Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/07/2024, 23:51
Static task: static1
Behavioral task: behavioral1
  Sample: 4752613c27f2f00cddeb6a386f8aa5d8_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 4752613c27f2f00cddeb6a386f8aa5d8_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
Target: 4752613c27f2f00cddeb6a386f8aa5d8_JaffaCakes118.exe
Size: 214KB
MD5: 4752613c27f2f00cddeb6a386f8aa5d8
SHA1: e81b430b449280ec1532a4837acb93ad9b6d82b4
SHA256: 5711763ca9e634402deb3a946ffdfeaee94370cfd66a9d64197823136d1f6d52
SHA512: 0573cb4e2b16f4417a8c28b68a0809616d0bc5d5d23cc4936af6ec3af6f2bdae483f68c380f6df7069cb66f0fc0df98ea75c3f8c9edd4ae4644f13b11319fb62
SSDEEP: 6144:HOoSZt0D4Mn/Rth3ffBhXN2dShLImOBi:uVs/VXN2dSh1OBi
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\bootinit.bat" (process: 4752613c27f2f00cddeb6a386f8aa5d8_JaffaCakes118.exe)
Executes dropped EXE (1 IoC)
- PID 3900: netvdm.exe
Loads dropped DLL (4 IoCs)
- PID 3900: netvdm.exe (x2)
- PID 3852: 4752613c27f2f00cddeb6a386f8aa5d8_JaffaCakes118.exe (x2)
Drops file in System32 directory (10 IoCs)
- File created: C:\Windows\SysWOW64\bootinit.exe (process: 4752613c27f2f00cddeb6a386f8aa5d8_JaffaCakes118.exe)
- File created: C:\Windows\SysWOW64\Updata.log (process: 4752613c27f2f00cddeb6a386f8aa5d8_JaffaCakes118.exe)
- File created: C:\Windows\SysWOW64\safetray.exe (process: cmd.exe)
- File opened for modification: C:\Windows\SysWOW64\safetray.exe (process: cmd.exe)
- File opened for modification: C:\Windows\SysWOW64\bootinit.exe (process: 4752613c27f2f00cddeb6a386f8aa5d8_JaffaCakes118.exe)
- File created: C:\Windows\SysWOW64\bootinit.bat (process: 4752613c27f2f00cddeb6a386f8aa5d8_JaffaCakes118.exe)
- File created: C:\Windows\SysWOW64\Winsock32.dll (process: 4752613c27f2f00cddeb6a386f8aa5d8_JaffaCakes118.exe)
- File created: C:\Windows\SysWOW64\netvdm.exe (process: 4752613c27f2f00cddeb6a386f8aa5d8_JaffaCakes118.exe)
- File created: C:\Windows\SysWOW64\delini.bat (process: 4752613c27f2f00cddeb6a386f8aa5d8_JaffaCakes118.exe)
- File created: C:\Windows\SysWOW64\netvdm.exe (process: netvdm.exe)
Modifies Internet Explorer settings (9 IoCs)
- Set value (int): \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\WarnOnClose = "1" (process: 4752613c27f2f00cddeb6a386f8aa5d8_JaffaCakes118.exe)
- Key created: \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing (process: 4752613c27f2f00cddeb6a386f8aa5d8_JaffaCakes118.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "2" (process: 4752613c27f2f00cddeb6a386f8aa5d8_JaffaCakes118.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\OpenAllHomePages = "1" (process: 4752613c27f2f00cddeb6a386f8aa5d8_JaffaCakes118.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\OpenInForeground = "0" (process: 4752613c27f2f00cddeb6a386f8aa5d8_JaffaCakes118.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\PopupsUseNewWindow = "2" (process: 4752613c27f2f00cddeb6a386f8aa5d8_JaffaCakes118.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\ShortcutBehavior = "0" (process: 4752613c27f2f00cddeb6a386f8aa5d8_JaffaCakes118.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\Enabled = "1" (process: 4752613c27f2f00cddeb6a386f8aa5d8_JaffaCakes118.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\QuickTabsThreshold = "2" (process: 4752613c27f2f00cddeb6a386f8aa5d8_JaffaCakes118.exe)
Modifies registry class (2 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell (process: 4752613c27f2f00cddeb6a386f8aa5d8_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\ = "\"360SEC\"" (process: 4752613c27f2f00cddeb6a386f8aa5d8_JaffaCakes118.exe)
Suspicious behavior: EnumeratesProcesses (12 IoCs)
- PID 3852: 4752613c27f2f00cddeb6a386f8aa5d8_JaffaCakes118.exe (x10)
- PID 3900: netvdm.exe (x2)
Suspicious use of AdjustPrivilegeToken (1 IoC)
- Token: SeDebugPrivilege, PID 3852: 4752613c27f2f00cddeb6a386f8aa5d8_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx (3 IoCs)
- PID 3852: 4752613c27f2f00cddeb6a386f8aa5d8_JaffaCakes118.exe (x2)
- PID 3900: netvdm.exe (x1)
Suspicious use of WriteProcessMemory (9 IoCs)
- PID 3852 (4752613c27f2f00cddeb6a386f8aa5d8_JaffaCakes118.exe) wrote to memory of PID 4792, procid_target 86 (x3)
- PID 3852 (4752613c27f2f00cddeb6a386f8aa5d8_JaffaCakes118.exe) wrote to memory of PID 4344, procid_target 87 (x3)
- PID 4344 (cmd.exe) wrote to memory of PID 3900, procid_target 90 (x3)
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\4752613c27f2f00cddeb6a386f8aa5d8_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4752613c27f2f00cddeb6a386f8aa5d8_JaffaCakes118.exe"
  PID: 3852
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c _dcp.bat
    PID: 4792
    - Drops file in System32 directory
  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Windows\system32\delini.bat
    PID: 4344
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Windows\SysWOW64\netvdm.exe
      Command line: C:\Windows\system32\netvdm.exe
      PID: 3900
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads