Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
136s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
17/07/2024, 07:46
Static task
static1
Behavioral task
behavioral1
Sample
520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe
Resource
win10v2004-20240709-en
General
-
Target
520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe
-
Size
1.6MB
-
MD5
520d488564da102f5482fcfdcdbd266a
-
SHA1
45deee8360e5af17ca04f4bc0fd2c52ae92eb9f0
-
SHA256
e7969800b4ea77a3719a6ba3127bd561a439323d75f6d61e22e5c64b316768c7
-
SHA512
e2c4f46dcf40b8f03bc9fbe0f0cecf933d2825788b0e9f270e7e7ae8a60174d1b7fc778870aa7ce7ba5cb464f28cc5842d043fc93535921749d186e414f51906
-
SSDEEP
49152:IF/dnNIXDMIHun5tfySS2wMyw4jVrAGuM2:
Malware Config
Extracted
C:\ProgramData\readme.txt
conti
http://contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion/
https://contirecovery.click
Signatures
-
Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
-
Renames multiple (7319) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\readme.txt 520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\tr\readme.txt 520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ui-strings.js 520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\tr_get.svg 520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\en-ae\ui-strings.js 520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\nl-nl\readme.txt 520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\epdf\selector.js 520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\js\common.js 520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe File created C:\Program Files\Java\jdk-1.8\legal\javafx\readme.txt 520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\vlc.mo 520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-gb\ui-strings.js 520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\sl-sl\readme.txt 520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\readme.txt 520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-ul-phn.xrm-ms 520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe File opened for modification C:\Program Files\Java\jdk-1.8\legal\jdk\giflib.md 520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-ae\readme.txt 520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-ppd.xrm-ms 520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_Subscription-ppd.xrm-ms 520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe File opened for modification C:\Program Files\Java\jre-1.8\lib\deploy\messages_pt_BR.properties 520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\download.svg 520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-cn\readme.txt 520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\nl-nl\ui-strings.js 520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16ConsumerPerp_Bypass30-ul-oob.xrm-ms 520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\jdk\pkcs11wrapper.md 520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\cstm_brand_preview.png 520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ja-jp\ui-strings.js 520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Grace-ul-oob.xrm-ms 520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_KMS_Client_AE-ppd.xrm-ms 520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\modules\sandbox.luac 520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\readme.txt 520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipsfin.xml 520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe File created C:\Program Files\Common Files\microsoft shared\ink\sk-SK\readme.txt 520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.106\Locales\bg.pak 520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\TelemetryLog.xltx 520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\en_CA.dic 520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\pt-br\ui-strings.js 520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\root\ui-strings.js 520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-ul-oob.xrm-ms 520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-ul-phn.xrm-ms 520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sortedby_hover_18.svg 520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\rhp_world_icon_2x.png 520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\rhp_world_icon_hover_2x.png 520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\he-il\readme.txt 520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-ma\readme.txt 520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\sv-se\PlayStore_icon.svg 520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe File opened for modification C:\Program Files\7-Zip\Lang\et.txt 