Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10/07/2024, 10:52

Static task: static1

Behavioral task: behavioral1
- Sample: 346bb77b4da9f9e1b476ac9571995a90_JaffaCakes118.exe
- Resource: win7-20240704-en

Behavioral task: behavioral2
- Sample: 346bb77b4da9f9e1b476ac9571995a90_JaffaCakes118.exe
- Resource: win10v2004-20240709-en
General
- Target: 346bb77b4da9f9e1b476ac9571995a90_JaffaCakes118.exe
- Size: 46KB
- MD5: 346bb77b4da9f9e1b476ac9571995a90
- SHA1: 2fe1f7ed594c9bccf8bd273038785f28b68c35f6
- SHA256: fd42eb598834c451e1af67f39b32b31fab411b2d881f21710b3e666cd7ee1500
- SHA512: 4b6f77d7d0a2659c30db2a208ca61143bf25c9c699ff0f6ab27ced27cec280db32147b99cedb5179e568cc168efbd1697e09800ffda7b72bde182926ca51cd50
- SSDEEP: 768:Vvfdzb0EN0rwc5trkAuE8iMnXYV4ook02AHNC08C6LRqkijEzExEWyB9iz3zJXRC:9dzbSAAuE8Z3ook0HCVnRqkiKExHyHiy
Malware Config
Signatures

- Checks computer location settings (2 TTPs, 6 IoCs)
Looks up the country code configured in the registry, likely a geofence check.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation | cvuiwgny.exe
Key value queried | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation | mzq2qki.exe
Key value queried | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation | cvuiwgny.exe
Key value queried | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation | mzq2qki.exe
Key value queried | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation | cvuiwgny.exe
Key value queried | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation | 346bb77b4da9f9e1b476ac9571995a90_JaffaCakes118.exe

- Executes dropped EXE (6 IoCs)
pid | Process
2988 | cvuiwgny.exe
1688 | mzq2qki.exe
2816 | cvuiwgny.exe
2176 | mzq2qki.exe
1820 | cvuiwgny.exe
1288 | mzq2qki.exe

- Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MzQ2QkI3N0I0REE5RjlFMU = "C:\\ProgramData\\cvuiwgny.exe" | cvuiwgny.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MzQ2QkI3N0I0REE5RjlFMU = "C:\\ProgramData\\cvuiwgny.exe" | cvuiwgny.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MzQ2QkI3N0I0REE5RjlFMU = "C:\\ProgramData\\cvuiwgny.exe" | cvuiwgny.exe

- Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

- Checks processor information in registry (2 TTPs, 18 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | dw20.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | dw20.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | dw20.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | cvuiwgny.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | mzq2qki.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | mzq2qki.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | mzq2qki.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | dw20.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | dw20.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | cvuiwgny.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | cvuiwgny.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | mzq2qki.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | cvuiwgny.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | cvuiwgny.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | dw20.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | cvuiwgny.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | 346bb77b4da9f9e1b476ac9571995a90_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | 346bb77b4da9f9e1b476ac9571995a90_JaffaCakes118.exe

- Enumerates system info in registry (2 TTPs, 4 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | dw20.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | dw20.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | dw20.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | dw20.exe

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
1688 | mzq2qki.exe (all 64 entries are identical: pid 1688, mzq2qki.exe)

- Suspicious use of AdjustPrivilegeToken (11 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 5008 | 346bb77b4da9f9e1b476ac9571995a90_JaffaCakes118.exe
Token: SeDebugPrivilege | 2988 | cvuiwgny.exe
Token: SeDebugPrivilege | 1688 | mzq2qki.exe
Token: SeBackupPrivilege | 3676 | dw20.exe
Token: SeBackupPrivilege | 3676 | dw20.exe
Token: SeDebugPrivilege | 2816 | cvuiwgny.exe
Token: SeDebugPrivilege | 2176 | mzq2qki.exe
Token: SeBackupPrivilege | 4064 | dw20.exe
Token: SeBackupPrivilege | 4064 | dw20.exe
Token: SeDebugPrivilege | 1820 | cvuiwgny.exe
Token: SeDebugPrivilege | 1288 | mzq2qki.exe

