Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/07/2024, 01:24
Behavioral task: behavioral1
Sample: 69bb96ddc8f289d60c0e8d42a18aab32_JaffaCakes118.exe
Resource: win7-20240708-en
General
Target: 69bb96ddc8f289d60c0e8d42a18aab32_JaffaCakes118.exe
Size: 3.2MB
MD5: 69bb96ddc8f289d60c0e8d42a18aab32
SHA1: fe18c035c76fa49bf4f18b6aa93616087264215f
SHA256: 68d79b1a2a6b6e3bd09918b0254bc0e3d6e9b0eb10d500ba578d564368c4cb36
SHA512: b6888d35bc6f78116ab9825cc7951f1ee276acdda7cf1e0ae83a088075e1bea7dee907a8357cc603e3dee7027ecb7a650a5db62bb617adf250ecf9ae9383b401
SSDEEP: 98304:EQppZVYBcakctG6wts6b03cakcTzqjcakctG6wts6b03cakcO:tMdlBwttbSdlTWdlBwttbSdlO
Malware Config
Signatures
Deletes itself 1 IoCs
pid   Process
1920  69bb96ddc8f289d60c0e8d42a18aab32_JaffaCakes118.exe

Executes dropped EXE 1 IoCs
pid   Process
1920  69bb96ddc8f289d60c0e8d42a18aab32_JaffaCakes118.exe

resource                                                                      yara_rule
behavioral2/memory/1580-0-0x0000000000400000-0x000000000065C000-memory.dmp    upx
behavioral2/files/0x0009000000023412-12.dat                                   upx
behavioral2/memory/1920-14-0x0000000000400000-0x000000000065C000-memory.dmp   upx
Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
flow  ioc
18    pastebin.com

Program crash 20 IoCs
pid   pid_target  Process       procid_target
2848  1920        WerFault.exe  85
2036  1920        WerFault.exe  85
4252  1920        WerFault.exe  85
396   1920        WerFault.exe  85
5000  1920        WerFault.exe  85
3488  1920        WerFault.exe  85
4320  1920        WerFault.exe  85
4844  1920        WerFault.exe  85
4376  1920        WerFault.exe  85
4712  1920        WerFault.exe  85
3924  1920        WerFault.exe  85
4448  1920        WerFault.exe  85
1736  1920        WerFault.exe  85
4304  1920        WerFault.exe  85
2936  1920        WerFault.exe  85
4340  1920        WerFault.exe  85
1688  1920        WerFault.exe  85
1980  1920        WerFault.exe  85
5072  1920        WerFault.exe  85
2284  1920        WerFault.exe  85
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                           Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  69bb96ddc8f289d60c0e8d42a18aab32_JaffaCakes118.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  69bb96ddc8f289d60c0e8d42a18aab32_JaffaCakes118.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
2700  schtasks.exe

Suspicious behavior: RenamesItself 1 IoCs
pid   Process
1580  69bb96ddc8f289d60c0e8d42a18aab32_JaffaCakes118.exe

Suspicious use of UnmapMainImage 2 IoCs
pid   Process
1580  69bb96ddc8f289d60c0e8d42a18aab32_JaffaCakes118.exe
1920  69bb96ddc8f289d60c0e8d42a18aab32_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 12 IoCs
description                       pid   Process                                              procid_target
PID 1580 wrote to memory of 1920  1580  69bb96ddc8f289d60c0e8d42a18aab32_JaffaCakes118.exe  85
PID 1580 wrote to memory of 1920  1580  69bb96ddc8f289d60c0e8d42a18aab32_JaffaCakes118.exe  85
PID 1580 wrote to memory of 1920  1580  69bb96ddc8f289d60c0e8d42a18aab32_JaffaCakes118.exe  85
PID 1920 wrote to memory of 2700  1920  69bb96ddc8f289d60c0e8d42a18aab32_JaffaCakes118.exe  86
PID 1920 wrote to memory of 2700  1920  69bb96ddc8f289d60c0e8d42a18aab32_JaffaCakes118.exe  86
PID 1920 wrote to memory of 2700  1920  69bb96ddc8f289d60c0e8d42a18aab32_JaffaCakes118.exe  86
PID 1920 wrote to memory of 3552  1920  69bb96ddc8f289d60c0e8d42a18aab32_JaffaCakes118.exe  88
PID 1920 wrote to memory of 3552  1920  69bb96ddc8f289d60c0e8d42a18aab32_JaffaCakes118.exe  88
PID 1920 wrote to memory of 3552  1920  69bb96ddc8f289d60c0e8d42a18aab32_JaffaCakes118.exe  88
PID 3552 wrote to memory of 1272  3552  cmd.exe                                              90
PID 3552 wrote to memory of 1272  3552  cmd.exe                                              90
PID 3552 wrote to memory of 1272  3552  cmd.exe                                              90
Processes
C:\Users\Admin\AppData\Local\Temp\69bb96ddc8f289d60c0e8d42a18aab32_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\69bb96ddc8f289d60c0e8d42a18aab32_JaffaCakes118.exe"
    PID: 1580
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: RenamesItself
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\69bb96ddc8f289d60c0e8d42a18aab32_JaffaCakes118.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\69bb96ddc8f289d60c0e8d42a18aab32_JaffaCakes118.exe
        PID: 1920
        - Deletes itself
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of UnmapMainImage
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\schtasks.exe
            Command line: schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\69bb96ddc8f289d60c0e8d42a18aab32_JaffaCakes118.exe" /TN CPAkKnXcaaad /F
            PID: 2700
            - System Location Discovery: System Language Discovery
            - Scheduled Task/Job: Scheduled Task
        C:\Windows\SysWOW64\cmd.exe
            Command line: cmd.exe /c schtasks.exe /Query /XML /TN CPAkKnXcaaad > C:\Users\Admin\AppData\Local\Temp\TTPn06N.xml
            PID: 3552
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\schtasks.exe
                Command line: schtasks.exe /Query /XML /TN CPAkKnXcaaad
                PID: 1272
                - System Location Discovery: System Language Discovery
        C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 600
            PID: 2848
            - Program crash
        C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 632
            PID: 2036
            - Program crash
        C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 716
            PID: 4252
            - Program crash
        C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 724
            PID: 396
            - Program crash
        C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 636
            PID: 5000
            - Program crash
        C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 780
            PID: 3488
            - Program crash
        C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 1476
            PID: 4320
            - Program crash
        C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 1536
            PID: 4844
            - Program crash
        C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 1748
            PID: 4376
            - Program crash
        C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 1708
            PID: 4712
            - Program crash
        C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 1464
            PID: 3924
            - Program crash
        C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 1772
            PID: 4448
            - Program crash
        C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 1544
            PID: 1736
            - Program crash
        C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 1576
            PID: 4304
            - Program crash
        C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 1600
            PID: 2936
            - Program crash
        C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 1512
            PID: 4340
            - Program crash
        C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 1836
            PID: 1688
            - Program crash
        C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 1844
            PID: 1980
            - Program crash
        C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 1604
            PID: 5072
            - Program crash
        C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 628
            PID: 2284
            - Program crash
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1920 -ip 1920
    PID: 4028
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1920 -ip 1920
    PID: 1752
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1920 -ip 1920
    PID: 2552
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1920 -ip 1920
    PID: 3172
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1920 -ip 1920
    PID: 3984
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1920 -ip 1920
    PID: 2332
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1920 -ip 1920
    PID: 1524
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1920 -ip 1920
    PID: 1132
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1920 -ip 1920
    PID: 788
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1920 -ip 1920
    PID: 4460
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1920 -ip 1920
    PID: 1776
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1920 -ip 1920
    PID: 728
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1920 -ip 1920
    PID: 4556
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1920 -ip 1920
    PID: 3604
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 1920 -ip 1920
    PID: 3256
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 1920 -ip 1920
    PID: 5016
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 1920 -ip 1920
    PID: 2848
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 1920 -ip 1920
    PID: 4344
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1920 -ip 1920
    PID: 2320
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 1920 -ip 1920
    PID: 4300
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3.2MB
MD5: a63ae68b02b28aa4ea6fdf47ecf5d178
SHA1: 0733615e296e867bc56cd34a6c419a375f919e48
SHA256: 21ed67798212ae1c39703eb21dc8c6e785afcf3ed9606ff6b63572cc3c7644dd
SHA512: 62cc18c855c627394e0a96d86ffc740e3e282a235e4e9dabda71d2b45a96ca778fecd2a90c5aea1b780e72bb35f4b12ebcb64b05bbeadcabb63aacb588962117

Filesize: 1KB
MD5: 1a438230badf6a67664ba70b870ac77c
SHA1: 28486c74b51f5af70c921f0cd9e133f46839072e
SHA256: e096eeadb865ac8fa0ef02713b37127c55124c06a472a69b3a0158e18284db7a
SHA512: 51c7d25a700327da4ddb94f71f6618180a78493ff42c4da54f75ad483817cad1bb17f34828f97305bea56be895f03f2152a7edd4fddf60c6e10adb6c557e2f35