Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
25/07/2024, 09:10
Static task
static1
Behavioral task
behavioral1
Sample
6ef50ed3896a94e948c0f54ebfafb097_JaffaCakes118.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
6ef50ed3896a94e948c0f54ebfafb097_JaffaCakes118.exe
Resource
win10v2004-20240709-en
General
-
Target
6ef50ed3896a94e948c0f54ebfafb097_JaffaCakes118.exe
-
Size
131KB
-
MD5
6ef50ed3896a94e948c0f54ebfafb097
-
SHA1
9f2e965528efb8b5647c3c9f5cd0d2ea4b59f87e
-
SHA256
03ab9ed160437fb70245ff625e47325695395e23a6726e80b81d1025e3cd327d
-
SHA512
fbdc883287037d08b072f21ff7d33deabbbcbe1adeaa9a77c5a172338ba70f38ff6d9ba6564e27f8c7ddc423e15d016f60c93870d74242ea7772468ce85f4b56
-
SSDEEP
3072:byvykMmWULgCdTZQpoGww24PRkoHGDBTDVbnD:bXkMULgCdTqpoGTjRk7D
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gger.exe -
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 2824 netsh.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation 6ef50ed3896a94e948c0f54ebfafb097_JaffaCakes118.exe Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation gger.exe -
Executes dropped EXE 1 IoCs
pid Process 2224 gger.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Stre = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\gger.exe\" @.." gger.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Stre = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\gger.exe\"" gger.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gger.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA gger.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2224 gger.exe 2224 gger.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2224 gger.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 808 wrote to memory of 2224 808 6ef50ed3896a94e948c0f54ebfafb097_JaffaCakes118.exe 86 PID 808 wrote to memory of 2224 808 6ef50ed3896a94e948c0f54ebfafb097_JaffaCakes118.exe 86 PID 2224 wrote to memory of 2824 2224 gger.exe 88 PID 2224 wrote to memory of 2824 2224 gger.exe 88 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gger.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6ef50ed3896a94e948c0f54ebfafb097_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\6ef50ed3896a94e948c0f54ebfafb097_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:808 -
C:\Users\Admin\AppData\Local\Temp\gger.exe"C:\Users\Admin\AppData\Local\Temp\gger.exe"2⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2224 -
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\gger.exe" "gger.exe" ENABLE3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:2824
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
131KB
MD56ef50ed3896a94e948c0f54ebfafb097
SHA19f2e965528efb8b5647c3c9f5cd0d2ea4b59f87e
SHA25603ab9ed160437fb70245ff625e47325695395e23a6726e80b81d1025e3cd327d
SHA512fbdc883287037d08b072f21ff7d33deabbbcbe1adeaa9a77c5a172338ba70f38ff6d9ba6564e27f8c7ddc423e15d016f60c93870d74242ea7772468ce85f4b56