- Suspicious use of WriteProcessMemory (16 IoCs)
description | pid | Process | procid_target
PID 5008 wrote to memory of 2988 | 5008 | 346bb77b4da9f9e1b476ac9571995a90_JaffaCakes118.exe | 85
PID 5008 wrote to memory of 2988 | 5008 | 346bb77b4da9f9e1b476ac9571995a90_JaffaCakes118.exe | 85
PID 2988 wrote to memory of 1688 | 2988 | cvuiwgny.exe | 86
PID 2988 wrote to memory of 1688 | 2988 | cvuiwgny.exe | 86
PID 2988 wrote to memory of 3676 | 2988 | cvuiwgny.exe | 90
PID 2988 wrote to memory of 3676 | 2988 | cvuiwgny.exe | 90
PID 1688 wrote to memory of 2816 | 1688 | mzq2qki.exe | 92
PID 1688 wrote to memory of 2816 | 1688 | mzq2qki.exe | 92
PID 2816 wrote to memory of 2176 | 2816 | cvuiwgny.exe | 93
PID 2816 wrote to memory of 2176 | 2816 | cvuiwgny.exe | 93
PID 2816 wrote to memory of 4064 | 2816 | cvuiwgny.exe | 94
PID 2816 wrote to memory of 4064 | 2816 | cvuiwgny.exe | 94
PID 2176 wrote to memory of 1820 | 2176 | mzq2qki.exe | 95
PID 2176 wrote to memory of 1820 | 2176 | mzq2qki.exe | 95
PID 1820 wrote to memory of 1288 | 1820 | cvuiwgny.exe | 96
PID 1820 wrote to memory of 1288 | 1820 | cvuiwgny.exe | 96
Processes (process tree; indentation shows parent/child depth)

1. C:\Users\Admin\AppData\Local\Temp\346bb77b4da9f9e1b476ac9571995a90_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\346bb77b4da9f9e1b476ac9571995a90_JaffaCakes118.exe"
   PID: 5008
   - Checks computer location settings
   - Checks processor information in registry
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\ProgramData\cvuiwgny.exe
      Command line: "C:\ProgramData\cvuiwgny.exe"
      PID: 2988
      - Checks computer location settings
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks processor information in registry
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\mzq2qki.exe
         Command line: "C:\Users\Admin\mzq2qki.exe" C:\ProgramData\cvuiwgny.exe 2988
         PID: 1688
         - Checks computer location settings
         - Executes dropped EXE
         - Checks processor information in registry
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory

         4. C:\ProgramData\cvuiwgny.exe
            Command line: "C:\ProgramData\cvuiwgny.exe"
            PID: 2816
            - Checks computer location settings
            - Executes dropped EXE
            - Adds Run key to start application
            - Checks processor information in registry
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            5. C:\Users\Admin\mzq2qki.exe
               Command line: "C:\Users\Admin\mzq2qki.exe" C:\ProgramData\cvuiwgny.exe 2816
               PID: 2176
               - Checks computer location settings
               - Executes dropped EXE
               - Checks processor information in registry
               - Suspicious use of AdjustPrivilegeToken
               - Suspicious use of WriteProcessMemory

               6. C:\ProgramData\cvuiwgny.exe
                  Command line: "C:\ProgramData\cvuiwgny.exe"
                  PID: 1820
                  - Checks computer location settings
                  - Executes dropped EXE
                  - Adds Run key to start application
                  - Checks processor information in registry
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory

                  7. C:\Users\Admin\mzq2qki.exe
                     Command line: "C:\Users\Admin\mzq2qki.exe" C:\ProgramData\cvuiwgny.exe 1820
                     PID: 1288
                     - Executes dropped EXE
                     - Suspicious use of AdjustPrivilegeToken

            5. C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
               Command line: dw20.exe -x -s 2008
               PID: 4064
               - Checks processor information in registry
               - Enumerates system info in registry
               - Suspicious use of AdjustPrivilegeToken

      3. C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
         Command line: dw20.exe -x -s 2584
         PID: 3676
         - Checks processor information in registry
         - Enumerates system info in registry
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15