Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/07/2024, 09:59
Static task: static1
Behavioral task: behavioral1
  Sample: 60058771844545cbf6c53ced634af4a5_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 60058771844545cbf6c53ced634af4a5_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
Target: 60058771844545cbf6c53ced634af4a5_JaffaCakes118.exe
Size: 166KB
MD5: 60058771844545cbf6c53ced634af4a5
SHA1: 91af686df0b426fc78b3f8b34bb9f1f6beec1f31
SHA256: c2e41bcb037e2b6acda4700d6c70f1a0fe056e61d277ca39b978c6411d089bc8
SHA512: a2d5a3cfa15560b6afa1b6f8eee97477a990502c30b73034f75b543b7e3f6fa816612eae2d187d47d6283f73932cfbdc31be55530ea1c3f2ebc6bcf07a2ce9bb
SSDEEP: 3072:2DZ8aYdmuZenediG9oSYnQCAkiNswhxIm6Wiy+Ysft8e1s7I:65eeQiuRYnQCpiLI5y+YE8qA
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation | 60058771844545cbf6c53ced634af4a5_JaffaCakes118.exe

Executes dropped EXE (1 IoC)
pid | Process
3576 | vvifkm.exe

Loads dropped DLL (1 IoC)
pid | Process
3576 | vvifkm.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (16 IoCs)
pid | pid_target | Process | procid_target
1688 | 2536 | WerFault.exe | 83
4560 | 2536 | WerFault.exe | 83
1932 | 2536 | WerFault.exe | 83
2408 | 2536 | WerFault.exe | 83
4608 | 2536 | WerFault.exe | 83
3232 | 2536 | WerFault.exe | 83
2304 | 2536 | WerFault.exe | 83
4172 | 2536 | WerFault.exe | 83
2404 | 3576 | WerFault.exe | 111
3756 | 3576 | WerFault.exe | 111
3156 | 3576 | WerFault.exe | 111
988 | 3576 | WerFault.exe | 111
1836 | 3576 | WerFault.exe | 111
1224 | 3576 | WerFault.exe | 111
4908 | 3576 | WerFault.exe | 111
448 | 3576 | WerFault.exe | 111
Kills process with taskkill (1 IoC)
pid | Process
2704 | taskkill.exe

Runs ping.exe (1 TTP, 1 IoC)
pid | Process
3144 | PING.EXE

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
3576 | vvifkm.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 2704 | taskkill.exe

Suspicious use of FindShellTrayWindow (3 IoCs)
pid | Process
3576 | vvifkm.exe
3576 | vvifkm.exe
3576 | vvifkm.exe

Suspicious use of SendNotifyMessage (3 IoCs)
pid | Process
3576 | vvifkm.exe
3576 | vvifkm.exe
3576 | vvifkm.exe
Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 2536 wrote to memory of 4636 | 2536 | 60058771844545cbf6c53ced634af4a5_JaffaCakes118.exe | 102
PID 2536 wrote to memory of 4636 | 2536 | 60058771844545cbf6c53ced634af4a5_JaffaCakes118.exe | 102
PID 2536 wrote to memory of 4636 | 2536 | 60058771844545cbf6c53ced634af4a5_JaffaCakes118.exe | 102
PID 4636 wrote to memory of 2704 | 4636 | cmd.exe | 105
PID 4636 wrote to memory of 2704 | 4636 | cmd.exe | 105
PID 4636 wrote to memory of 2704 | 4636 | cmd.exe | 105
PID 4636 wrote to memory of 3144 | 4636 | cmd.exe | 108
PID 4636 wrote to memory of 3144 | 4636 | cmd.exe | 108
PID 4636 wrote to memory of 3144 | 4636 | cmd.exe | 108
PID 4636 wrote to memory of 3576 | 4636 | cmd.exe | 111
PID 4636 wrote to memory of 3576 | 4636 | cmd.exe | 111
PID 4636 wrote to memory of 3576 | 4636 | cmd.exe | 111
Processes
(indentation shows the parent/child relationship; each node is the command line followed by its PID and the signatures it triggered)

"C:\Users\Admin\AppData\Local\Temp\60058771844545cbf6c53ced634af4a5_JaffaCakes118.exe"  (PID 2536)
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 624  (PID 1688)
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 732  (PID 4560)
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 860  (PID 1932)
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 752  (PID 2408)
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 1008  (PID 4608)
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 1032  (PID 3232)
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 844  (PID 2304)
      - Program crash
    "C:\Windows\System32\cmd.exe" /c taskkill /f /pid 2536 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\60058771844545cbf6c53ced634af4a5_JaffaCakes118.exe" & start C:\Users\Admin\AppData\Local\vvifkm.exe -f  (PID 4636)
      Image: C:\Windows\SysWOW64\cmd.exe
      - Suspicious use of WriteProcessMemory
        taskkill /f /pid 2536  (PID 2704)
          Image: C:\Windows\SysWOW64\taskkill.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
        ping -n 3 127.1  (PID 3144)
          Image: C:\Windows\SysWOW64\PING.EXE
          - Runs ping.exe
        C:\Users\Admin\AppData\Local\vvifkm.exe -f  (PID 3576)
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
            C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 876  (PID 2404)
              - Program crash
            C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 904  (PID 3756)
              - Program crash
            C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 1180  (PID 3156)
              - Program crash
            C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 1200  (PID 988)
              - Program crash
            C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 1208  (PID 1836)
              - Program crash
            C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 1220  (PID 1224)
              - Program crash
            C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 1232  (PID 4908)
              - Program crash
            C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 1188  (PID 448)
              - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 152  (PID 4172)
      - Program crash

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2536 -ip 2536  (PID 4860)
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 2536 -ip 2536  (PID 4280)
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2536 -ip 2536  (PID 3296)
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2536 -ip 2536  (PID 532)
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2536 -ip 2536  (PID 3196)
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2536 -ip 2536  (PID 3088)
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2536 -ip 2536  (PID 4128)
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2536 -ip 2536  (PID 2200)
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 3576 -ip 3576  (PID 1644)
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3576 -ip 3576  (PID 2564)
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3576 -ip 3576  (PID 4988)
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3576 -ip 3576  (PID 4416)
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3576 -ip 3576  (PID 1468)
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3576 -ip 3576  (PID 1648)
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 3576 -ip 3576  (PID 2692)
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3576 -ip 3576  (PID 1072)
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 166KB
MD5: 60058771844545cbf6c53ced634af4a5
SHA1: 91af686df0b426fc78b3f8b34bb9f1f6beec1f31
SHA256: c2e41bcb037e2b6acda4700d6c70f1a0fe056e61d277ca39b978c6411d089bc8
SHA512: a2d5a3cfa15560b6afa1b6f8eee97477a990502c30b73034f75b543b7e3f6fa816612eae2d187d47d6283f73932cfbdc31be55530ea1c3f2ebc6bcf07a2ce9bb