Analysis
max time kernel: 143s
max time network: 133s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/06/2024, 04:02
Static task: static1
Behavioral task: behavioral1
  Sample: 149c09929cb0db3cc3a58f1501a3c9e7_JaffaCakes118.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 149c09929cb0db3cc3a58f1501a3c9e7_JaffaCakes118.exe
  Resource: win10v2004-20240611-en
General
Target: 149c09929cb0db3cc3a58f1501a3c9e7_JaffaCakes118.exe
Size: 422KB
MD5: 149c09929cb0db3cc3a58f1501a3c9e7
SHA1: 54529f323a5127c675e56fd9f1a22b3d0254eaed
SHA256: 7ccea256efc12bb1bdf6bfc282840b8722a4f621ee9649a43f93bcbf6a937746
SHA512: 36eb5950e45e48d471bbb45335099451fdef3cd40934dbe79a935ad71230a210389935886bc99380d4d575985e7eedf5d5194fb413fa27e788fb27f148495738
SSDEEP: 12288:n5lVkUbZIRQm2N43IEvK+S2f7W8fNUr6:n3VkUWR52Yv22f7WSNUr
Malware Config
Signatures
- Disables Task Manager via registry modification
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation | 149c09929cb0db3cc3a58f1501a3c9e7_JaffaCakes118.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  4440 | AUTMGR32.EXE
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (39 IoCs)
  Process for all 39 entries: 149c09929cb0db3cc3a58f1501a3c9e7_JaffaCakes118.exe
  description | ioc
  Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\.exe\shell\runas\command\ = "\"%1\" %*"
  Key created | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\.exe\shell\start
  Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\.exe\shell\start\command\IsolatedCommand = "\"%1\" %*"
  Key created | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\secfile\shell\open\command
  Key created | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\secfile\shell\runas
  Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\.exe\Content Type = "application/x-msdownload"
  Key created | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\.exe\DefaultIcon
  Key created | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\.exe\shell\runas
  Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\secfile\DefaultIcon\ = "%1"
  Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\secfile\shell\open\command\IsolatedCommand = "\"%1\" %*"
  Key created | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\secfile\shell\start
  Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\.exe\ = "secfile"
  Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\.exe\DefaultIcon\ = "%1"
  Key created | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Software
  Key created | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\.exe\shell\open\command
  Key created | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\.exe\shell\runas\command
  Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"
  Key created | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\secfile\DefaultIcon
  Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\secfile\shell\start\command\ = "\"%1\" %*"
  Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\secfile\Content Type = "application/x-msdownload"
  Key created | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\secfile\shell
  Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\secfile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AUTMGR32.EXE\" /START \"%1\" %*"
  Key created | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\secfile\shell\runas\command
  Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\secfile\shell\runas\command\ = "\"%1\" %*"
  Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\secfile\shell\runas\command\IsolatedCommand = "\"%1\" %*"
  Key created | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Software\Microsoft
  Key created | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\.exe
  Key created | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\.exe\shell\open
  Key created | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\.exe\shell\start\command
  Key created | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\secfile
  Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\secfile\ = "Application"
  Key created | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\secfile\shell\start\command
  Key created | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Software\Microsoft\Preferences
  Key created | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\.exe\shell
  Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AUTMGR32.EXE\" /START \"%1\" %*"
  Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"
  Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\.exe\shell\start\command\ = "\"%1\" %*"
  Key created | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\secfile\shell\open
  Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\secfile\shell\start\command\IsolatedCommand = "\"%1\" %*"
- Suspicious behavior: EnumeratesProcesses (20 IoCs)
  pid | Process
  4440 | AUTMGR32.EXE (20 identical entries)
- Suspicious behavior: RenamesItself (1 IoC)
  pid | Process
  1664 | 149c09929cb0db3cc3a58f1501a3c9e7_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  description | pid | Process | procid_target
  PID 1664 wrote to memory of 4440 | 1664 | 149c09929cb0db3cc3a58f1501a3c9e7_JaffaCakes118.exe | 82 (3 identical entries)
  PID 4440 wrote to memory of 3468 | 4440 | AUTMGR32.EXE | 56 (10 identical entries)
- System policy modification (1 TTP, 2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 149c09929cb0db3cc3a58f1501a3c9e7_JaffaCakes118.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" | 149c09929cb0db3cc3a58f1501a3c9e7_JaffaCakes118.exe
Processes
- C:\Windows\Explorer.EXE (PID:3468)
  - "C:\Users\Admin\AppData\Local\Temp\149c09929cb0db3cc3a58f1501a3c9e7_JaffaCakes118.exe" (PID:1664)
    - Checks computer location settings
    - Modifies registry class
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - "C:\Users\Admin\AppData\Local\Temp\AUTMGR32.EXE" (PID:4440)
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 422KB
  MD5: 149c09929cb0db3cc3a58f1501a3c9e7
  SHA1: 54529f323a5127c675e56fd9f1a22b3d0254eaed
  SHA256: 7ccea256efc12bb1bdf6bfc282840b8722a4f621ee9649a43f93bcbf6a937746
  SHA512: 36eb5950e45e48d471bbb45335099451fdef3cd40934dbe79a935ad71230a210389935886bc99380d4d575985e7eedf5d5194fb413fa27e788fb27f148495738
- Filesize: 323KB
  MD5: 99e35419b3bdb25033888c6edf8eb1ec
  SHA1: ea8cd2af81d02954deda773f0f1c1fd6d24d5908
  SHA256: d0cd588a0475791947fb728c94d25a6c9e5ffb14d08959611c4dd4d118a8a266
  SHA512: 14f7adc1891c2d914e65da0fefeac5d1223304409b076d00869b068674104b0b03083a11742851739be559f0e6c9e09effe99cbcd2a1ae6936897506cf52e16f