Analysis
- max time kernel: 141s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
- submitted: 14/06/2024, 09:00
Static task: static1
Behavioral task: behavioral1
- Sample: a8db020bc02e6fbcaac5aeb301cdc38e_JaffaCakes118.vbs
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: a8db020bc02e6fbcaac5aeb301cdc38e_JaffaCakes118.vbs
- Resource: win10v2004-20240226-en
General
- Target: a8db020bc02e6fbcaac5aeb301cdc38e_JaffaCakes118.vbs
- Size: 497KB
- MD5: a8db020bc02e6fbcaac5aeb301cdc38e
- SHA1: db5088a363771d518572fdf0e9b4c62f70314251
- SHA256: 1816a9023320b892c54fc1abdc4ba3177ae9ecee4f145efa71d290b357eb1061
- SHA512: 50eb95130a192ef4c622007cf6075bbbdcddd80b81298136c9f1ccaecf7e2b8f71474e3d2a5de178e81b9a76a54edb1d65a7951992db4c240590f50ed88e7a9b
- SSDEEP: 384:WRWRQ2wCLNka39k5/8xd9f3K2qIVT4CzztUakZN7llfR:lRMo39k5kxvf3K2LVrtUnR
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | WScript.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | WScript.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  792 | MSBuild.exe
- Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
  File opened for modification | C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
  Note the literal %AppData% inside a System32 path: the variable was not expanded, so the path resolved relative to the working directory, and the file is the standard Windows PowerShell Start Menu shortcut. Weight this hit accordingly.
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 2484 set thread context of 792 | 2484 | powershell.exe | 117
  powershell.exe (2484) also wrote to the memory of MSBuild.exe (792) eight times (WriteProcessMemory, below) before setting its thread context: the process-hollowing pattern, with the dropped MSBuild.exe as the host process.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  4764 | schtasks.exe
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid | Process
  2644 | EXCEL.EXE
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid | Process
  2484 | powershell.exe (3 calls)
  5020 | powershell.exe (3 calls)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2484 | powershell.exe
  Token: SeDebugPrivilege | 5020 | powershell.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid | Process
  2644 | EXCEL.EXE (2 calls)
- Suspicious use of SetWindowsHookEx (13 IoCs)
  pid | Process
  2644 | EXCEL.EXE (13 calls)
- Suspicious use of WriteProcessMemory (14 IoCs)
  description | pid | Process | procid_target
  PID 3192 wrote to memory of 4764 | 3192 | WScript.exe | 92 (2 calls)
  PID 1536 wrote to memory of 2484 | 1536 | WScript.exe | 105 (2 calls)
  PID 1536 wrote to memory of 5020 | 1536 | WScript.exe | 114 (2 calls)
  PID 2484 wrote to memory of 792 | 2484 | powershell.exe | 117 (8 calls)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\System32\WScript.exe (PID 3192, depth 1)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a8db020bc02e6fbcaac5aeb301cdc38e_JaffaCakes118.vbs"
  signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\schtasks.exe (PID 4764, depth 2)
    "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn 7rwmxwqnly /tr C:\Users\Admin\AppData\Roaming\zf8sw.vbs
    signatures: Creates scheduled task(s)
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1980, depth 1)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3744 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
- C:\Windows\System32\WScript.exe (PID 1536, depth 1)
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\zf8sw.vbs"
  signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2484, depth 2)
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    signatures: Drops file in System32 directory; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\MSBuild.exe (PID 792, depth 3)
      "C:\Users\Admin\AppData\Roaming\MSBuild.exe"
      signatures: Executes dropped EXE
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5020, depth 2)
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 2644, depth 1)
  "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\ExitWatch.xls"
  signatures: Checks processor information in registry; Enumerates system info in registry; Suspicious behavior: AddClipboardFormatListener; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx

Execution chain as recorded: the submitted .vbs (PID 3192) registers a scheduled task that runs C:\Users\Admin\AppData\Roaming\zf8sw.vbs every minute; a second WScript.exe (PID 1536) running that task target launches two powershell.exe instances, one of which spawns the dropped C:\Users\Admin\AppData\Roaming\MSBuild.exe, writes into it eight times and sets its thread context. Both powershell.exe command lines are recorded without arguments, so the script they executed is not visible in this tree. msedge.exe (PID 1980) and EXCEL.EXE (PID 2644) are top-level processes, not descendants of the sample, so the signatures attributed to them should not be read as sample behaviour without further evidence.
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 53KB
  MD5: a26df49623eff12a70a93f649776dab7
  SHA1: efb53bd0df3ac34bd119adf8788127ad57e53803
  SHA256: 4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245
  SHA512: e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 68KB
  MD5: 31df585e07534ce9882e8774e686d7b2
  SHA1: 3b93407c3dfd7487e75df8e9572ad8c673482dff
  SHA256: 9b8168747212670ed7b2ee4d67f3b3965e2d2295866dcfef4e85d486f61c9f43
  SHA512: 19170eae9b4e09d2cdd6903266b575ff96e48456a5cc740bd3e6f062c941de95916887fe4b4c9f53ee3071a77f69f14a4a8d35362cf1c55de985b5c896c0ad6b
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 6KB
  MD5: 886fdcd42d951a7aaef89bedb8d3570f
  SHA1: aad31e50c5aa4400e661df36ae2a99fd55222476
  SHA256: 686b25331dc8ad410f09f167915bc3aa87980d569d572cb9fdaab69bb916ba71
  SHA512: 2762057e8e987eb831ffd1f809d03598a7722f5c3de2b3e3061636d403915fa0d0b86e79d72efcabc42874d1eba117f9921199c119d8ecb15c8d20435fd59c20
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 6KB
  MD5: 84bfc7776332dfa33e74e5a4d659cb17
  SHA1: fc24fb1a215eb9223348c91d73f231d77929c153
  SHA256: 4d8d2973128829a3f2eb06a8e3d218cce0716b345c2cfaf979f9aa6a93c9a7b1
  SHA512: 60b752df213436fc5c10493e4ae850ba97c706306d8acb8d38c879967f9c0e9c516ab5232ed163da5782e68d48b7c783240ce25afeb9788ef90a74746adeb29a
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
  Filesize: 660B
  MD5: c1eacc193c4fabec709b3a3b53e21bf0
  SHA1: 78f6e6d90467c3f28fc819249f4bfca99898e852
  SHA256: bca83c3911e15190edfe72d01e59959152b5b8e615f613ad7187ec1dd1281ba9
  SHA512: d24a426a8fc22d2ff3b5255df8293181c22c14a09efaa835ebe7a5e24aec83814e4dc32bd52143a401846f824489a39254b84fc338fe38a54b06deed4e56f459
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
  Filesize: 24B
  MD5: 4fcb2a3ee025e4a10d21e1b154873fe2
  SHA1: 57658e2fa594b7d0b99d02e041d0f3418e58856b
  SHA256: 90bf6baa6f968a285f88620fbf91e1f5aa3e66e2bad50fd16f37913280ad8228
  SHA512: 4e85d48db8c0ee5c4dd4149ab01d33e4224456c3f3e3b0101544a5ca87a0d74b3ccd8c0509650008e2abed65efd1e140b1e65ae5215ab32de6f6a49c9d3ec3ff
- Filesize: 3KB
  MD5: ea02e016f6055816ec412c67f231716a
  SHA1: 2cf3ef3de7c24782b2c25f4593a23ce94a9fdf4e
  SHA256: 02f185758145e8bc633df90fbca878766390d06be41b735911da9733bcaa4980
  SHA512: 21fcacc0b7964fe12f309f606ab8d2782469e3862a10e741d0980fd615447fb71e233d81098ee2fe6d448d1dc7e3869c44d51017ed4b010d75419b3b2a526ebe