Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/07/2024, 16:37
Static task: static1
Behavioral task: behavioral1
  Sample: 427d98ce83712423dd5f06af0ef50b1c_JaffaCakes118.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 427d98ce83712423dd5f06af0ef50b1c_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
Target: 427d98ce83712423dd5f06af0ef50b1c_JaffaCakes118.exe
Size: 149KB
MD5: 427d98ce83712423dd5f06af0ef50b1c
SHA1: c2fd6446feb577bd8ee2d463f09bcb3455fea73d
SHA256: 922ed7eb780628227c566eec0d2dd7a3ec26d2f631edcfd555ff0eba3f65a925
SHA512: 9feac20193dd044712b5d837e372e284cea9a065ce427413a5fae89050fa3897ea1cff3a196aa6e96eb6d23e5dd4588b8756b9c82d17a816af4babc5c083bd86
SSDEEP: 3072:WwvyIUMmPhjAXRE0Ck3fGgOABWToz/n71dBoTlROl5KI1EGZqO:4MmPhjKRPGOlf1o3Cp
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation | 427d98ce83712423dd5f06af0ef50b1c_JaffaCakes118.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  1404 | unself.exe
- Drops file in Program Files directory (1 IoC)
  description | ioc | Process
  File created | C:\Program Files\Internet Explorer\lpk.dll | unself.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  pid | pid_target | Process | procid_target
  2080 | 1404 | WerFault.exe | 83
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
- Modifies registry class (1 IoC)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings | 427d98ce83712423dd5f06af0ef50b1c_JaffaCakes118.exe
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  pid | Process
  4436 | WINWORD.EXE
  4436 | WINWORD.EXE
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeIncBasePriorityPrivilege | 320 | 427d98ce83712423dd5f06af0ef50b1c_JaffaCakes118.exe
- Suspicious use of SetWindowsHookEx (14 IoCs)
  pid | Process
  4436 | WINWORD.EXE (same entry repeated 14 times)
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 320 wrote to memory of 1404 | 320 | 427d98ce83712423dd5f06af0ef50b1c_JaffaCakes118.exe | 83 (3 entries)
  PID 320 wrote to memory of 4436 | 320 | 427d98ce83712423dd5f06af0ef50b1c_JaffaCakes118.exe | 88 (2 entries)
  PID 320 wrote to memory of 396 | 320 | 427d98ce83712423dd5f06af0ef50b1c_JaffaCakes118.exe | 89 (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\427d98ce83712423dd5f06af0ef50b1c_JaffaCakes118.exe (PID 320)
  Command line: "C:\Users\Admin\AppData\Local\Temp\427d98ce83712423dd5f06af0ef50b1c_JaffaCakes118.exe"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\unself.exe (PID 1404)
    Command line: C:\Users\Admin\AppData\Local\Temp\unself.exe
    - Executes dropped EXE
    - Drops file in Program Files directory
    - C:\Windows\SysWOW64\WerFault.exe (PID 2080)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1404 -s 256
      - Program crash
  - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 4436)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\招標項目.doc" /o ""
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\cmd.exe (PID 396)
    Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\427D98~1.EXE > nul
- C:\Windows\SysWOW64\WerFault.exe (PID 4576)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1404 -ip 1404
Network
MITRE ATT&CK Enterprise v15
Downloads
- (no path recorded)
  Filesize: 263KB
  MD5: ff0e07eff1333cdf9fc2523d323dd654
  SHA1: 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
  SHA256: 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
  SHA512: b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d
- (no path recorded)
  Filesize: 88KB
  MD5: de84a438ef886bb834923b4e21dc1236
  SHA1: d6652d76167118b616f36ef41fe9a1d03c468bed
  SHA256: e537a97377d368fca1d9c2431f38d3c227d06a6a588fc0ea0d4ee47ab53162ce
  SHA512: fa3e3b42bdb58f2922567fac2aa99652c6e94539839ab58d522f8ff5080ced3d380017493637d4a041185b778e48549c8182ba5bc00e2b49d5269f219eaa5e90
- (no path recorded)
  Filesize: 29KB
  MD5: 6c77f20529a7bb180a5005421f422952
  SHA1: 1b43ae9ff2861721ccb726786c363b24634ca429
  SHA256: 31ef3fcfa28d0f5cb10d468b58755b24078448ac5c0ff93a8ab09b20527a7bfc
  SHA512: 3d397b442bc1887053e9779acc9f477917e8c9e39c6e022deba36da422a6cab9bc3070cadb65a3c34434d4b32729e5b23f837552b61ad9f71047475f44dc8041
- (no path recorded)
  Filesize: 2B
  MD5: f3b25701fe362ec84616a93a45ce9998
  SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
  SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
  SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 1KB
  MD5: abc045f49448412320130d12252aefb0
  SHA1: 4e21c64d04c9df8efbc8c3e869519f575257d87b
  SHA256: d3475022ce18b3c9840baf428e790a0cf65839adf8fa73eaea8a2fb21867cd40
  SHA512: dabad1f35a5f9a5d645d8fdc644d394d4345dda917cd2daf9de223ef2e501481177fba41f8544ade1715f65357b5a8670406b00d29def29559096484902f849a