Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
137s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
23/07/2024, 11:10
Static task
static1
Behavioral task
behavioral1
Sample
675893111f243b965cbf829005f0612c_JaffaCakes118.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
675893111f243b965cbf829005f0612c_JaffaCakes118.exe
Resource
win10v2004-20240709-en
General
-
Target
675893111f243b965cbf829005f0612c_JaffaCakes118.exe
-
Size
47KB
-
MD5
675893111f243b965cbf829005f0612c
-
SHA1
bb0f943d4373b30297f02ba3f6c4746faf25a731
-
SHA256
5d36244f243c33c7f0700231d92558d7ea84975310fb34900b7265560ee99e99
-
SHA512
60ee509f19d417209504936521f0494560d331b1f1c9499cb58fdaf6158786604d10135d1a7e97bcc93078aacf03a291fc3d58f982d3b8f60fec756e22393cf0
-
SSDEEP
768:8PZ7qtPegxpQozpzpn7UM4epXNeyvrvlTaXRubLrlFLy/CoNh/BRijM1/f/nKXlB:DBtQOzJUMRNXvxTaXEpI/7hz/3n6B
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation cmd.exe -
Loads dropped DLL 1 IoCs
pid Process 4624 675893111f243b965cbf829005f0612c_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
description ioc Process Key created \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31120627" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "428499272" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{1FB6548B-48E7-11EF-9338-4A319C7DE533} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4096198303" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4097760877" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4096198303" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31120627" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31120627" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31120627" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4097760877" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Key created \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Microsoft\Internet Explorer\GPU IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" IEXPLORE.EXE -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: 33 4624 675893111f243b965cbf829005f0612c_JaffaCakes118.exe Token: SeIncBasePriorityPrivilege 4624 675893111f243b965cbf829005f0612c_JaffaCakes118.exe Token: 33 4624 675893111f243b965cbf829005f0612c_JaffaCakes118.exe Token: SeIncBasePriorityPrivilege 4624 675893111f243b965cbf829005f0612c_JaffaCakes118.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2480 iexplore.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 2480 iexplore.exe 2480 iexplore.exe 1360 IEXPLORE.EXE 1360 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 4624 wrote to memory of 5084 4624 675893111f243b965cbf829005f0612c_JaffaCakes118.exe 84 PID 4624 wrote to memory of 5084 4624 675893111f243b965cbf829005f0612c_JaffaCakes118.exe 84 PID 4624 wrote to memory of 5084 4624 675893111f243b965cbf829005f0612c_JaffaCakes118.exe 84 PID 5084 wrote to memory of 2480 5084 cmd.exe 87 PID 5084 wrote to memory of 2480 5084 cmd.exe 87 PID 2480 wrote to memory of 1360 2480 iexplore.exe 90 PID 2480 wrote to memory of 1360 2480 iexplore.exe 90 PID 2480 wrote to memory of 1360 2480 iexplore.exe 90 PID 4624 wrote to memory of 2480 4624 675893111f243b965cbf829005f0612c_JaffaCakes118.exe 87 PID 4624 wrote to memory of 2480 4624 675893111f243b965cbf829005f0612c_JaffaCakes118.exe 87 PID 4624 wrote to memory of 1508 4624 675893111f243b965cbf829005f0612c_JaffaCakes118.exe 96 PID 4624 wrote to memory of 1508 4624 675893111f243b965cbf829005f0612c_JaffaCakes118.exe 96 PID 4624 wrote to memory of 1508 4624 675893111f243b965cbf829005f0612c_JaffaCakes118.exe 96 PID 4624 wrote to memory of 4712 4624 675893111f243b965cbf829005f0612c_JaffaCakes118.exe 97 PID 4624 wrote to memory of 4712 4624 675893111f243b965cbf829005f0612c_JaffaCakes118.exe 97 PID 4624 wrote to memory of 4712 4624 675893111f243b965cbf829005f0612c_JaffaCakes118.exe 97
Processes
-
C:\Users\Admin\AppData\Local\Temp\675893111f243b965cbf829005f0612c_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\675893111f243b965cbf829005f0612c_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4624 -
C:\Windows\SysWOW64\cmd.execmd /c start iexplore -embedding2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5084 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -embedding3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2480 CREDAT:17410 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1360
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\gos951C.bat"2⤵PID:1508
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\675893111f243b965cbf829005f0612c_JaffaCakes118.bat"2⤵PID:4712
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
15KB
MD51a545d0052b581fbb2ab4c52133846bc
SHA162f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d
-
Filesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
Filesize
307B
MD56a1a7b971a636bc7c4ed9b4517f2bce8
SHA1405d39446276c0c205992fe587ca98942af887bf
SHA2564ab7b5220309fa971de52ca25dc8ec56aba54703ebc4b82cb4f2a35c34edfb0c
SHA512504177882d594ed16277416ec7c392ade5a382e16e0dbbed735c17315d88ba3b8c10660bdcd099d9592d6eb71ae2854692696555fb124fae8ef6fe41c7de1358
-
Filesize
190B
MD5611126ad8d153a8933c2436b144e136a
SHA1f740256eaab2c588089dc3d3cd59225ad15ec8fd
SHA256d16a1d32535f150ac488d729e48ddcfc3a3a96d6a3f712a285bf53bd700ac3b1
SHA5126c9bbc3ac0afece5a04b69471875c0d6cce47ad87f1ff8c7c0f67fc70bbc01cb46db690b08a0c239f26c39b345d3ad76001b4b41c4aeb6d5b9fd0a87c60bd646
-
Filesize
26KB
MD5a5f25b49632f6e91e0a0e8fa0465473f
SHA194a246dea7f6eeadedeacc3df3f353ddea306389
SHA256a000322d6d7ee57b072461f651ecc6feecd5f3441d5353931ab7ab660cfaf913
SHA51285765a3cd9b4c9b1031e0c2d3107ab74da0eef82f7712527e87e85164e718c5cc2e00080326b2fe99764602984d3817e96cda127c1d02cf8ddbc4b99f7141088