Analysis

max time kernel: 149s
max time network: 108s
platform: windows10-2004_x64
resource: win10v2004-20240704-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/07/2024, 14:40
Static task: static1

Behavioral task: behavioral1
  Sample: 4a1b278e22d8bacdb0764a0ef68fa44e_JaffaCakes118.exe
  Resource: win7-20240704-en

Behavioral task: behavioral2
  Sample: 4a1b278e22d8bacdb0764a0ef68fa44e_JaffaCakes118.exe
  Resource: win10v2004-20240704-en

The analysis, signatures and process tree on this page are from behavioral2 (win10v2004-20240704-en, x64).
General

Target: 4a1b278e22d8bacdb0764a0ef68fa44e_JaffaCakes118.exe
Size: 784KB
MD5: 4a1b278e22d8bacdb0764a0ef68fa44e
SHA1: 9d638697c5c1426295e7013e29da5da9fd7b6e08
SHA256: 7ddeb263d000da9cdad7f64b0fa20eaa6e49452da2c58231cc1f5d1b2075346c
SHA512: ebf3bdefe5c17dc65fa227194c5392f381f76a2a9f13d4a79c9bbbdafd886f2ab870599e35e68c3299920b6d91b8459053f5151c463f84a10c338b2f8df24c87
SSDEEP: 12288:6DvpRBk2lTLqzEPlnvHeASzmR1CXEtwroAOCCE3VkxBH8Y1tz2wASRvBmL9c0zJU:KYARvBAcwioRS
Malware Config

Extracted SMTP configuration (the sample's outbound channel; port 587 is the mail submission port, normally used with STARTTLS):
Protocol: smtp
Host: smtp.gmail.com
Port: 587
Username: [email protected]
Password: ranuranuwcs
Signatures

Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
  Set value (int)  \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"  (yrUqgjjt.exe.exe)
  HideFileExt = 1 is the Windows default (extensions hidden); the write makes sure it stays that way, so the dropped "yrUqgjjt.exe.exe" and "UAC.exe" are displayed as "yrUqgjjt.exe" and "UAC". The doubled extension only pays off while this value is 1.

UAC bypass (1 IoC)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  (yrUqgjjt.exe.exe)
  Writing this HKLM value already requires an elevated token (the sandbox runs the sample as Admin). Setting it to 0 disables UAC for every user after the next reboot; it does not bypass a prompt in the current session.

Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{cQL735Z8-0X96-97t0-yE9l-18vxfhG6mp3C}  (yrUqgjjt.exe.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{cQL735Z8-0X96-97t0-yE9l-18vxfhG6mp3C}\stubpath = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows Firewall\\WIN32.exe"  (yrUqgjjt.exe.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{cQL735Z8-0X96-97t0-yE9l-18vxfhG6mp3C}\ComponentID = "Windows Firewall"  (yrUqgjjt.exe.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{cQL735Z8-0X96-97t0-yE9l-18vxfhG6mp3C}\(Default) = "Microsoft Windows"  (yrUqgjjt.exe.exe)
  The stub lives in the user's roaming profile under a folder named after a Windows component, and the key name is not a well-formed GUID (Active Setup does not require one). Explorer runs the stub once per user at that user's next logon; with no Version value it will not re-run for a user unless the HKCU copy of the key is removed.
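How an Active Setup entry like the one above actually gets executed, as an added example that is not part of the Triage report: a Python model of the check Explorer performs at logon, run against registry snapshots constructed from this report's IoCs. The {11111111-2222-3333-4444-555555555555} "Contoso Sample" component, its StubPath and version numbers are made up for contrast; nothing is executed, the stub paths are only reported.

```python
from copy import deepcopy

# Snapshots constructed from this report's IoCs (the {cQL735Z8-...} component
# with its stubpath, ComponentID and default value, written by yrUqgjjt.exe.exe),
# plus one made-up benign component ({11111111-...}, "Contoso Sample") that is
# already recorded for the user. Not read from a live registry.
HKLM_INSTALLED_COMPONENTS = {
    '{cQL735Z8-0X96-97t0-yE9l-18vxfhG6mp3C}': {
        '': 'Microsoft Windows',
        'ComponentID': 'Windows Firewall',
        'stubpath': r'C:\Users\Admin\AppData\Roaming\Microsoft\Windows Firewall\WIN32.exe',
    },
    '{11111111-2222-3333-4444-555555555555}': {
        'ComponentID': 'Contoso Sample',
        'StubPath': r'C:\Program Files\Contoso\setup.exe /peruser',
        'Version': '1,0,0,0',
    },
}
HKCU_INSTALLED_COMPONENTS = {
    '{11111111-2222-3333-4444-555555555555}': {'Version': '1,0,0,0'},
}


def _values(raw):
    """Registry value names are case-insensitive (the report shows 'stubpath')."""
    return {name.lower(): data for name, data in raw.items()}


def version_tuple(text):
    """Active Setup versions are comma-separated integers such as '1,0,0,0'."""
    return tuple(int(part) for part in str(text).split(',')) if text else ()


def pending_stubs(hklm, hkcu):
    """(component, stubpath, reason) for every stub that runs at this user's next logon.

    Documented rule: a component with IsInstalled = 0 is skipped; otherwise its
    StubPath runs when HKCU has no copy of the key, or when the HKLM Version is
    higher than the Version recorded under HKCU.
    """
    runs = []
    for key, raw in hklm.items():
        comp = _values(raw)
        if str(comp.get('isinstalled', '1')) == '0':
            continue
        stub = comp.get('stubpath')
        if not stub:
            continue
        user_copy = hkcu.get(key)
        if user_copy is None:
            runs.append((key, stub, 'no HKCU record for this user'))
        elif version_tuple(comp.get('version')) > version_tuple(_values(user_copy).get('version')):
            runs.append((key, stub, 'HKLM Version newer than the HKCU copy'))
    return runs


def simulate_logon(hklm, hkcu):
    """Return (stubs that would run, HKCU after logon); nothing is executed."""
    hkcu_after = deepcopy(hkcu)
    executed = pending_stubs(hklm, hkcu_after)
    for key, _stub, _reason in executed:
        # Explorer records the component under HKCU so it does not run again
        # for this user until the HKLM Version is raised.
        hkcu_after[key] = {'Version': _values(hklm[key]).get('version')}
    return executed, hkcu_after


if __name__ == '__main__':
    first, hkcu_after = simulate_logon(HKLM_INSTALLED_COMPONENTS, HKCU_INSTALLED_COMPONENTS)
    for key, stub, reason in first:
        print(f'logon 1 runs {stub}\n    component {key}: {reason}')
    second, _ = simulate_logon(HKLM_INSTALLED_COMPONENTS, hkcu_after)
    print(f'logon 2 runs {len(second)} stub(s)')
```

Two consequences for response follow from the model: the entry fires once for every account that logs on after it was created, not just the infected user, and deleting only the HKCU copy for one user re-arms it for that user. Removal means deleting the HKLM key and the stub on disk.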
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  Key value queried  \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation  (4a1b278e22d8bacdb0764a0ef68fa44e_JaffaCakes118.exe)
  Key value queried  \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation  (yrUqgjjt.exe.exe)

Executes dropped EXE (3 IoCs)
  PID 724   yrUqgjjt.exe.exe
  PID 1744  UAC.exe
  PID 4892  firewall.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
  (no IoCs listed)

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Local\\Microsoft\\CurrentVersion\\UAC.exe"  (yrUqgjjt.exe.exe)
  Both the value name ("HKCU") and the path ("Roaming\Local\Microsoft\CurrentVersion") borrow registry and OS names; the real Local folder is a sibling of Roaming, not a subfolder of it.

Checks whether UAC is enabled
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  (yrUqgjjt.exe.exe)
  Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  (yrUqgjjt.exe.exe)

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 30  whatismyip.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
  (no IoCs listed)

Suspicious behavior: EnumeratesProcesses (9 IoCs)
  PID 724   yrUqgjjt.exe.exe  (6 events)
  PID 1744  UAC.exe  (3 events)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 1744  UAC.exe
  Repeatedly polling the foreground window, combined with the SetWindowsHookEx use below, is the pattern a keylogger uses to tag keystrokes with the active window title. Together with the SMTP configuration above this suggests, but does not by itself prove, keystroke or credential exfiltration by e-mail.

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  PID 724   yrUqgjjt.exe.exe
  Token: SeDebugPrivilege  PID 1744  UAC.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
  PID 724   yrUqgjjt.exe.exe
  PID 1744  UAC.exe
  PID 4892  firewall.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  PID 2824 (4a1b278e22d8bacdb0764a0ef68fa44e_JaffaCakes118.exe) wrote to memory of PID 724, procid_target 83  (2 events)
  PID 724 (yrUqgjjt.exe.exe) wrote to memory of PID 1744, procid_target 93  (2 events)
  PID 724 (yrUqgjjt.exe.exe) wrote to memory of PID 4892, procid_target 95  (3 events)
  Every write goes into a child the writer had just created (see the process tree). A parent writing into its own new child is also what ordinary process creation looks like in this telemetry, so these rows are weak evidence of injection on their own.

System policy modification (1 TTP, 1 IoC)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  (yrUqgjjt.exe.exe)
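Detection logic for the registry IoCs listed above, as an added example (not Triage's code): it parses rows in the same "Set value (type) path = "data" process" layout the report uses and tags each row with the behaviour it supports, separating an autostart that points into a user-writable directory from a vendor entry under Program Files. The sample rows are constructed from this report's IoCs; the {11111111-2222-3333-4444-555555555555} Contoso row written by msiexec.exe is a made-up benign control, and the ATT&CK IDs are the standard ones for the techniques named in the report's matrix.

```python
import re

# Event rows constructed from the IoC lines in the Signatures section (same column
# layout as the report), plus one constructed benign control row: the Contoso GUID
# and path are made up and stand for a vendor installer.
SAMPLE_EVENTS = [
    r'Set value (int) \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" yrUqgjjt.exe.exe',
    r'Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA yrUqgjjt.exe.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" yrUqgjjt.exe.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{cQL735Z8-0X96-97t0-yE9l-18vxfhG6mp3C}\stubpath = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows Firewall\\WIN32.exe" yrUqgjjt.exe.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Local\\Microsoft\\CurrentVersion\\UAC.exe" yrUqgjjt.exe.exe',
    r'Key value queried \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation yrUqgjjt.exe.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{11111111-2222-3333-4444-555555555555}\StubPath = "C:\\Program Files\\Contoso\\setup.exe" msiexec.exe',
]

# op, optional value type, key path (may contain spaces), optional data, acting process
EVENT_RE = re.compile(
    r'^(?P<op>Set value|Key created|Key value queried)'
    r'(?: \((?P<type>\w+)\))?'
    r' (?P<path>\\REGISTRY\\.*?)'
    r'(?: = "(?P<data>.*)")?'
    r' (?P<process>\S+)$'
)

# Locations an unprivileged user can write to; an autostart pointing here is a
# much stronger signal than one under Program Files or System32.
USER_WRITABLE = ('\\users\\', '\\appdata\\', '\\temp\\', '\\programdata\\')
RUN_KEY_RE = re.compile(r'\\currentversion\\(run|runonce)\\[^\\]+$')
ACTIVE_SETUP_RE = re.compile(r'\\active setup\\installed components\\[^\\]+\\stubpath$')

DESCRIPTIONS = {
    'uac_disabled': 'EnableLUA set to 0: UAC disabled from the next boot (T1548.002 Bypass User Account Control)',
    'uac_probe': 'EnableLUA read: checks whether UAC is enabled',
    'hide_file_ext': 'HideFileExt set to 1: Explorer hides extensions, so "x.exe.exe" displays as "x.exe"',
    'active_setup_user_path': 'Active Setup StubPath in a user-writable directory (T1547.014 Active Setup)',
    'run_key_user_path': 'Run key pointing into a user-writable directory (T1547.001 Registry Run Keys / Startup Folder)',
    'geo_check': 'Geo\\Nation queried: locale lookup, possible geofence',
}


def parse_event(line):
    """Split one report row into op, type, path, data and process."""
    m = EVENT_RE.match(line)
    if not m:
        raise ValueError(f'unrecognised event row: {line!r}')
    ev = m.groupdict()
    if ev['data'] is not None:
        ev['data'] = ev['data'].replace('\\\\', '\\')  # the report doubles backslashes in data
    return ev


def in_user_writable_dir(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def classify(ev):
    """Return the DESCRIPTIONS tags that a single registry event supports."""
    path, data, op = ev['path'].lower(), ev['data'], ev['op']
    tags = []
    if path.endswith('\\policies\\system\\enablelua'):
        if op == 'Set value' and data == '0':
            tags.append('uac_disabled')
        elif op == 'Key value queried':
            tags.append('uac_probe')
    if path.endswith('\\explorer\\advanced\\hidefileext') and data == '1':
        tags.append('hide_file_ext')
    if ACTIVE_SETUP_RE.search(path) and data and in_user_writable_dir(data):
        tags.append('active_setup_user_path')
    if RUN_KEY_RE.search(path) and data and in_user_writable_dir(data):
        tags.append('run_key_user_path')
    if op == 'Key value queried' and path.endswith('\\geo\\nation'):
        tags.append('geo_check')
    return tags


def scan(lines):
    """Map each tag to the processes that produced it, across all rows."""
    findings = {}
    for line in lines:
        ev = parse_event(line)
        for tag in classify(ev):
            findings.setdefault(tag, []).append(ev['process'])
    return findings


if __name__ == '__main__':
    for tag, procs in scan(SAMPLE_EVENTS).items():
        print(f'{tag:24s} {", ".join(sorted(set(procs)))}\n    {DESCRIPTIONS[tag]}')
```

The path test is deliberately about where the autostart points rather than which key it uses: a StubPath under Program Files written by msiexec.exe produces no finding, while the same key type pointing into AppData does.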
Processes

C:\Users\Admin\AppData\Local\Temp\4a1b278e22d8bacdb0764a0ef68fa44e_JaffaCakes118.exe  (PID 2824)
  command line: "C:\Users\Admin\AppData\Local\Temp\4a1b278e22d8bacdb0764a0ef68fa44e_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\yrUqgjjt.exe.exe  (PID 724, child of 2824)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\yrUqgjjt.exe.exe"
    - Modifies visibility of file extensions in Explorer
    - UAC bypass
    - Boot or Logon Autostart Execution: Active Setup
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification

    C:\Users\Admin\AppData\Roaming\Local\Microsoft\CurrentVersion\UAC.exe  (PID 1744, child of 724)
      command line: "C:\Users\Admin\AppData\Roaming\Local\Microsoft\CurrentVersion\UAC.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\firewall.exe  (PID 4892, child of 724)
      command line: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\firewall.exe
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
Downloads

Entry 1
  Filesize: 24KB
  MD5: 8e79606214833e936eb4b95726e465de
  SHA1: 1d7f3a3ab9864a21bad022be19fb3e8040ec43fd
  SHA256: 84e95480da9f5b3b7de59a5c3f9c1d024c8e195a9e9cb9321782c42a249f1902
  SHA512: 5671b5ea726759784ccfb5964a771b4cd7b2a9d5ee950bc91ec1457998ef0395e555919be2952c518e9be5bce3b8ef6c112dcbc8205adfc0c82698e6143c58f9

Entry 2
  Filesize: 278KB
  MD5: 2a40b4e01ffba72885bd4aa3a9cd0dbd
  SHA1: 2213b473bef30e87d367c68e951a412e2e03ee46
  SHA256: 1cb99c23c9a8f386315a4defcde54e12d8a29c00c941b524316fbac53e444362
  SHA512: 52ce21bf22f46c5d4e2e17e3b0deb339a7e0a58bdaad554c1be66b9aa2c4ae8a800518aaa22dd16346598d9dad80f9f7239c073a0b5c7bd6f3e8fce6aa1cb392