Analysis

max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/07/2024, 08:30
Static task: static1

Behavioral task: behavioral1
  Sample: 6282fe5a6419462915a66eb2999dfd2a_JaffaCakes118.exe
  Resource: win7-20240704-en

Behavioral task: behavioral2
  Sample: 6282fe5a6419462915a66eb2999dfd2a_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General

Target: 6282fe5a6419462915a66eb2999dfd2a_JaffaCakes118.exe
Size: 593KB
MD5: 6282fe5a6419462915a66eb2999dfd2a
SHA1: 077c0ccb181bb1f767dc3960aa571016e25dfa75
SHA256: 203c04461f229a0f0acf628c644a588b462d7de683f0086154ebd57b6b0e5b49
SHA512: 03ec34262d5060e48cb627b586a047f463b54cad74a80a64bca58ee2a91729f2bf4e62a4dba6964a52b76352d4482992ea3163b05e56f62508c4a7c59ec7de3b
SSDEEP: 12288:GpyuQvBorRimccTxKosx4UwuNjdRLB+9lf76GGsV3ReLiKzgqR:GpyubrRimjsxouBzLAPfZn3g2KzgqR
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
| description | ioc | Process |
| Key value queried | \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation | 6282fe5a6419462915a66eb2999dfd2a_JaffaCakes118.exe |

Executes dropped EXE (2 IoCs)
| pid | Process |
| 4536 | 2815.exe |
| 4236 | WinXPs.com |

Drops file in System32 directory (1 IoC)
| description | ioc | Process |
| File created | C:\Windows\SysWOW64\2815.exe | 6282fe5a6419462915a66eb2999dfd2a_JaffaCakes118.exe |

Drops file in Windows directory (2 IoCs)
| description | ioc | Process |
| File created | C:\Windows\WinXPs.com | 2815.exe |
| File opened for modification | C:\Windows\WinXPs.com | 2815.exe |

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (2 IoCs)
| pid | pid_target | Process | procid_target |
| 3776 | 4536 | WerFault.exe | 87 |
| 396 | 4236 | WerFault.exe | 91 |

Modifies data under HKEY_USERS (5 IoCs)
| description | ioc | Process |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | WinXPs.com |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | WinXPs.com |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | WinXPs.com |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | WinXPs.com |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | WinXPs.com |

Suspicious use of AdjustPrivilegeToken (2 IoCs)
| description | pid | Process |
| Token: SeDebugPrivilege | 4536 | 2815.exe |
| Token: SeDebugPrivilege | 4236 | WinXPs.com |

Suspicious use of FindShellTrayWindow (1 IoC)
| pid | Process |
| 4236 | WinXPs.com |

Suspicious use of WriteProcessMemory (6 IoCs)
| description | pid | Process | procid_target |
| PID 2156 wrote to memory of 4536 | 2156 | 6282fe5a6419462915a66eb2999dfd2a_JaffaCakes118.exe | 87 |
| PID 2156 wrote to memory of 4536 | 2156 | 6282fe5a6419462915a66eb2999dfd2a_JaffaCakes118.exe | 87 |
| PID 2156 wrote to memory of 4536 | 2156 | 6282fe5a6419462915a66eb2999dfd2a_JaffaCakes118.exe | 87 |
| PID 4236 wrote to memory of 5108 | 4236 | WinXPs.com | 94 |
| PID 4236 wrote to memory of 5108 | 4236 | WinXPs.com | 94 |
| PID 4236 wrote to memory of 5108 | 4236 | WinXPs.com | 94 |
Processes (child processes are indented under their parent)

C:\Users\Admin\AppData\Local\Temp\6282fe5a6419462915a66eb2999dfd2a_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6282fe5a6419462915a66eb2999dfd2a_JaffaCakes118.exe"
  PID: 2156
  - Checks computer location settings
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\2815.exe
      Command line: "C:\Windows\System32\2815.exe"
      PID: 4536
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 516
          PID: 3776
          - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4536 -ip 4536
  PID: 2220

C:\Windows\WinXPs.com
  Command line: C:\Windows\WinXPs.com
  PID: 4236
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 516
      PID: 396
      - Program crash
    C:\WINDOWS\SysWOW64\svchost.exe
      Command line: C:\WINDOWS\system32\svchost.exe
      PID: 5108

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4236 -ip 4236
  PID: 4884
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 297KB
MD5: 5f508dea688139638c9a73dd03b580eb
SHA1: 7a16b6dbb81af07378cd568ace3af897b397410a
SHA256: ddd9676f893da8eb1c0570c094e94bc3cad4e35e9c519cc3a95c46811c7bb703
SHA512: da517ca4fbce3d655ebdad8fc7f4cc54100d58e5cb4efefd91647734c2af719a83326c7794c6cf3d177f92406c6c3a46d58151fdc14637126bb7698c7b3e96d9