2f02920ba15d02bf4_JaffaCakes118.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 3864 IEXPLORE.EXE -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 3864 IEXPLORE.EXE 3864 IEXPLORE.EXE 2308 IEXPLORE.EXE 2308 IEXPLORE.EXE 2308 IEXPLORE.EXE 2308 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 5072 wrote to memory of 3864 5072 785a5956f9670ab2f02920ba15d02bf4_JaffaCakes118.exe 82 PID 5072 wrote to memory of 3864 5072 785a5956f9670ab2f02920ba15d02bf4_JaffaCakes118.exe 82 PID 3864 wrote to memory of 2308 3864 IEXPLORE.EXE 84 PID 3864 wrote to memory of 2308 3864 IEXPLORE.EXE 84 PID 3864 wrote to memory of 2308 3864 IEXPLORE.EXE 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\785a5956f9670ab2f02920ba15d02bf4_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\785a5956f9670ab2f02920ba15d02bf4_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious use of WriteProcessMemory
PID:5072 -
C:\Program Files\Internet Explorer\IEXPLORE.EXE"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -noframemerging2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3864 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3864 CREDAT:17410 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2308
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize471B
MD590e9c891fdbc30c47adf44608d1e62a3
SHA1a41e884afa528048ccec4b6a6692e164ab684553
SHA2564353c8e772765f9f44b5b51678d48e558f5c3ef3b2ff2a04d3fcfecf47540619
SHA512e5b5d33b716d805f64030db6f9d60cab1aea1a5425f2a3830bcee402d0a42e8c2f5392df37c2662f10a96a3e375c7ae67afdfdfedcc027d40c66ffd18dd47e53
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize404B
MD500fec696c4b945d4aa1c474d8c735db5
SHA1206301060e17d6c26961b705722aeeb4c1bd35cc
SHA256dff603baa98c0191a83af903aa292b2598b0628cf3b497907dce0fc38857244e
SHA512f9c12df0fc64ef3df719a0363d555781b395f52b40a857f3367cfadd5fb0fe8d7156d0333bb815724482c2d660bdcb82ebdf665987df7662b661d0ebc1a2b006
-
Filesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee