Analysis
- max time kernel: 141s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27/06/2024, 10:55
Behavioral task: behavioral1
- Sample: 15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe
- Resource: win7-20231129-en

Behavioral task: behavioral2
- Sample: 15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe
- Resource: win10v2004-20240611-en
General
- Target: 15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe
- Size: 197KB
- MD5: 15bcae517e5be46a385c5c79994c6e6e
- SHA1: 8d5a3cfa91d82f4f2c71ac7a277d4bb818959560
- SHA256: 2489d37b356fda9b26a6fe9320e3ef0bec0e657da55fdb2c11d98b3c3e739ec3
- SHA512: 8abaf8afa0030a44e5568fd0539a558975b1f7d7dbc1309085e20bcb2729e92949892c2d9762d75d013a2869e45f92d5d23e8ddfb7ee00bdb16a24f61e152e53
- SSDEEP: 6144:8Gjx6PxGvpPkdRpRc6at6oHW9k1UJADkau:8HcvpPkdRpRcNtvzDu
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
- description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation
  Process: 15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe
Executes dropped EXE (1 IoC)
- pid: 4464
  Process: SMSS.EXE
YARA rule matches in memory
- resource: behavioral2/memory/620-0-0x0000000000400000-0x000000000042B000-memory.dmp
  yara_rule: upx
- resource: behavioral2/memory/620-8-0x0000000000400000-0x000000000042B000-memory.dmp
  yara_rule: upx
Adds Run key to start application (2 TTPs, 1 IoC)
- description: Key deleted
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
  Process: 15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe
Checks for any installed AV software in registry (1 TTP, 1 IoC)
- description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService
  Process: 15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe
Checks whether UAC is enabled
- description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  Process: 15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe
Enumerates connected drives (3 TTPs, 1 IoC)
Attempts to read the root path of hard drives other than the default C: drive.
- description: File opened (read-only)
  ioc: \??\E:
  Process: 15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe
Drops autorun.inf file (1 TTP, 3 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
- description: File opened for modification
  ioc: D:\AUTORUN.INF
  Process: 15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe
- description: File opened for modification
  ioc: \??\E:\AUTORUN.INF
  Process: 15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe
- description: File opened for modification
  ioc: C:\AUTORUN.INF
  Process: 15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe
Drops file in System32 directory (3 IoCs)
- description: File created
  ioc: C:\Windows\SysWOW64\00302.log
  Process: 15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe
- description: File opened for modification
  ioc: C:\Windows\SysWOW64\com\SMSS.EXE
  Process: 15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe
- description: File created
  ioc: C:\Windows\SysWOW64\com\SMSS.EXE
  Process: 15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- pid: 620
  Process: 15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe
- pid: 620
  Process: 15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe
Suspicious behavior: LoadsDriver (1 IoC)
- pid: 664
  Process: Process not Found
Suspicious use of AdjustPrivilegeToken (1 IoC)
- description: Token: SeDebugPrivilege
  pid: 620
  Process: 15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx (4 IoCs)
- pid: 620
  Process: 15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe
- pid: 620
  Process: 15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe
- pid: 620
  Process: 15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe
- pid: 620
  Process: 15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (15 IoCs)
Columns: description, pid, Process, procid_target
- PID 620 wrote to memory of 1340, 620, 15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe, 83
- PID 620 wrote to memory of 1340, 620, 15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe, 83
- PID 620 wrote to memory of 1340, 620, 15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe, 83
- PID 620 wrote to memory of 2956, 620, 15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe, 84
- PID 620 wrote to memory of 2956, 620, 15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe, 84
- PID 620 wrote to memory of 2956, 620, 15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe, 84
- PID 620 wrote to memory of 2844, 620, 15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe, 87
- PID 620 wrote to memory of 2844, 620, 15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe, 87
- PID 620 wrote to memory of 2844, 620, 15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe, 87
- PID 620 wrote to memory of 2536, 620, 15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe, 90
- PID 620 wrote to memory of 2536, 620, 15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe, 90
- PID 620 wrote to memory of 2536, 620, 15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe, 90
- PID 2536 wrote to memory of 4464, 2536, cmd.exe, 92
- PID 2536 wrote to memory of 4464, 2536, cmd.exe, 92
- PID 2536 wrote to memory of 4464, 2536, cmd.exe, 92
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\15bcae517e5be46a385c5c79994c6e6e_JaffaCakes118.exe"
  PID: 620
  - Checks computer location settings
  - Adds Run key to start application
  - Checks for any installed AV software in registry
  - Checks whether UAC is enabled
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  (depth 2) C:\Windows\SysWOW64\cacls.exe
    Command line: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
    PID: 1340

  (depth 2) C:\Windows\SysWOW64\cacls.exe
    Command line: "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F
    PID: 2956

  (depth 2) C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c echo ok
    PID: 2844

  (depth 2) C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c "C:\Windows\system32\com\SMSS.EXE c:\users\admin\appdata\local\temp\15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe^|c:\users\admin\appdata\local\temp\15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log"
    PID: 2536
    - Suspicious use of WriteProcessMemory

    (depth 3) C:\Windows\SysWOW64\com\SMSS.EXE
      Command line: C:\Windows\system32\com\SMSS.EXE c:\users\admin\appdata\local\temp\15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe|c:\users\admin\appdata\local\temp\15bcae517e5be46a385c5c79994c6e6e_jaffacakes118.exe.log
      PID: 4464
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 20KB
- MD5: a4089e292d473cc4bee6499633f75ac1
- SHA1: e3ba401db3ad5df31eb2df48d539f0ace8bbafe8
- SHA256: ac95862f70201a84124100958d2dced7d02100b2faef8a3e79fd739209552863
- SHA512: 39381d7e9bf788b7ebe0e6a8311e517abc2b8253d0d51ef6d62b8c213ff87126e00d75bcae06898f36cfa33763bd4aae0839bfb1ac6f69de39cf58ccea33aebf