Overview (score: 7)

Tasks (sample, platform, score):

  Static                 static                -      1
  6fae566b41...18.exe    windows7-x64          7
  6fae566b41...18.exe    windows10-2004-x64    7
  mcffplg.dll            windows7-x64          3
  mcffplg.dll            windows10-2004-x64    3
  saffplg.js             windows7-x64          3
  saffplg.js             windows10-2004-x64    3
  mcieplg.dll            windows7-x64          6
  mcieplg.dll            windows10-2004-x64    3
  x64/mcieplg.dll        windows7-x64          7
  x64/mcieplg.dll        windows10-2004-x64    1
  $TEMP/$_0_...st.exe    windows7-x64          (no score)
  $TEMP/$_0_...st.exe    windows10-2004-x64    (no score)
  $TEMP/$_0_...ui.dll    windows7-x64          1
  $TEMP/$_0_...ui.dll    windows10-2004-x64    1
  $TEMP/$_0_...ns.dll    windows7-x64          1
  $TEMP/$_0_...ns.dll    windows10-2004-x64    1
  mcsacins.dll           windows7-x64          3
  mcsacins.dll           windows10-2004-x64    3
  saInst.exe             windows7-x64          7
  saInst.exe             windows10-2004-x64    7
  $TEMP/$_0_...st.exe    windows7-x64          (no score)
  $TEMP/$_0_...st.exe    windows10-2004-x64    (no score)
  mcbrwctl.dll           windows7-x64          3
  mcbrwctl.dll           windows10-2004-x64    3
  mcsacore.exe           windows7-x64          3
  mcsacore.exe           windows10-2004-x64    3
  mcsacoreps.dll         windows7-x64          3
  mcsacoreps.dll         windows10-2004-x64    3
  saupkeep.dll           windows7-x64          3
  saupkeep.dll           windows10-2004-x64    3
  uninstall.exe          windows7-x64          3
  uninstall.exe          windows10-2004-x64    3

Analysis
max time kernel: 119s
max time network: 121s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 25/07/2024, 13:01
Static task
static1

Behavioral tasks (task, sample, resource):

  behavioral1     6fae566b41f9c53f1f4d137ff241aac6_JaffaCakes118.exe    win7-20240705-en
  behavioral2     6fae566b41f9c53f1f4d137ff241aac6_JaffaCakes118.exe    win10v2004-20240709-en
  behavioral3     mcffplg.dll                                           win7-20240708-en
  behavioral4     mcffplg.dll                                           win10v2004-20240709-en
  behavioral5     saffplg.js                                            win7-20240708-en
  behavioral6     saffplg.js                                            win10v2004-20240709-en
  behavioral7     mcieplg.dll                                           win7-20240708-en
  behavioral8     mcieplg.dll                                           win10v2004-20240709-en
  behavioral9     x64/mcieplg.dll                                       win7-20240708-en
  behavioral10    x64/mcieplg.dll                                       win10v2004-20240709-en
  behavioral11    $TEMP/$_0_ /mcinst.exe                                win7-20240704-en
  behavioral12    $TEMP/$_0_ /mcinst.exe                                win10v2004-20240709-en
  behavioral13    $TEMP/$_0_ /mcplgui.dll                               win7-20240704-en
  behavioral14    $TEMP/$_0_ /mcplgui.dll                               win10v2004-20240709-en
  behavioral15    $TEMP/$_0_ /mcsacins.dll                              win7-20240704-en
  behavioral16    $TEMP/$_0_ /mcsacins.dll                              win10v2004-20240709-en
  behavioral17    mcsacins.dll                                          win7-20240705-en
  behavioral18    mcsacins.dll                                          win10v2004-20240709-en
  behavioral19    saInst.exe                                            win7-20240708-en
  behavioral20    saInst.exe                                            win10v2004-20240709-en
  behavioral21    $TEMP/$_0_ /saInst.exe                                win7-20240708-en
  behavioral22    $TEMP/$_0_ /saInst.exe                                win10v2004-20240709-en
  behavioral23    mcbrwctl.dll                                          win7-20240704-en
  behavioral24    mcbrwctl.dll                                          win10v2004-20240709-en
  behavioral25    mcsacore.exe                                          win7-20240704-en
  behavioral26    mcsacore.exe                                          win10v2004-20240709-en
  behavioral27    mcsacoreps.dll                                        win7-20240704-en
  behavioral28    mcsacoreps.dll                                        win10v2004-20240709-en
  behavioral29    saupkeep.dll                                          win7-20240705-en
  behavioral30    saupkeep.dll                                          win10v2004-20240709-en
  behavioral31    uninstall.exe                                         win7-20240708-en
  behavioral32    uninstall.exe                                         win10v2004-20240709-en
General
Target: 6fae566b41f9c53f1f4d137ff241aac6_JaffaCakes118.exe
Size: 5.7MB
MD5: 6fae566b41f9c53f1f4d137ff241aac6
SHA1: 85203ff23317aa2df37ebbad2b7e08f9eef311b4
SHA256: eac446bbf4f95d4780ab8573d3775f98de6a1efe455b39f087eb16655395df50
SHA512: 3a870f36e8384e72f17fc5504e4a46786fb0b0dcdde019f8764e0dfccf665e59fc319dda7c7d52a943de97bd2d9262a561cf5c33bf16c1cad84ae5c708bb71d3
SSDEEP: 98304:/3af73bE2Q1V/37Gn4i0Y4bhuApBTR8pmiuflVmR6hqfBBMytuAsw/j1zd:/3i3bg/3CnL0/d8IQ6h6uccMjBd
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\International\Geo\Nation
  process: saInst.exe

