Analysis
- Max time kernel: 149s
- Max time network: 151s
- Platform: windows10-2004_x64
- Resource: win10v2004-20240709-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 25/07/2024, 17:24
Static task: static1
Behavioral task: behavioral1
- Sample: 708abe50048782def5929bc281362498_JaffaCakes118.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 708abe50048782def5929bc281362498_JaffaCakes118.exe
- Resource: win10v2004-20240709-en
General
- Target: 708abe50048782def5929bc281362498_JaffaCakes118.exe
- Size: 77KB
- MD5: 708abe50048782def5929bc281362498
- SHA1: a4bd6a219d317efe3274d84a3f5ea40b84b4ace1
- SHA256: 3f4f2cf6a2844efece2286897dd5e8feda908b6377f8d6bb25bd8fac84e13e00
- SHA512: 4e13c6ddfb213486efac01e1c14a1ece20eda2552c0af02a81ce452231d0089bab5c086509593e70c49cbd69d95fe82d8aadce5f8c6817fd8c48c940ad9d427c
- SSDEEP: 1536:8ujlHwdwzY9FPcVH5P4Zq/Dnr47HrHaL:txm+H5PR/DU7eL
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation (process: Rundll32.exe)
- Loads dropped DLL (3 IoCs)
  PID 1492 Rundll32.exe; PID 2372 Rundll32.exe; PID 2372 Rundll32.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Windows\\system32\\system.exe" (process: Rundll32.exe)
- Drops file in System32 directory (2 IoCs)
  File created: C:\Windows\SysWOW64\imppngaa.dll (process: 708abe50048782def5929bc281362498_JaffaCakes118.exe)
  File created: C:\Windows\SysWOW64\ffcrngaa.dll (process: 708abe50048782def5929bc281362498_JaffaCakes118.exe)
- Drops file in Program Files directory (2 IoCs)
  File opened for modification: C:\Program Files\RAV\CDriver.sys (process: Rundll32.exe)
  File opened for modification: C:\Program Files\RAV\CDriver.Inf (process: Rundll32.exe)
- Launches sc.exe (23 IoCs)
  sc.exe is a Windows utility to control services on the system.
  PIDs (all sc.exe): 1636, 4164, 492, 3056, 32, 792, 948, 1764, 1652, 4508, 4024, 2744, 3688, 3144, 436, 3180, 1104, 4628, 2732, 2740, 2884, 684, 3840
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 26 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, 26 times in total: sc.exe (23), Rundll32.exe (2), 708abe50048782def5929bc281362498_JaffaCakes118.exe (1)
- Checks SCSI registry key(s) (3 TTPs, 4 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 (process: Rundll32.exe)
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc (process: Rundll32.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 (process: Rundll32.exe)
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc (process: Rundll32.exe)
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  PID 1492 Rundll32.exe (6 events); PID 2372 Rundll32.exe (2 events)
- Suspicious behavior: RenamesItself (1 IoC)
  PID 1520 708abe50048782def5929bc281362498_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Each entry gives the writing process, the target PID and the procid_target; the listing stops at 64 entries.
  PID 1520 708abe50048782def5929bc281362498_JaffaCakes118.exe wrote to memory of 1492 (procid_target 84), 3 events
  PID 1492 Rundll32.exe wrote to memory of 3180 (procid_target 85), 3 events
  PID 1492 Rundll32.exe wrote to memory of 4628 (procid_target 86), 3 events
  PID 1492 Rundll32.exe wrote to memory of 1104 (procid_target 87), 3 events
  PID 1492 Rundll32.exe wrote to memory of 948 (procid_target 88), 3 events
  PID 1492 Rundll32.exe wrote to memory of 2732 (procid_target 89), 3 events
  PID 1492 Rundll32.exe wrote to memory of 1636 (procid_target 90), 3 events
  PID 1492 Rundll32.exe wrote to memory of 1764 (procid_target 91), 3 events
  PID 1492 Rundll32.exe wrote to memory of 32 (procid_target 92), 3 events
  PID 1492 Rundll32.exe wrote to memory of 4024 (procid_target 93), 3 events
  PID 1492 Rundll32.exe wrote to memory of 4508 (procid_target 94), 3 events
  PID 1492 Rundll32.exe wrote to memory of 2740 (procid_target 95), 3 events
  PID 1492 Rundll32.exe wrote to memory of 3056 (procid_target 96), 3 events
  PID 1492 Rundll32.exe wrote to memory of 492 (procid_target 97), 3 events
  PID 1492 Rundll32.exe wrote to memory of 1652 (procid_target 98), 3 events
  PID 1492 Rundll32.exe wrote to memory of 4164 (procid_target 99), 3 events
  PID 1492 Rundll32.exe wrote to memory of 436 (procid_target 101), 3 events
  PID 1492 Rundll32.exe wrote to memory of 2744 (procid_target 102), 3 events
  PID 1492 Rundll32.exe wrote to memory of 3840 (procid_target 103), 3 events
  PID 1492 Rundll32.exe wrote to memory of 3144 (procid_target 106), 3 events
  PID 1492 Rundll32.exe wrote to memory of 3688 (procid_target 107), 3 events
  PID 1492 Rundll32.exe wrote to memory of 684 (procid_target 108), 1 event
Processes
- C:\Users\Admin\AppData\Local\Temp\708abe50048782def5929bc281362498_JaffaCakes118.exe (PID 1520, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\708abe50048782def5929bc281362498_JaffaCakes118.exe"
  Signatures: Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious behavior: RenamesItself; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\Rundll32.exe (PID 1492, depth 2)
    Command line: Rundll32 C:\Windows\system32\imppngaa.dll Execute
    Signatures: Checks computer location settings; Loads dropped DLL; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    Child processes (depth 3), each C:\Windows\SysWOW64\sc.exe, each carrying the signatures Launches sc.exe and System Location Discovery: System Language Discovery:
    - PID 3180: sc stop ZhuDongFangYu
    - PID 4628: sc delete ZhuDongFangYu
    - PID 1104: sc stop 360rp
    - PID 948: sc delete 360rp
    - PID 2732: sc stop RsRavMon
    - PID 1636: sc delete RsRavMon
    - PID 1764: sc stop McNASvc
    - PID 32: sc delete McNASvc
    - PID 4024: sc stop MpfService
    - PID 4508: sc delete MpfService
    - PID 2740: sc stop McProxy
    - PID 3056: sc delete McProxy
    - PID 492: sc stop McShield
    - PID 1652: sc delete McShield
    - PID 4164: sc stop McODS
    - PID 436: sc delete McODS
    - PID 2744: sc stop mcmscsvc
    - PID 3840: sc delete mcmscsvc
    - PID 3144: sc stop McSysmon
    - PID 3688: sc delete McSysmon
    - PID 684: sc stop ekrn
    - PID 2884: sc delete ekrn
    - PID 792: "C:\Windows\System32\sc.exe" stop PolicyAgent
  - C:\Windows\SysWOW64\Rundll32.exe (PID 2372, depth 2)
    Command line: Rundll32 C:\Windows\system32\ffcrngaa.dll Execute
    Signatures: Loads dropped DLL; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1): Windows Service (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1): Windows Service (1)