Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
93s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
14/07/2024, 13:36
Static task
static1
Behavioral task
behavioral1
Sample
460bd9a2df6429fcc2fac0546ac3d0d5_JaffaCakes118.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
460bd9a2df6429fcc2fac0546ac3d0d5_JaffaCakes118.exe
Resource
win10v2004-20240709-en
General
-
Target
460bd9a2df6429fcc2fac0546ac3d0d5_JaffaCakes118.exe
-
Size
333KB
-
MD5
460bd9a2df6429fcc2fac0546ac3d0d5
-
SHA1
e99f6b2e38e51b79d7273806b85d3c512672dd92
-
SHA256
a8f5d5105e68655b4eda2dbc2302bf09991121a3776c3967d6cb1ea939d817f8
-
SHA512
5747aef7d0b7eb64ab37e1f7f50425bc6d9fcb1e54ce7d1105860f39128391b99e18afacb83d838ea77183ee76fba3a299c925724e7f6cf6680f458df0b24a98
-
SSDEEP
6144:MRAhhJxX7bNIKTQ/ary6Gpdp+8dbYCWATtANNkd0gcLdk2snWC8k:UsAL/WByCJoMz4Wxk
Malware Config
Signatures
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE18BD14-8B9A-11D5-EBA1-F78EEEEEE983} 460bd9a2df6429fcc2fac0546ac3d0d5_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE18BD14-8B9A-11D5-EBA1-F78EEEEEE983}\StubPath = "msqii32.exe" 460bd9a2df6429fcc2fac0546ac3d0d5_JaffaCakes118.exe -
Modifies system executable filetype association 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*" 460bd9a2df6429fcc2fac0546ac3d0d5_JaffaCakes118.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe" 460bd9a2df6429fcc2fac0546ac3d0d5_JaffaCakes118.exe Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe" 460bd9a2df6429fcc2fac0546ac3d0d5_JaffaCakes118.exe -
Drops file in System32 directory 6 IoCs
description ioc Process File created C:\Windows\SysWOW64\vcl32.exe 460bd9a2df6429fcc2fac0546ac3d0d5_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\vcl32.exe 460bd9a2df6429fcc2fac0546ac3d0d5_JaffaCakes118.exe File created C:\Windows\SysWOW64\msqii32.exe 460bd9a2df6429fcc2fac0546ac3d0d5_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\msqii32.exe 460bd9a2df6429fcc2fac0546ac3d0d5_JaffaCakes118.exe File created C:\Windows\SysWOW64\concp32.exe 460bd9a2df6429fcc2fac0546ac3d0d5_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\concp32.exe 460bd9a2df6429fcc2fac0546ac3d0d5_JaffaCakes118.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2912 1828 WerFault.exe 82 -
Modifies registry class 5 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BE18BD14-8B9A-11D5-EBA1-F78EEEEEE983} 460bd9a2df6429fcc2fac0546ac3d0d5_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BE18BD14-8B9A-11D5-EBA1-F78EEEEEE983}\InprocServer32 460bd9a2df6429fcc2fac0546ac3d0d5_JaffaCakes118.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BE18BD14-8B9A-11D5-EBA1-F78EEEEEE983}\sm = 01b8ec350471bd332433eee476ebe1f3 460bd9a2df6429fcc2fac0546ac3d0d5_JaffaCakes118.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BE18BD14-8B9A-11D5-EBA1-F78EEEEEE983}\ax = 2c1b74ec548a2ae1f1830a6d4037fe1b 460bd9a2df6429fcc2fac0546ac3d0d5_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*" 460bd9a2df6429fcc2fac0546ac3d0d5_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 1828 460bd9a2df6429fcc2fac0546ac3d0d5_JaffaCakes118.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\460bd9a2df6429fcc2fac0546ac3d0d5_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\460bd9a2df6429fcc2fac0546ac3d0d5_JaffaCakes118.exe"1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1828 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 7282⤵
- Program crash
PID:2912
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1828 -ip 18281⤵PID:2176
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Change Default File Association
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
339KB
MD5dfea3b4e0243cdb28133a04ce5eb28cb
SHA1afdb00891efe953c4fbf7b9c52521b07a96504dd
SHA25604cf6964ddf6f48ca0d6b63efcac7e2f239ad739cb080b9637d062031f39fdab
SHA512a554461b505cc367d383d61408170d87346f5b090b283f06e2946fdfed54c0f575439f8bf9a6e0d73318d6e312d57993c8ccc1571f446a53515834f5fb81d5df