Executes dropped EXE (1 IoC)
  pid 2308    saInst.exe

Loads dropped DLL (9 IoCs)
  pid 1700    6fae566b41f9c53f1f4d137ff241aac6_JaffaCakes118.exe
  pid 2308    saInst.exe    (8 entries)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  process: 6fae566b41f9c53f1f4d137ff241aac6_JaffaCakes118.exe

  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  process: saInst.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 2308    saInst.exe    (2 entries)

Suspicious use of WriteProcessMemory (7 IoCs)
  description: PID 1700 wrote to memory of 2308
  pid: 1700
  process: 6fae566b41f9c53f1f4d137ff241aac6_JaffaCakes118.exe
  procid_target: 31
  (7 identical entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\6fae566b41f9c53f1f4d137ff241aac6_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6fae566b41f9c53f1f4d137ff241aac6_JaffaCakes118.exe"
   PID: 1700
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\SiteAdvisor\saInst.exe (child of PID 1700)
      Command line: "C:\Users\Admin\AppData\Local\Temp\SiteAdvisor\saInst.exe" "C:\Users\Admin\AppData\Local\Temp\6fae566b41f9c53f1f4d137ff241aac6_JaffaCakes118.exe"
      PID: 2308
      - Checks computer location settings
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
Filesize: 166KB
MD5: 82a1a97820f29ff3cb3eb7eb9ecf86a9
SHA1: 80e364bf127a24f170406a1cd7fa86eb597a9081
SHA256: 7a45f37ebff001c94c2530e48b2b3c0697d1bac8fe30d89391a0a6cde2c1cec5
SHA512: a74c1aa9e90d0f8d0d6eee1936068868ce60f794a31f58988759eef3ece6f79fd0787deee8c86c8e88663d51202c5e23aba2af4eddfef5307dd128bb5c5e0a3f

File 2
Filesize: 14KB
MD5: 6ec43c7aad960d572b30effeef009b7c
SHA1: 7c09bf4ee91bf53ee07358fa7a2e2873d6dab86b
SHA256: 8ad8e02cf298fcc5210affd91b0cb6bd070180f5f0d78295b953bbf81ea8bc21
SHA512: 259f9f7ef35e504775dd788ff0de6762a1372f1940a96c4c99073b5e7423763e7054fe8b76e6d1a393b699a19b47cca8bd03ceeecd5e49f22c6c441dbe6794ca

File 3
Filesize: 2.1MB
MD5: f520939afcd7661e6082254a4bba0fae
SHA1: bc173d48262ba4f6038d85e479f65b0a619c0ecb
SHA256: df3319cc0563ba3c17707d95143ea870284af8898390b9880efb43e10546b3f5
SHA512: 3c4bd5b76daa4e4ab70aaea389a6301a8e1851379b6b9901d30cc9ac4067fcadd4614331e2d8401124094f4146c4d4d17c5c55c6fe13ec400af59b05ae048874

File 4
Filesize: 2.7MB
MD5: 30b8223465b5596563d21d7bc84c6bbc
SHA1: 03f1dd7bccca087c2d714755ee8ce7a049c03096
SHA256: 96caba748cefba92875c3d00d033838cc92480052a4a22f6a451fb252fba18be
SHA512: caff833a581cc2d03af663fc8cc8a4610333c981c8a2eee53c6e4663c0bb5dc6c993714e69ea56569113d4bcc015420448382c44e9b40d8e025f167ab5a14e1b

File 5
Filesize: 122KB
MD5: f20017a9a655ca3604313cd982ffbce3
SHA1: ea40699e63a79ad12aad962bd6d0ad38b3abf664
SHA256: 0b4be27c06c0a1a11a49ca9cc7b04b26a9b88dc80cfd9e38ae6cbe2a9398b3ba
SHA512: a1307150f2df5dfa93b7b62f7f25ec6ea7a8dbea8a9fe62a64703a4f05f8e928a9859a7a9cc2d48280e428cb66067175488fdd2eac5cfd5e18d668b08574829d