Analysis
  max time kernel: 150s
  max time network: 152s
  platform: windows10-2004_x64
  resource: win10v2004-20240709-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 19/07/2024, 20:08

Behavioral task behavioral1
  Sample: 5d7bbd8f8d2858b947ebbbf5e8366c02_JaffaCakes118.exe
  Resource: win7-20240708-en

Behavioral task behavioral2
  Sample: 5d7bbd8f8d2858b947ebbbf5e8366c02_JaffaCakes118.exe
  Resource: win10v2004-20240709-en

General
  Target: 5d7bbd8f8d2858b947ebbbf5e8366c02_JaffaCakes118.exe
  Size: 654KB
  MD5: 5d7bbd8f8d2858b947ebbbf5e8366c02
  SHA1: 0ebfba42374fea084b32522060a46c14d39e0c4c
  SHA256: cfb918dff19f116dc17cd08ca2e9aca1d10eb2b8c5239146045154d614d9c240
  SHA512: 44cad738aca3660f598b7661b859c96db9e64e60682b86cb64a2f118f97aaa444548fa63ec5201b75220e9b160ddf53ec369859e5d7f241ea85248fb5eb59d1b
  SSDEEP: 12288:wrmZGB/ZxZ2jcrRKpzqQDaDQx76kvsz3J1R7JiYitaLoSp:wr3VZxZ2C8zqQ+QV6s6Z1N8O
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried | ioc: \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | Process: 5d7bbd8f8d2858b947ebbbf5e8366c02_JaffaCakes118.exe

Executes dropped EXE (1 IoC)
  pid: 3144 | Process: svcttkt.exe

Loads dropped DLL (1 IoC)
  pid: 1360 | Process: rundll32.exe

yara_rule hits
  resource: behavioral2/memory/2816-0-0x0000000000400000-0x0000000001954000-memory.dmp | yara_rule: upx
  resource: behavioral2/memory/2816-51-0x0000000000400000-0x0000000001954000-memory.dmp | yara_rule: upx

Drops file in System32 directory (6 IoCs)
  description: File opened for modification | ioc: C:\Windows\SysWOW64\GroupPolicy\user | Process: attrib.exe
  description: File created | ioc: C:\Windows\SysWOW64\GroupPolicy\gpt.ini | Process: cmd.exe
  description: File opened for modification | ioc: C:\Windows\SysWOW64\GroupPolicy\gpt.ini | Process: cmd.exe
  description: File opened for modification | ioc: C:\Windows\SysWOW64\GroupPolicy\user\Scripts\Shutdown | Process: attrib.exe
  description: File opened for modification | ioc: C:\Windows\SysWOW64\GroupPolicy\user\Scripts\Startup | Process: attrib.exe
  description: File opened for modification | ioc: C:\Windows\SysWOW64\GroupPolicy\user\Scripts | Process: attrib.exe

Drops file in Program Files directory (1 IoC)
  description: File created | ioc: C:\Program Files\Common Files\System\Ole DB\msadotb.htm | Process: svcttkt.exe

Drops file in Windows directory (10 IoCs)
  description: File opened for modification | ioc: C:\Windows\Debug\win.dat | Process: cmd.exe
  description: File created | ioc: C:\Windows\ime\winxp.dat | Process: cmd.exe
  description: File opened for modification | ioc: C:\Windows\ime\winxp.dat | Process: cmd.exe
  description: File created | ioc: C:\Windows\Debug\error.gg | Process: cmd.exe
  description: File created | ioc: C:\Windows\ime\scripts.ini | Process: cmd.exe
  description: File opened for modification | ioc: C:\Windows\ime\scripts.ini | Process: cmd.exe
  description: File created | ioc: C:\Windows\ime\svcttkt.exe | Process: cmd.exe
  description: File opened for modification | ioc: C:\Windows\ime\svcttkt.exe | Process: cmd.exe
  description: File opened for modification | ioc: C:\Windows\ime\de-DE\svcttkt.ini | Process: svcttkt.exe
  description: File opened for modification | ioc: C:\Windows\Debug\tb.dat | Process: cmd.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Enumerates processes with tasklist (1 TTP, 1 IoC)
  pid: 2272 | Process: tasklist.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid: 1360 | Process: rundll32.exe
  pid: 1360 | Process: rundll32.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description: Token: SeDebugPrivilege | pid: 2272 | Process: tasklist.exe
  description: Token: 33 | pid: 3144 | Process: svcttkt.exe
  description: Token: SeIncBasePriorityPrivilege | pid: 3144 | Process: svcttkt.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid: 3144 | Process: svcttkt.exe
  pid: 3144 | Process: svcttkt.exe

