Analysis
max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags
arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted
25/07/2024, 10:34
Behavioral task
behavioral1
Sample
6f38ca18877da4532b7ad3b69349a1d4_JaffaCakes118.exe
Resource
win7-20240704-en
General
Target
6f38ca18877da4532b7ad3b69349a1d4_JaffaCakes118.exe
Size
77KB
MD5
6f38ca18877da4532b7ad3b69349a1d4
SHA1
793fa2dc9a9d108f215be45d39533c95ff7661b6
SHA256
edce7ba96dd0f05c060f9085cf2735979a8d026fe0ceef484af9b36b356e72ce
SHA512
fb1d353672dd794bc4d30dd739a7bd56a871e56c30a1e4b458562acd0c8a5d0404b43b80a403fd76f4d9b639848a9c79c46f049c124314b678457021fc4f8491
SSDEEP
1536:/QwOc0tE2Lfa9j336w5PQeTOJXOi4WEWod+58WUOW+RGaCCUn4Qy:/FsxfyHdh7TOdOi4JWod+58UW+RGaC/E
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation | 6f38ca18877da4532b7ad3b69349a1d4_JaffaCakes118.exe

Executes dropped EXE (1 IoC)
pid | Process
3456 | servar.exe

YARA rule matches (2 IoCs)
resource | yara_rule
behavioral2/memory/3508-1-0x0000000000400000-0x0000000001A97000-memory.dmp | vmprotect
behavioral2/memory/3508-17-0x0000000000400000-0x0000000001A97000-memory.dmp | vmprotect

Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\windows\servar.exe | 6f38ca18877da4532b7ad3b69349a1d4_JaffaCakes118.exe
File created | C:\windows\Comres.dll | 6f38ca18877da4532b7ad3b69349a1d4_JaffaCakes118.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
pid | pid_target | Process | procid_target
412 | 3456 | WerFault.exe | 87

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6f38ca18877da4532b7ad3b69349a1d4_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | servar.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe

Modifies system certificate store (2 IoCs)
description | ioc | Process
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\68A12DE4422589E97E1C6396FE17B5024FE0547A\Blob = <blob data omitted> | 6f38ca18877da4532b7ad3b69349a1d4_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\68A12DE4422589E97E1C6396FE17B5024FE0547A | 6f38ca18877da4532b7ad3b69349a1d4_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
3508 | 6f38ca18877da4532b7ad3b69349a1d4_JaffaCakes118.exe
3508 | 6f38ca18877da4532b7ad3b69349a1d4_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeBackupPrivilege | 3508 | 6f38ca18877da4532b7ad3b69349a1d4_JaffaCakes118.exe
Token: SeRestorePrivilege | 3508 | 6f38ca18877da4532b7ad3b69349a1d4_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 3508 wrote to memory of 3456 | 3508 | 6f38ca18877da4532b7ad3b69349a1d4_JaffaCakes118.exe | 87
PID 3508 wrote to memory of 3456 | 3508 | 6f38ca18877da4532b7ad3b69349a1d4_JaffaCakes118.exe | 87
PID 3508 wrote to memory of 3456 | 3508 | 6f38ca18877da4532b7ad3b69349a1d4_JaffaCakes118.exe | 87
PID 3508 wrote to memory of 1192 | 3508 | 6f38ca18877da4532b7ad3b69349a1d4_JaffaCakes118.exe | 92
PID 3508 wrote to memory of 1192 | 3508 | 6f38ca18877da4532b7ad3b69349a1d4_JaffaCakes118.exe | 92
PID 3508 wrote to memory of 1192 | 3508 | 6f38ca18877da4532b7ad3b69349a1d4_JaffaCakes118.exe | 92
Processes
C:\Users\Admin\AppData\Local\Temp\6f38ca18877da4532b7ad3b69349a1d4_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6f38ca18877da4532b7ad3b69349a1d4_JaffaCakes118.exe"
  PID: 3508
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\windows\servar.exe
    Command line: "C:\windows\servar.exe"
    PID: 3456
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 368
      PID: 412
      - Program crash

  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c afc9fe2f418b00a0.bat
    PID: 1192
    - System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3456 -ip 3456
  PID: 4520
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
230B
MD5
ebe7a5976a5116504a7658df92bc3e85
SHA1
3dc9b4e647ab7739d1b5715ff8c7b04556d2a970
SHA256
09433041453057358f16a486db484f230ae4ff6909cd464d7d105647d289d87b
SHA512
2def3cf6f9ecaeb2ece1d2fa1d76ed8321db5c004c0a673c8563b845178c53eb42b3b8d6eac6a67f19ce4c87f104a4d993aa8b2d1eaa58e842e883b340f2aa73

Filesize
2KB
MD5
718b255b19ac24971a1c5de3a3dce33c
SHA1
958044b7075e31c765fb9d85c5fdaf79bb4b7441
SHA256
0e8eb42a5a28c2892bf90c24027a31e3574e9ab2198228594deb1016d2e03678
SHA512
ef27781fd0b56b0fd75c1824b17cf6edd6713069dc88638bc0914e2267e883352d014bde9cf407e6ec32d76000d0a7e6fe11be02f31054449e74774785f5402d

Filesize
22.4MB
MD5
f85bf6b63d6900fe957ec3de292963fe
SHA1
014504f74bfa4ceb0fee528e9f8ebfaef3ba5906
SHA256
8991cdf1bdfb0fd59441543f03b5e0d8f4951c9ea84737f18d0423a67a2d731d
SHA512
ca3ca75368b179e4b05356d2e355714e8e04ddd4110241d8f62f9b52a7972322a051b32d3cfa145af7debb49c1347c5ca8c33daeed46e362979e6ba3d2b5bc86