Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
140s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
24/06/2024, 00:15
Behavioral task
behavioral1
Sample
053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe
Resource
win10v2004-20240611-en
General
-
Target
053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe
-
Size
582KB
-
MD5
053cf238e7934c1472fd6e99f73d8aa7
-
SHA1
785512e3b6521d75de938be8745bfec6c6523d18
-
SHA256
d2d9a048e2543d8c41c8db1683f6872472b4253cca2ca21fb4db6fe7113b0b66
-
SHA512
acdbaed925d335e09c17cfe3bf480ac7e5a51bc552eb3a3eb60b0752555504decdb81a29403b9d95abf66cab22c220fd44d756275639f3b8c511d4beb0ced7c4
-
SSDEEP
12288:hYFBsdyQrOz4uwSI+KoiwMZPzPFQuh3a7KWh0ZPPD5VoxtFakcekVMWfJ:hfyaA75I+1gzPFQAyPhkXDCSBerWfJ
Malware Config
Signatures
-
Drops file in System32 directory 22 IoCs
description ioc Process File created \??\c:\windows\SysWOW64\yytmp1\24330150\24330150.tmp 053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe File opened for modification \??\c:\windows\SysWOW64\yytmp1\24330150\mu24330150.tmp 053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe File opened for modification \??\c:\windows\SysWOW64\yytmp1\24330150\24330150.tmp 053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe File created \??\c:\windows\SysWOW64\yytmp1\filebak 053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe File created \??\c:\windows\SysWOW64\yytmp1\24330150\yadviser.tmp 053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe File created \??\c:\windows\SysWOW64\yytmp1\ywsinid.files\25.bmp 053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe File opened for modification \??\c:\windows\SysWOW64\opfileOneA 053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe File opened for modification \??\c:\windows\SysWOW64\yytmp1\24330150\sx24330150.tmp 053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe File created \??\c:\windows\SysWOW64\yytmp1\ÓÑÒæÎÄÊé.exe 053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe File opened for modification \??\c:\windows\SysWOW64\opfilejlA 053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe File created \??\c:\windows\SysWOW64\opfilejlA 053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe File created \??\c:\windows\SysWOW64\yytmp1\24330150\mu24330150.tmp 053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe File created \??\c:\windows\SysWOW64\yytmp1\24330150\fj24330150.tmp 053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe File opened for modification \??\c:\windows\SysWOW64\yytmp1\24330150\fj24330150.tmp 053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe File opened for modification \??\c:\windows\SysWOW64\yytmp1\ÓÑÒæÎÄÊé.exe 053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe File created \??\c:\windows\SysWOW64\yytmp1\ywsfiletmp.tmp 053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe File opened for modification \??\c:\windows\SysWOW64\yytmp1\filebak 053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe File created \??\c:\windows\SysWOW64\syys7.1.6.3.syw 053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe File created \??\c:\windows\SysWOW64\yytmp1\24330150\lk24330150.tmp 053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe File created \??\c:\windows\SysWOW64\yytmp1\24330150\sx24330150.tmp 053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe File created \??\c:\windows\SysWOW64\opfileOneA 053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe File opened for modification \??\c:\windows\SysWOW64\yytmp1\24330150\lk24330150.tmp 053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 POWERPNT.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz POWERPNT.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString POWERPNT.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS POWERPNT.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily POWERPNT.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU POWERPNT.EXE -
Modifies registry class 5 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8 053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\EditFlags = "65536" 053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.Sheet.8\EditFlags = "65536" 053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.Show.8\EditFlags = "65536" 053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ywsfile 053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 1816 POWERPNT.EXE -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 1396 053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe 1396 053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe 1816 POWERPNT.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\053cf238e7934c1472fd6e99f73d8aa7_JaffaCakes118.exe"1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1396
-
C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1816