520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe File opened for modification C:\Program Files\7-Zip\Lang\pt-br.txt 520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription5-ppd.xrm-ms 520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\uk-ua\ui-strings.js 520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Trial-pl.xrm-ms 520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Trial-ul-oob.xrm-ms 520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\en-gb\readme.txt 520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themes\dark\close.svg 520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ar-ae\readme.txt 520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ul-oob.xrm-ms 520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_KMS_Client_AE-ul-oob.xrm-ms 520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\MLASeventhEditionOfficeOnline.xsl 520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt 520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\pl-pl\ui-strings.js 520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\fr-ma\ui-strings.js 520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\fr-fr\ui-strings.js 520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\bun.png 520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.NETCore.App.runtimeconfig.json 520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Mu\Social 520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\vscroll-thumb.png 520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2452 520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe 2452 520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 45 IoCs
description pid Process Token: SeBackupPrivilege 3688 vssvc.exe Token: SeRestorePrivilege 3688 vssvc.exe Token: SeAuditPrivilege 3688 vssvc.exe Token: SeIncreaseQuotaPrivilege 2416 WMIC.exe Token: SeSecurityPrivilege 2416 WMIC.exe Token: SeTakeOwnershipPrivilege 2416 WMIC.exe Token: SeLoadDriverPrivilege 2416 WMIC.exe Token: SeSystemProfilePrivilege 2416 WMIC.exe Token: SeSystemtimePrivilege 2416 WMIC.exe Token: SeProfSingleProcessPrivilege 2416 WMIC.exe Token: SeIncBasePriorityPrivilege 2416 WMIC.exe Token: SeCreatePagefilePrivilege 2416 WMIC.exe Token: SeBackupPrivilege 2416 WMIC.exe Token: SeRestorePrivilege 2416 WMIC.exe Token: SeShutdownPrivilege 2416 WMIC.exe Token: SeDebugPrivilege 2416 WMIC.exe Token: SeSystemEnvironmentPrivilege 2416 WMIC.exe Token: SeRemoteShutdownPrivilege 2416 WMIC.exe Token: SeUndockPrivilege 2416 WMIC.exe Token: SeManageVolumePrivilege 2416 WMIC.exe Token: 33 2416 WMIC.exe Token: 34 2416 WMIC.exe Token: 35 2416 WMIC.exe Token: 36 2416 WMIC.exe Token: SeIncreaseQuotaPrivilege 2416 WMIC.exe Token: SeSecurityPrivilege 2416 WMIC.exe Token: SeTakeOwnershipPrivilege 2416 WMIC.exe Token: SeLoadDriverPrivilege 2416 WMIC.exe Token: SeSystemProfilePrivilege 2416 WMIC.exe Token: SeSystemtimePrivilege 2416 WMIC.exe Token: SeProfSingleProcessPrivilege 2416 WMIC.exe Token: SeIncBasePriorityPrivilege 2416 WMIC.exe Token: SeCreatePagefilePrivilege 2416 WMIC.exe Token: SeBackupPrivilege 2416 WMIC.exe Token: SeRestorePrivilege 2416 WMIC.exe Token: SeShutdownPrivilege 2416 WMIC.exe Token: SeDebugPrivilege 2416 WMIC.exe Token: SeSystemEnvironmentPrivilege 2416 WMIC.exe Token: SeRemoteShutdownPrivilege 2416 WMIC.exe Token: SeUndockPrivilege 2416 WMIC.exe Token: SeManageVolumePrivilege 2416 WMIC.exe Token: 33 2416 WMIC.exe Token: 34 2416 WMIC.exe Token: 35 2416 WMIC.exe Token: 36 2416 WMIC.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2452 wrote to memory of 3144 2452 520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe 92 PID 2452 wrote to memory of 3144 2452 520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe 92 PID 3144 wrote to memory of 2416 3144 cmd.exe 94 PID 3144 wrote to memory of 2416 3144 cmd.exe 94 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\520d488564da102f5482fcfdcdbd266a_JaffaCakes118.exe"1⤵
- Drops startup file
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F1454A4D-2AF3-49D4-9045-335EED1EFD8C}'" delete2⤵
- Suspicious use of WriteProcessMemory
PID:3144 -
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F1454A4D-2AF3-49D4-9045-335EED1EFD8C}'" delete3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2416
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3688
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
867B
MD50e1b5789055ef20f16251ac1358b8b27
SHA170f73dbf8592e379d7b2c702d77d0d41cc516016
SHA256651bb8f94deeabeddfa0685742425902ae1a2fce599d0f7d20979832eb2b5080
SHA512e3d38553e076fda1da0474854493ac05342ed248187512f7e26335c608b05a25f514ae8e9006319c5da6d0c97a4bc93182a51e1f37a9b713378604db8ada067a