Suspicious use of WriteProcessMemory (21 IoCs)
  description: PID 2816 wrote to memory of 4156 | pid: 2816 | Process: 5d7bbd8f8d2858b947ebbbf5e8366c02_JaffaCakes118.exe | procid_target: 87
  description: PID 2816 wrote to memory of 4156 | pid: 2816 | Process: 5d7bbd8f8d2858b947ebbbf5e8366c02_JaffaCakes118.exe | procid_target: 87
  description: PID 2816 wrote to memory of 4156 | pid: 2816 | Process: 5d7bbd8f8d2858b947ebbbf5e8366c02_JaffaCakes118.exe | procid_target: 87
  description: PID 4156 wrote to memory of 220 | pid: 4156 | Process: cmd.exe | procid_target: 90
  description: PID 4156 wrote to memory of 220 | pid: 4156 | Process: cmd.exe | procid_target: 90
  description: PID 4156 wrote to memory of 220 | pid: 4156 | Process: cmd.exe | procid_target: 90
  description: PID 4156 wrote to memory of 1588 | pid: 4156 | Process: cmd.exe | procid_target: 91
  description: PID 4156 wrote to memory of 1588 | pid: 4156 | Process: cmd.exe | procid_target: 91
  description: PID 4156 wrote to memory of 1588 | pid: 4156 | Process: cmd.exe | procid_target: 91
  description: PID 4156 wrote to memory of 2272 | pid: 4156 | Process: cmd.exe | procid_target: 92
  description: PID 4156 wrote to memory of 2272 | pid: 4156 | Process: cmd.exe | procid_target: 92
  description: PID 4156 wrote to memory of 2272 | pid: 4156 | Process: cmd.exe | procid_target: 92
  description: PID 4156 wrote to memory of 4812 | pid: 4156 | Process: cmd.exe | procid_target: 93
  description: PID 4156 wrote to memory of 4812 | pid: 4156 | Process: cmd.exe | procid_target: 93
  description: PID 4156 wrote to memory of 4812 | pid: 4156 | Process: cmd.exe | procid_target: 93
  description: PID 4156 wrote to memory of 1360 | pid: 4156 | Process: cmd.exe | procid_target: 95
  description: PID 4156 wrote to memory of 1360 | pid: 4156 | Process: cmd.exe | procid_target: 95
  description: PID 4156 wrote to memory of 1360 | pid: 4156 | Process: cmd.exe | procid_target: 95
  description: PID 4156 wrote to memory of 3144 | pid: 4156 | Process: cmd.exe | procid_target: 96
  description: PID 4156 wrote to memory of 3144 | pid: 4156 | Process: cmd.exe | procid_target: 96
  description: PID 4156 wrote to memory of 3144 | pid: 4156 | Process: cmd.exe | procid_target: 96

Views/modifies file attributes (1 TTP, 1 IoC)
  pid: 220 | Process: attrib.exe
Processes
C:\Users\Admin\AppData\Local\Temp\5d7bbd8f8d2858b947ebbbf5e8366c02_JaffaCakes118.exe (PID 2816)
  command line: "C:\Users\Admin\AppData\Local\Temp\5d7bbd8f8d2858b947ebbbf5e8366c02_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (PID 4156)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9E24.tmp\sso.bat" "
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\attrib.exe (PID 220)
      command line: attrib C:\Windows\system32\GroupPolicy\*.* -r -s -h /s /d
      - Drops file in System32 directory
      - Views/modifies file attributes

    C:\Windows\SysWOW64\reg.exe (PID 1588)
      command line: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager" /v "PendingFileRenameOperations2" /t "REG_MULTI_SZ" /d "\??\C:\Windows\ime0\0\??C:\Windows\ime\0\??\C:\Windows\ime\scripts.ini\0\??\C:\Windows\System32\GroupPolicy\user\Scripts\scripts.ini" /f

    C:\Windows\SysWOW64\tasklist.exe (PID 2272)
      command line: tasklist
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\findstr.exe (PID 4812)
      command line: findstr /i "ravmond.exe"

    C:\Windows\SysWOW64\rundll32.exe (PID 1360)
      command line: C:\Windows\system32\rundll32.exe C:\Windows\ime\winxp.dat,Launch
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses

    C:\Windows\ime\svcttkt.exe (PID 3144)
      command line: C:\Windows\ime\svcttkt.exe
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads