Analysis
  max time kernel: 142s
  max time network: 151s
  platform: windows10-2004_x64
  resource: win10v2004-20240226-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 01/07/2024, 10:23
Static task: static1

Behavioral task: behavioral1
  Sample: 1aeea49d25b4dc6e42724c9c0d2e9296_JaffaCakes118.exe
  Resource: win7-20240611-en

Behavioral task: behavioral2
  Sample: 1aeea49d25b4dc6e42724c9c0d2e9296_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
  Target: 1aeea49d25b4dc6e42724c9c0d2e9296_JaffaCakes118.exe
  Size: 10KB
  MD5: 1aeea49d25b4dc6e42724c9c0d2e9296
  SHA1: 2d5e850c7f8872a994ac3eee8fd14f082e46ce05
  SHA256: 8b2bfe0e55b5ac5bdc545a14b1564d07da18adf59670184f05f6c9f2549ed5d6
  SHA512: bf3146ed58df01d93d2a5c185c034e2a86ecc95beab81e3501736e0f9e38a7068bcc941df12c10681284f7a76b84939311726eb1ead2e96ded185810991bfd96
  SSDEEP: 192:/TojHDbwLgReF4UjMN2z+Ko4SSFaNJhLkwcud2DH9VwGfctexPe85/OS/oJKWQW8:/TojHDbwIeF4ISRJWaNJawcudoD7Unlo
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\nppagent.exe"
  Process: 1aeea49d25b4dc6e42724c9c0d2e9296_JaffaCakes118.exe

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  description: Set value (int)
  ioc: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
  Process: 1aeea49d25b4dc6e42724c9c0d2e9296_JaffaCakes118.exe

Event Triggered Execution: Image File Execution Options Injection (1 TTP, 2 IoCs)
  description: Key created
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WINWORD.EXE
  Process: 1aeea49d25b4dc6e42724c9c0d2e9296_JaffaCakes118.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger = "C:\\WINDOWS\\system32\\Microsoft\\ctfmon.exe"
  Process: 1aeea49d25b4dc6e42724c9c0d2e9296_JaffaCakes118.exe

Sets file to hidden (1 TTP, 6 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
  pid / Process: 1196 attrib.exe, 1136 attrib.exe, 760 attrib.exe, 1724 attrib.exe, 2028 attrib.exe, 4100 attrib.exe

Modifies registry class (2 IoCs)
  description: Key created
  ioc: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\lnkfile
  Process: 1aeea49d25b4dc6e42724c9c0d2e9296_JaffaCakes118.exe
  description: Key created
  ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\piffile
  Process: 1aeea49d25b4dc6e42724c9c0d2e9296_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid / Process: 3220 1aeea49d25b4dc6e42724c9c0d2e9296_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (39 IoCs)
  description | pid | Process | procid_target
  PID 3220 wrote to memory of 1080 | 3220 | 1aeea49d25b4dc6e42724c9c0d2e9296_JaffaCakes118.exe | 90
  PID 3220 wrote to memory of 1080 | 3220 | 1aeea49d25b4dc6e42724c9c0d2e9296_JaffaCakes118.exe | 90
  PID 3220 wrote to memory of 1080 | 3220 | 1aeea49d25b4dc6e42724c9c0d2e9296_JaffaCakes118.exe | 90
  PID 3220 wrote to memory of 1104 | 3220 | 1aeea49d25b4dc6e42724c9c0d2e9296_JaffaCakes118.exe | 92
  PID 3220 wrote to memory of 1104 | 3220 | 1aeea49d25b4dc6e42724c9c0d2e9296_JaffaCakes118.exe | 92
  PID 3220 wrote to memory of 1104 | 3220 | 1aeea49d25b4dc6e42724c9c0d2e9296_JaffaCakes118.exe | 92
  PID 3220 wrote to memory of 1852 | 3220 | 1aeea49d25b4dc6e42724c9c0d2e9296_JaffaCakes118.exe | 93
  PID 3220 wrote to memory of 1852 | 3220 | 1aeea49d25b4dc6e42724c9c0d2e9296_JaffaCakes118.exe | 93
  PID 3220 wrote to memory of 1852 | 3220 | 1aeea49d25b4dc6e42724c9c0d2e9296_JaffaCakes118.exe | 93
  PID 3220 wrote to memory of 4508 | 3220 | 1aeea49d25b4dc6e42724c9c0d2e9296_JaffaCakes118.exe | 94
  PID 3220 wrote to memory of 4508 | 3220 | 1aeea49d25b4dc6e42724c9c0d2e9296_JaffaCakes118.exe | 94
  PID 3220 wrote to memory of 4508 | 3220 | 1aeea49d25b4dc6e42724c9c0d2e9296_JaffaCakes118.exe | 94
  PID 3220 wrote to memory of 1088 | 3220 | 1aeea49d25b4dc6e42724c9c0d2e9296_JaffaCakes118.exe | 95
  PID 3220 wrote to memory of 1088 | 3220 | 1aeea49d25b4dc6e42724c9c0d2e9296_JaffaCakes118.exe | 95
  PID 3220 wrote to memory of 1088 | 3220 | 1aeea49d25b4dc6e42724c9c0d2e9296_JaffaCakes118.exe | 95
  PID 3220 wrote to memory of 4348 | 3220 | 1aeea49d25b4dc6e42724c9c0d2e9296_JaffaCakes118.exe | 96
  PID 3220 wrote to memory of 4348 | 3220 | 1aeea49d25b4dc6e42724c9c0d2e9296_JaffaCakes118.exe | 96
  PID 3220 wrote to memory of 4348 | 3220 | 1aeea49d25b4dc6e42724c9c0d2e9296_JaffaCakes118.exe | 96
  PID 3220 wrote to memory of 3896 | 3220 | 1aeea49d25b4dc6e42724c9c0d2e9296_JaffaCakes118.exe | 97
  PID 3220 wrote to memory of 3896 | 3220 | 1aeea49d25b4dc6e42724c9c0d2e9296_JaffaCakes118.exe | 97
  PID 3220 wrote to memory of 3896 | 3220 | 1aeea49d25b4dc6e42724c9c0d2e9296_JaffaCakes118.exe | 97
  PID 3896 wrote to memory of 4100 | 3896 | cmd.exe | 104
  PID 3896 wrote to memory of 4100 | 3896 | cmd.exe | 104
  PID 3896 wrote to memory of 4100 | 3896 | cmd.exe | 104
  PID 1088 wrote to memory of 1724 | 1088 | cmd.exe | 106
  PID 1088 wrote to memory of 1724 | 1088 | cmd.exe | 106
  PID 1088 wrote to memory of 1724 | 1088 | cmd.exe | 106
  PID 4508 wrote to memory of 2028 | 4508 | cmd.exe | 105
  PID 1104 wrote to memory of 1196 | 1104 | cmd.exe | 107
  PID 1104 wrote to memory of 1196 | 1104 | cmd.exe | 107
  PID 1104 wrote to memory of 1196 | 1104 | cmd.exe | 107
  PID 4508 wrote to memory of 2028 | 4508 | cmd.exe | 105
  PID 4508 wrote to memory of 2028 | 4508 | cmd.exe | 105
  PID 1852 wrote to memory of 760 | 1852 | cmd.exe | 108
  PID 1852 wrote to memory of 760 | 1852 | cmd.exe | 108
  PID 1852 wrote to memory of 760 | 1852 | cmd.exe | 108
  PID 4348 wrote to memory of 1136 | 4348 | cmd.exe | 109
  PID 4348 wrote to memory of 1136 | 4348 | cmd.exe | 109
  PID 4348 wrote to memory of 1136 | 4348 | cmd.exe | 109

Views/modifies file attributes (1 TTP, 6 IoCs)
  pid / Process: 2028 attrib.exe, 4100 attrib.exe, 1196 attrib.exe, 1136 attrib.exe, 760 attrib.exe, 1724 attrib.exe
Processes

[1] C:\Users\Admin\AppData\Local\Temp\1aeea49d25b4dc6e42724c9c0d2e9296_JaffaCakes118.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\1aeea49d25b4dc6e42724c9c0d2e9296_JaffaCakes118.exe"
    PID: 3220
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Event Triggered Execution: Image File Execution Options Injection
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c "C:\WINDOWS\system32\IME\comrereg.exe"
        PID: 1080

    [2] C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c attrib +s +h "C:\WINDOWS\system32\IME\comrereg.exe"
        PID: 1104
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\attrib.exe
            command line: attrib +s +h "C:\WINDOWS\system32\IME\comrereg.exe"
            PID: 1196
            - Sets file to hidden
            - Views/modifies file attributes

    [2] C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c attrib +s +h "C:\Program Files\Windows Media Player\wmpband.exe"
        PID: 1852
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\attrib.exe
            command line: attrib +s +h "C:\Program Files\Windows Media Player\wmpband.exe"
            PID: 760
            - Sets file to hidden
            - Views/modifies file attributes

    [2] C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c attrib +s +h "C:\WINDOWS\system32\DirectX\Setup.exe"
        PID: 4508
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\attrib.exe
            command line: attrib +s +h "C:\WINDOWS\system32\DirectX\Setup.exe"
            PID: 2028
            - Sets file to hidden
            - Views/modifies file attributes

    [2] C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c attrib +s +h "C:\WINDOWS\system32\nppagent.exe"
        PID: 1088
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\attrib.exe
            command line: attrib +s +h "C:\WINDOWS\system32\nppagent.exe"
            PID: 1724
            - Sets file to hidden
            - Views/modifies file attributes

    [2] C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c attrib +s +h "C:\WINDOWS\system32\Microsoft\ctfmon.exe"
        PID: 4348
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\attrib.exe
            command line: attrib +s +h "C:\WINDOWS\system32\Microsoft\ctfmon.exe"
            PID: 1136
            - Sets file to hidden
            - Views/modifies file attributes

    [2] C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c attrib +s +h "C:\Program Files\Internet Explorer\EXPLORE.EXE"
        PID: 3896
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\attrib.exe
            command line: attrib +s +h "C:\Program Files\Internet Explorer\EXPLORE.EXE"
            PID: 4100
            - Sets file to hidden
            - Views/modifies file attributes

[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3944 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
    PID: 4116
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Winlogon Helper DLL (1)
  Event Triggered Execution (1)
    Image File Execution Options Injection (1)

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Winlogon Helper DLL (1)
  Event Triggered Execution (1)
    Image File Execution Options Injection (1)