Analysis
- max time kernel: 142s
- max time network: 143s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/07/2024, 00:28
Behavioral task: behavioral1
- Sample: 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe
- Resource: win10v2004-20240709-en
Only the behavioral2 (Windows 10) run is detailed below; every signature and memory dump reference on this page is tagged behavioral2.
General
- Target: 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe
- Size: 158KB
- MD5: 3b51fab717e281580abca9c62aaa9685
- SHA1: 74cd77630ace2fa629405f0665f34f1bb86419c1
- SHA256: 3a309f51d3e4be8f3581b3e83534e19bfbdb1c002f57356ff84fbe4779a3504e
- SHA512: 41502d14ccb5c65aa72aaea0f91b4f7defe4f1293fed54d1ce9193d77884cb068943560c07f0118fbe0b92de09fab6cf0b2d1e7059ddf2ad9349d41dcee33d3f
- SSDEEP: 3072:/23lko29IApHuGPdsNjMb5LjZpTSNLjXTp2zEVZNNSdAXb:/do+FuGPds1cLjLSBjDpUEzNNS+L
Malware Config
Signatures
In the list below, "the sample" means 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe (PID 2368); rt04lto.exe is the executable it drops to %TEMP% (PIDs 3284 and 4600).

- Adds policy Run key to start application (2 TTPs, 2 IoCs)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (process: the sample)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\2895k76 = "C:\Users\Admin\AppData\Local\Temp\rt04lto.exe" (process: the sample)
  Explorer runs entries under Policies\Explorer\Run at logon just like the ordinary Run key, but the location is checked far less often in manual autostart reviews, so include it. Writing under HKLM needs administrative rights, which the sandbox user (Admin) has; on a non-admin victim this persistence would fail.
- Drops file in Drivers directory (1 IoC)
  - File opened for modification: C:\Windows\system32\drivers\etc\hosts (process: rt04lto.exe)
  The report only shows the hosts file being opened for writing, not what was written; on an infected host, diff it against a known-good copy.
- Executes dropped EXE (2 IoCs)
  - PID 3284: rt04lto.exe
  - PID 4600: rt04lto.exe
- YARA rule match: upx (behavioral2)
  - memory/2368-0-0x0000000000400000-0x000000000042A000-memory.dmp
  - files/0x000800000002346b-5.dat
  - memory/3284-7-0x0000000000400000-0x000000000042A000-memory.dmp
  - memory/2368-16-0x0000000000400000-0x000000000042A000-memory.dmp
  - memory/3284-22-0x0000000000400000-0x000000000042A000-memory.dmp
  - memory/4600-23-0x0000000000400000-0x000000000042A000-memory.dmp
  - memory/4600-24-0x0000000000400000-0x000000000042A000-memory.dmp
  The same 0x400000-0x42A000 image range matches in the sample and in both rt04lto.exe instances, and the Downloads section lists a 158KB file with the sample's exact hashes, consistent with the dropped rt04lto.exe being a copy of the sample rather than a distinct payload.
- Adds Run key to start application (2 TTPs, 1 IoC)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o" (process: Rundll32.exe)
  The writing process is Rundll32.exe running setupapi,InstallHinfSection on C:\Users\Admin\AppData\Local\Temp\mdinstall.inf (see the process tree). The RunOnce\GrpConv = "grpconv -o" value is a standard side effect of INF processing, and runonce.exe -r then executes it; the interesting event is the INF install launched from %TEMP%, not this value. The INF contents are not shown in the report.
- Drops file in System32 directory (1 IoC)
  - File created: C:\Windows\SysWOW64\osor.log (process: rt04lto.exe)
- Launches sc.exe (6 IoCs)
  sc.exe is a Windows utility for controlling services. Every instance here is "sc config <service> start= DISABLED" against wscsvc (Security Center) or SharedAccess (Windows Firewall/ICS), issued right after a matching "net stop", so each service is both stopped now and prevented from starting at the next boot.
  - PIDs: 3296, 3276, 4056, 4436, 2904, 3108
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read to detect sandbox environments. In this run, though, the reading process is runonce.exe, a Windows binary started through setupapi, not the sample or rt04lto.exe, so on its own this is weak evidence of evasion.
  - Key opened: \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: runonce.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (process: runonce.exe)
- Runs net.exe
  Every net.exe instance in the process tree is "net stop" against "Security Center" or "Windows Firewall/Internet Connection Sharing (ICS)", launched once by the sample and again by each rt04lto.exe instance.
- Suspicious use of SetWindowsHookEx (9 IoCs)
  - PID 2368: the sample (listed three times)
  - PID 3284: rt04lto.exe (listed three times)
  - PID 4600: rt04lto.exe (listed three times)
- Suspicious use of WriteProcessMemory (64 IoCs)
  The original listing records each writer/target pair three times and stops at 64 entries, which is why the last pair appears once. Every write is from a process into a child it has just created (compare the process tree), which is what ordinary process creation looks like to the sandbox hooks; there is no write into an unrelated process. Format: writer PID (writer) -> target PID (target, from the process tree) [report target index].
  - 2368 (the sample) -> 4660 (net.exe) [88]
  - 2368 (the sample) -> 4056 (sc.exe) [89]
  - 2368 (the sample) -> 2352 (net.exe) [91]
  - 2368 (the sample) -> 4436 (sc.exe) [92]
  - 2368 (the sample) -> 3284 (rt04lto.exe) [93]
  - 2368 (the sample) -> 956 (Rundll32.exe) [97]
  - 4660 (net.exe) -> 4336 (net1.exe) [98]
  - 2352 (net.exe) -> 1088 (net1.exe) [99]
  - 956 (Rundll32.exe) -> 3888 (runonce.exe) [100]
  - 2368 (the sample) -> 456 (cmd.exe) [101]
  - 3284 (rt04lto.exe) -> 2932 (net.exe) [103]
  - 3284 (rt04lto.exe) -> 2904 (sc.exe) [104]
  - 3284 (rt04lto.exe) -> 1652 (net.exe) [105]
  - 3284 (rt04lto.exe) -> 3108 (sc.exe) [106]
  - 3284 (rt04lto.exe) -> 4600 (rt04lto.exe) [107]
  - 1652 (net.exe) -> 1704 (net1.exe) [112]
  - 2932 (net.exe) -> 1576 (net1.exe) [113]
  - 3888 (runonce.exe) -> 3364 (grpconv.exe) [114]
  - 4600 (rt04lto.exe) -> 1700 (net.exe) [115]
  - 4600 (rt04lto.exe) -> 3276 (sc.exe) [116]
  - 4600 (rt04lto.exe) -> 4504 (net.exe) [117]
  - 4600 (rt04lto.exe) -> 3296 (sc.exe) [118]
Processes
Indentation shows parent/child relationships; each entry gives the image path, PID, command line and the signatures attributed to that process.

C:\Users\Admin\AppData\Local\Temp\3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe (PID 2368)
  command line: "C:\Users\Admin\AppData\Local\Temp\3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe"
  signatures: Adds policy Run key to start application; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\net.exe (PID 4660)
    command line: net.exe stop "Security Center"
    signatures: Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net1.exe (PID 4336)
      command line: C:\Windows\system32\net1 stop "Security Center"

  C:\Windows\SysWOW64\sc.exe (PID 4056)
    command line: sc config wscsvc start= DISABLED
    signatures: Launches sc.exe

  C:\Windows\SysWOW64\net.exe (PID 2352)
    command line: net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
    signatures: Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net1.exe (PID 1088)
      command line: C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"

  C:\Windows\SysWOW64\sc.exe (PID 4436)
    command line: sc config SharedAccess start= DISABLED
    signatures: Launches sc.exe

  C:\Users\Admin\AppData\Local\Temp\rt04lto.exe (PID 3284)
    command line: C:\Users\Admin\AppData\Local\Temp\rt04lto.exe
    signatures: Drops file in Drivers directory; Executes dropped EXE; Drops file in System32 directory; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\net.exe (PID 2932)
      command line: net.exe stop "Security Center"
      signatures: Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net1.exe (PID 1576)
        command line: C:\Windows\system32\net1 stop "Security Center"

    C:\Windows\SysWOW64\sc.exe (PID 2904)
      command line: sc config wscsvc start= DISABLED
      signatures: Launches sc.exe

    C:\Windows\SysWOW64\net.exe (PID 1652)
      command line: net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
      signatures: Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net1.exe (PID 1704)
        command line: C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"

    C:\Windows\SysWOW64\sc.exe (PID 3108)
      command line: sc config SharedAccess start= DISABLED
      signatures: Launches sc.exe

    C:\Users\Admin\AppData\Local\Temp\rt04lto.exe (PID 4600)
      command line: C:\Users\Admin\AppData\Local\Temp\rt04lto.exe -d716208E23EF9D708CB3A634430743C392DB8CDBD85E7C70E3559F88E78AED2BAA8D42B3684F8FEA06D19379885BBCBE3DD1EAD451AB1663A3A034E324F30C1B37C35C36C7971E90554158EC9609B959F6B5C410DA415FAFAEA58EE8659ADE7614017DECCF5EB0DBD1FD986D16CAF9ECBC875B68599C21B2C89AB145AE09F66D78492C96012501FCDB1807A2990552DAD26CB7A7AB44E9BCB970C3E616CB2A67B197C116C285C140D2B7C0852F769C759F69D398AECC99128D4D928A7C7834AAC106F8290D19D20DCEC9C0E9408992F67E957E0A57C3151DE42A1CF5FF93F38EFBA062A26E654BA0B9796A7366DA76B28EFDA9CB5DCAF71C5229272FA4CB794FFA84656FC800895210DEA310D0F46C1073999DBE2C6E9C55EF5C28BC348E5C4FEABE79364F7BCA79A6D534A351806B55939EF49F331B363517C4FDAADB6CF6D10D494AD14E539258E1AC0CDEEEF210BD7A083D3B158999FB7B75559FEA0AF73F775F6B2F52371845CB55CD8BC3E3FCA595E93A6F5B3390E6CE9A3481E4FE3FC181D29EF30CA93799A1D7BC944EEEE3691A5443004FBC986F8911C21474B446D7D9F14F1873290F9AC75E2
      signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\net.exe (PID 1700)
        command line: net.exe stop "Security Center"
        C:\Windows\SysWOW64\net1.exe (PID 3600)
          command line: C:\Windows\system32\net1 stop "Security Center"

      C:\Windows\SysWOW64\sc.exe (PID 3276)
        command line: sc config wscsvc start= DISABLED
        signatures: Launches sc.exe

      C:\Windows\SysWOW64\net.exe (PID 4504)
        command line: net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
        C:\Windows\SysWOW64\net1.exe (PID 4480)
          command line: C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"

      C:\Windows\SysWOW64\sc.exe (PID 3296)
        command line: sc config SharedAccess start= DISABLED
        signatures: Launches sc.exe

  C:\Windows\SysWOW64\Rundll32.exe (PID 956)
    command line: Rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 C:\Users\Admin\AppData\Local\Temp\mdinstall.inf
    signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\runonce.exe (PID 3888)
      command line: "C:\Windows\system32\runonce.exe" -r
      signatures: Checks processor information in registry; Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\grpconv.exe (PID 3364)
        command line: "C:\Windows\System32\grpconv.exe" -o

  C:\Windows\SysWOW64\cmd.exe (PID 456)
    command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\g9ngajqf.bat

The same four-command service-tampering sequence (net stop + sc config start= DISABLED for wscsvc, then for SharedAccess) is repeated by the sample, by the first rt04lto.exe instance and by the second one, which the first starts with a long -d<hex> argument. The report does not show what that argument encodes, nor the contents of mdinstall.inf or g9ngajqf.bat.
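The process tree above is a compact detection case: a process started from %TEMP% stops Security Center and the firewall/ICS service with net stop, disables both with sc config start= DISABLED, and runs an INF install through rundll32 setupapi from the same Temp directory. The Python below is an added example, not tria.ge code and not anything from the sample. It runs a few command-line rules over constructed process-creation events in a simplified Sysmon Event ID 1 shape (field names pid, ppid, image, cmdline are assumed; the PIDs, images and command lines are copied from the tree above, the parent PID 1000 and the "Print Spooler" control event are made up) and then correlates by parent PID so that a parent whose children both stop and disable the same protected service is reported as one chain. The PROTECTED_SERVICES set and the display-name mapping are assumptions chosen to match this report.

```python
"""Rule-based detection for the service-tampering chain in the report.

Added example (not tria.ge code): events are hand-built from the process
tree above in a simplified Sysmon Event ID 1 shape; field names are assumed.
"""
import re

# Short service names the sample targets. "net stop" accepts either the display
# name or the short name, while "sc config" takes only the short name, so the
# display names seen in the report are mapped onto the short names.
PROTECTED_SERVICES = {"wscsvc", "sharedaccess"}
DISPLAY_TO_SHORT = {
    "security center": "wscsvc",
    "windows firewall/internet connection sharing (ics)": "sharedaccess",
}

# net.exe and net1.exe both show up in the tree; match either.
NET_STOP = re.compile(r'\bnet1?(?:\.exe)?"?\s+stop\s+"?([^"]+?)"?\s*$', re.I)
SC_DISABLE = re.compile(r'\bsc(?:\.exe)?"?\s+config\s+(\S+)\s+start=\s*disabled\b', re.I)
INF_INSTALL = re.compile(
    r'rundll32(?:\.exe)?"?\s+setupapi(?:\.dll)?\s*,\s*InstallHinfSection\s+\S+\s+\d+\s+(\S+)', re.I)
TEMP_DIR = re.compile(r'\\AppData\\Local\\Temp\\', re.I)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\rt04lto.exe"

# Constructed events. PIDs, images and command lines come from the report's
# process tree; ppid 1000 and the Print Spooler control event are made up.
EVENTS = [
    {"pid": 2368, "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 4660, "ppid": 2368, "image": r"C:\Windows\SysWOW64\net.exe",
     "cmdline": 'net.exe stop "Security Center"'},
    {"pid": 4056, "ppid": 2368, "image": r"C:\Windows\SysWOW64\sc.exe",
     "cmdline": "sc config wscsvc start= DISABLED"},
    {"pid": 2352, "ppid": 2368, "image": r"C:\Windows\SysWOW64\net.exe",
     "cmdline": 'net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"'},
    {"pid": 4436, "ppid": 2368, "image": r"C:\Windows\SysWOW64\sc.exe",
     "cmdline": "sc config SharedAccess start= DISABLED"},
    {"pid": 3284, "ppid": 2368, "image": DROPPER, "cmdline": DROPPER},
    {"pid": 956, "ppid": 2368, "image": r"C:\Windows\SysWOW64\Rundll32.exe",
     "cmdline": r"Rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 "
                r"C:\Users\Admin\AppData\Local\Temp\mdinstall.inf"},
    # Benign control: an administrator stopping an unrelated service must not fire.
    {"pid": 7001, "ppid": 7000, "image": r"C:\Windows\System32\net.exe",
     "cmdline": 'net stop "Print Spooler"'},
]


def classify(event):
    """Return the rule tags that fire on a single process-creation event."""
    tags = []
    cmd = event["cmdline"]
    m = NET_STOP.search(cmd)
    if m:
        name = m.group(1).strip().lower()
        short = DISPLAY_TO_SHORT.get(name, name)
        if short in PROTECTED_SERVICES:
            tags.append(f"net_stop_protected:{short}")
    m = SC_DISABLE.search(cmd)
    if m and m.group(1).lower() in PROTECTED_SERVICES:
        tags.append(f"sc_disable_protected:{m.group(1).lower()}")
    m = INF_INSTALL.search(cmd)
    if m and TEMP_DIR.search(m.group(1)):
        tags.append("inf_install_from_temp")
    if event["image"].lower().endswith(".exe") and TEMP_DIR.search(event["image"]):
        tags.append("exec_from_temp")
    return tags


def find_chains(events):
    """Group child tags by parent PID and report parents whose children both
    stopped and disabled the same protected service: the pattern the sample
    and both rt04lto.exe instances show. Returns {ppid: [service, ...]}."""
    tags_by_parent = {}
    for ev in events:
        for tag in classify(ev):
            tags_by_parent.setdefault(ev["ppid"], set()).add(tag)
    chains = {}
    for ppid, tags in tags_by_parent.items():
        stopped = {t.split(":", 1)[1] for t in tags if t.startswith("net_stop_protected:")}
        disabled = {t.split(":", 1)[1] for t in tags if t.startswith("sc_disable_protected:")}
        both = stopped & disabled
        if both:
            chains[ppid] = sorted(both)
    return chains


if __name__ == "__main__":
    for ev in EVENTS:
        hits = classify(ev)
        if hits:
            basename = ev["image"].rsplit("\\", 1)[-1]
            print(f"pid {ev['pid']:>5}  {basename:<52} {', '.join(hits)}")
    print("service-tampering chains by parent PID:", find_chains(EVENTS))
```

Matching on the display name as well as the short name matters because the two tools in the tree address the service differently (net stop "Security Center" versus sc config wscsvc); a rule that only knows wscsvc would miss the net stop half of the chain. The per-parent correlation is what separates this sample from an administrator who stops one service from an elevated shell, which is why the control event produces no finding.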
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (2)
  - Create or Modify System Process (1): Windows Service (1)
This mapping covers persistence only. The "net stop" and "sc config ... start= DISABLED" actions against wscsvc and SharedAccess in the process tree, and the hosts file modification by rt04lto.exe, are not tagged here; anyone using this report for detection coverage should account for them separately.
Downloads
The report does not name these files; they are listed by size and hash only.
- File 1
  - Filesize: 218B
  - MD5: bc686b5b5dfc9fe33f1b9298988ffea4
  - SHA1: 0f4aa7406da22b81e1e8c0413ede8f4d6077e063
  - SHA256: 134c6b80d275afa3ab4e52fd85b5cfe4e202fd2b52416c64b6b6a435712d9816
  - SHA512: 6b425aad3c7d98083f2e0d0e817939a8617f2a6c89c50a5de942b22945b88a5e80f5fe43425ff2dbdfb83de83b9eb32714070f6abd9d1cdbd5e10f5e97ba6335
- File 2
  - Filesize: 413B
  - MD5: ce1f2d7c8e36f3c085a5d281b9ebeb2f
  - SHA1: bbbfae948d625afe50f66f34282bda3974cfdce5
  - SHA256: 312239a5c6333e6d1e8ba9f0e81856c37347be0f21d194741ae1d25538cd130c
  - SHA512: 89f69b88bdfb391f58abaefbbae7e393571709c0ea6a268794c035200674ad3a8615a65944373559aead87e8d5ab09f334e2b1563c1bde912aa26a485b76357e
- File 3 (hashes identical to the submitted sample)
  - Filesize: 158KB
  - MD5: 3b51fab717e281580abca9c62aaa9685
  - SHA1: 74cd77630ace2fa629405f0665f34f1bb86419c1
  - SHA256: 3a309f51d3e4be8f3581b3e83534e19bfbdb1c002f57356ff84fbe4779a3504e
  - SHA512: 41502d14ccb5c65aa72aaea0f91b4f7defe4f1293fed54d1ce9193d77884cb068943560c07f0118fbe0b92de09fab6cf0b2d1e7059ddf2ad9349d41dcee33d3f