Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
11/06/2024, 14:39
Behavioral task
behavioral1
Sample
9e89ec8a6d7a50e4f9a68a7ed90f0eea_JaffaCakes118.exe
Resource
win7-20240215-en
General
-
Target
9e89ec8a6d7a50e4f9a68a7ed90f0eea_JaffaCakes118.exe
-
Size
3.3MB
-
MD5
9e89ec8a6d7a50e4f9a68a7ed90f0eea
-
SHA1
286fafe21eb3232d42ac63f4220dbc1c281944c2
-
SHA256
978cd9073207975e6dd535e34b59014de4eb4db0d54fd67d2d8a355e5df7458b
-
SHA512
67f782c6b7c946d5dfcfb06dc1bd262d4f491aa092b2d0fabeda2dadebbbf96b22e7152ad93242943d27ec79ca5cd62ddb21a18f926a6d7b419704641c5c5b3b
-
SSDEEP
98304:xQMV6QGLZdQfePhCko9qE4S473zOEcEe0e:xZ4QGF4Bz473y
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 9e89ec8a6d7a50e4f9a68a7ed90f0eea_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 9e89ec8a6d7a50e4f9a68a7ed90f0eea_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 9e89ec8a6d7a50e4f9a68a7ed90f0eea_JaffaCakes118.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 9e89ec8a6d7a50e4f9a68a7ed90f0eea_JaffaCakes118.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 9e89ec8a6d7a50e4f9a68a7ed90f0eea_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 9e89ec8a6d7a50e4f9a68a7ed90f0eea_JaffaCakes118.exe -
resource yara_rule behavioral2/memory/3032-29-0x00000000005F0000-0x0000000000EAE000-memory.dmp themida -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 9e89ec8a6d7a50e4f9a68a7ed90f0eea_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 9e89ec8a6d7a50e4f9a68a7ed90f0eea_JaffaCakes118.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 3 checkip.dyndns.org -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 3032 9e89ec8a6d7a50e4f9a68a7ed90f0eea_JaffaCakes118.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz dw20.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString dw20.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 dw20.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS dw20.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU dw20.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeDebugPrivilege 3032 9e89ec8a6d7a50e4f9a68a7ed90f0eea_JaffaCakes118.exe Token: SeRestorePrivilege 3148 dw20.exe Token: SeBackupPrivilege 3148 dw20.exe Token: SeBackupPrivilege 3148 dw20.exe Token: SeBackupPrivilege 3148 dw20.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 3032 wrote to memory of 3148 3032 9e89ec8a6d7a50e4f9a68a7ed90f0eea_JaffaCakes118.exe 89 PID 3032 wrote to memory of 3148 3032 9e89ec8a6d7a50e4f9a68a7ed90f0eea_JaffaCakes118.exe 89 PID 3032 wrote to memory of 3148 3032 9e89ec8a6d7a50e4f9a68a7ed90f0eea_JaffaCakes118.exe 89 -
System policy modification 1 TTPs 4 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSmartScreen = "0" 9e89ec8a6d7a50e4f9a68a7ed90f0eea_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 9e89ec8a6d7a50e4f9a68a7ed90f0eea_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 9e89ec8a6d7a50e4f9a68a7ed90f0eea_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 9e89ec8a6d7a50e4f9a68a7ed90f0eea_JaffaCakes118.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\9e89ec8a6d7a50e4f9a68a7ed90f0eea_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\9e89ec8a6d7a50e4f9a68a7ed90f0eea_JaffaCakes118.exe"1⤵
- UAC bypass
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3032 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exedw20.exe -x -s 16882⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:3148
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Virtualization/Sandbox Evasion
1