Analysis
  Max time kernel: 148s
  Max time network: 150s
  Platform: windows10-2004_x64
  Resource: win10v2004-20240709-en
  Resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  Submitted: 14/07/2024, 18:25
Static task: static1
Behavioral task: behavioral1
  Sample: 46fe2546a2c1bb35f6860a18569921f9_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 46fe2546a2c1bb35f6860a18569921f9_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
  Target: 46fe2546a2c1bb35f6860a18569921f9_JaffaCakes118.exe
  Size: 2.2MB
  MD5: 46fe2546a2c1bb35f6860a18569921f9
  SHA1: 1a569d1e2fb57962ae11e0dd29698e91287e5d80
  SHA256: d14393e4d8803103b4b0534adeec6cacacfb0a1c726629680478d9d413f8c232
  SHA512: 4796a24467166ad81a82ad758a3caeaac9f32a1ddd6ad456fd4d94bee0755803dbe1be8b8c1d09254a8152831b44590186336969144dbe9a40ef940865c89867
  SSDEEP: 49152:HUGEBRAokI3bXPcWxdTi5YP6K+b0CNYr8yfBbvX5E5beeFX6K:HbORnkI3bfcOdT8Q6KzCNYrDX54jFD
Malware Config
Signatures
  Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up country code configured in the registry, likely geofence.
    Description         IoC                                                                                                  Process
    Key value queried   \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation   46fe2546a2c1bb35f6860a18569921f9_JaffaCakes118.exe
    Key value queried   \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation   setup.exe
    Key value queried   \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation   scrss.exe

  Executes dropped EXE (3 IoCs)
    PID    Process
    1416   setup.exe
    4716   foxybot.exe
    544    scrss.exe

  Loads dropped DLL (4 IoCs)
    PID    Process
    544    scrss.exe
    544    scrss.exe
    4716   foxybot.exe
    4716   foxybot.exe

  Adds Run key to start application (2 TTPs, 1 IoC)
    Description       IoC                                                                                                                                                           Process
    Set value (str)   \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\scrss = "\"C:\\Users\\Admin\\AppData\\Local\\scrss.exe \""   reg.exe

  Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

  Modifies registry key (1 TTP, 1 IoC)
    PID    Process
    4684   reg.exe

  Suspicious behavior: EnumeratesProcesses (6 IoCs)
    PID    Process
    1416   setup.exe
    1416   setup.exe
    544    scrss.exe
    544    scrss.exe
    544    scrss.exe
    544    scrss.exe

  Suspicious use of SetWindowsHookEx (5 IoCs)
    PID    Process
    4716   foxybot.exe
    4716   foxybot.exe
    4716   foxybot.exe
    544    scrss.exe
    4716   foxybot.exe

  Suspicious use of WriteProcessMemory (18 IoCs)
    Description                        PID    Process                                              procid_target
    PID 3624 wrote to memory of 1416   3624   46fe2546a2c1bb35f6860a18569921f9_JaffaCakes118.exe   87
    PID 3624 wrote to memory of 1416   3624   46fe2546a2c1bb35f6860a18569921f9_JaffaCakes118.exe   87
    PID 3624 wrote to memory of 1416   3624   46fe2546a2c1bb35f6860a18569921f9_JaffaCakes118.exe   87
    PID 1416 wrote to memory of 4716   1416   setup.exe                                            88
    PID 1416 wrote to memory of 4716   1416   setup.exe                                            88
    PID 1416 wrote to memory of 4716   1416   setup.exe                                            88
    PID 1416 wrote to memory of 544    1416   setup.exe                                            89
    PID 1416 wrote to memory of 544    1416   setup.exe                                            89
    PID 1416 wrote to memory of 544    1416   setup.exe                                            89
    PID 544 wrote to memory of 2460    544    scrss.exe                                            90
    PID 544 wrote to memory of 2460    544    scrss.exe                                            90
    PID 544 wrote to memory of 2460    544    scrss.exe                                            90
    PID 2460 wrote to memory of 780    2460   cmd.exe                                              92
    PID 2460 wrote to memory of 780    2460   cmd.exe                                              92
    PID 2460 wrote to memory of 780    2460   cmd.exe                                              92
    PID 780 wrote to memory of 4684    780    cmd.exe                                              93
    PID 780 wrote to memory of 4684    780    cmd.exe                                              93
    PID 780 wrote to memory of 4684    780    cmd.exe                                              93
Processes (indented by process-tree depth)
  C:\Users\Admin\AppData\Local\Temp\46fe2546a2c1bb35f6860a18569921f9_JaffaCakes118.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\46fe2546a2c1bb35f6860a18569921f9_JaffaCakes118.exe"
  PID: 3624
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\Microsoft\setup.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\setup.exe"
    PID: 1416
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\foxybot.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\foxybot.exe"
      PID: 4716
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx
      C:\Users\Admin\AppData\Local\scrss.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\scrss.exe"
      PID: 544
      - Checks computer location settings
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe (depth 4)
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\run.bat" "
        PID: 2460
        - Suspicious use of WriteProcessMemory
          C:\Windows\SysWOW64\cmd.exe (depth 5)
          Command line: cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V scrss /D "\"C:\Users\Admin\AppData\Local\scrss.exe \"" /f
          PID: 780
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\reg.exe (depth 6)
            Command line: REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V scrss /D "\"C:\Users\Admin\AppData\Local\scrss.exe \"" /f
            PID: 4684
            - Adds Run key to start application
            - Modifies registry key
Network
MITRE ATT&CK Enterprise v15
Downloads