Analysis
max time kernel: 142s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/07/2024, 03:30
Static task: static1
Behavioral task: behavioral1
  Sample: 378a921c32c570e516c975b6ca83abb7_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 378a921c32c570e516c975b6ca83abb7_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
Target: 378a921c32c570e516c975b6ca83abb7_JaffaCakes118.exe
Size: 800KB
MD5: 378a921c32c570e516c975b6ca83abb7
SHA1: 4bb25e842d75e7b741e76d72e4f72506086f2dea
SHA256: b8358871d091af47cc36625ab518366999d09202375c74265eb0894892c439b1
SHA512: 3b05794b4e3a5eab85f9f9633c39ad02a66edc94ec4ca4670c364a36e1d2ae6ce55fa6edc356c271d4a9d8dd7779b13b2067a25f261ad5b94b7ac1d4e9b53506
SSDEEP: 12288:4mRyTSktU4g/n/t0EW5A0zyYvJwQ5oAlK+GE4vebIk6bQQ52LgRg08y5Hpnrzzz:4SStU4gf2EW5A2DJr/kS4vGIk6v3Hff
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation | 378a921c32c570e516c975b6ca83abb7_JaffaCakes118.exe
Executes dropped EXE (2 IoCs)
pid | Process
4160 | RunMgr.EXE
3576 | Hacker.com.cn.exe
Drops file in Windows directory (5 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\RunMgr.EXE | RunMgr.EXE
File created | C:\Windows\uninstal.bat | RunMgr.EXE
File created | C:\Windows\RunMgr.EXE | 378a921c32c570e516c975b6ca83abb7_JaffaCakes118.exe
File created | C:\Windows\Hacker.com.cn.exe | RunMgr.EXE
File opened for modification | C:\Windows\Hacker.com.cn.exe | RunMgr.EXE
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies data under HKEY_USERS (5 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | Hacker.com.cn.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | Hacker.com.cn.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | Hacker.com.cn.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | Hacker.com.cn.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | Hacker.com.cn.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4160 | RunMgr.EXE
Token: SeIncBasePriorityPrivilege | 1188 | 378a921c32c570e516c975b6ca83abb7_JaffaCakes118.exe
Token: SeDebugPrivilege | 3576 | Hacker.com.cn.exe
Suspicious use of FindShellTrayWindow (1 IoC)
pid | Process
3576 | Hacker.com.cn.exe
Suspicious use of WriteProcessMemory (14 IoCs)
description | pid | Process | procid_target
PID 1188 wrote to memory of 4160 | 1188 | 378a921c32c570e516c975b6ca83abb7_JaffaCakes118.exe | 86
PID 1188 wrote to memory of 4160 | 1188 | 378a921c32c570e516c975b6ca83abb7_JaffaCakes118.exe | 86
PID 1188 wrote to memory of 4160 | 1188 | 378a921c32c570e516c975b6ca83abb7_JaffaCakes118.exe | 86
PID 1188 wrote to memory of 3100 | 1188 | 378a921c32c570e516c975b6ca83abb7_JaffaCakes118.exe | 87
PID 1188 wrote to memory of 3100 | 1188 | 378a921c32c570e516c975b6ca83abb7_JaffaCakes118.exe | 87
PID 1188 wrote to memory of 3100 | 1188 | 378a921c32c570e516c975b6ca83abb7_JaffaCakes118.exe | 87
PID 1188 wrote to memory of 4408 | 1188 | 378a921c32c570e516c975b6ca83abb7_JaffaCakes118.exe | 89
PID 1188 wrote to memory of 4408 | 1188 | 378a921c32c570e516c975b6ca83abb7_JaffaCakes118.exe | 89
PID 1188 wrote to memory of 4408 | 1188 | 378a921c32c570e516c975b6ca83abb7_JaffaCakes118.exe | 89
PID 3576 wrote to memory of 1768 | 3576 | Hacker.com.cn.exe | 92
PID 3576 wrote to memory of 1768 | 3576 | Hacker.com.cn.exe | 92
PID 4160 wrote to memory of 3628 | 4160 | RunMgr.EXE | 93
PID 4160 wrote to memory of 3628 | 4160 | RunMgr.EXE | 93
PID 4160 wrote to memory of 3628 | 4160 | RunMgr.EXE | 93
Processes
C:\Users\Admin\AppData\Local\Temp\378a921c32c570e516c975b6ca83abb7_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\378a921c32c570e516c975b6ca83abb7_JaffaCakes118.exe"
  PID: 1188
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\RunMgr.EXE
      Command line: "C:\Windows\RunMgr.EXE"
      PID: 4160
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
          PID: 3628
    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c del %SystemRoot%\Debug.exe
      PID: 3100
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\378A92~1.EXE > nul
      PID: 4408
C:\Windows\Hacker.com.cn.exe
  Command line: C:\Windows\Hacker.com.cn.exe
  PID: 3576
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
      PID: 1768
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 743KB
MD5: eec0bbd268f539876ef3fca7ce446e70
SHA1: 07b4d5119309518584f9c919c840aed551c5986b
SHA256: f761f6990cf9a25b48b17fe198ce8768695eb6f278c24c3e218d43bf5f1a6690
SHA512: f57de6d4df885ae2a607675a3a0368a14deaceacf6c961057e78691eba2a7f5b6e16836f7087c7f6878a6132a0e02a279d32a916ddb33e4dbcc5014fa2f88d8f

Filesize: 92B
MD5: cb9f71ed6347920d9d54de433ac8b51f
SHA1: 1900d39d3bfee682acce91d71efd8fc1ef22f48c
SHA256: b946663364cb8068df25d6b8c349208f534817503d4d68d5faabc5896e1a4970
SHA512: 6ceb649d961039f5b426dc92059837f6c76c1b98f9ceb4ae751e1746ba97ffd27b31bdf073a3494e50d7fc3c12e241e531bf848eaee1c497eea20570a532d9cf