Analysis
max time kernel: 138s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/07/2024, 05:40
Static task: static1
Behavioral task: behavioral1
Sample: 772952cfacf381892590ce0ccc4bb384_JaffaCakes118.exe
Resource: win7-20240729-en
Behavioral task: behavioral2
Sample: 772952cfacf381892590ce0ccc4bb384_JaffaCakes118.exe
Resource: win10v2004-20240709-en
General
Target: 772952cfacf381892590ce0ccc4bb384_JaffaCakes118.exe
Size: 65KB
MD5: 772952cfacf381892590ce0ccc4bb384
SHA1: 734e0306c531e9ffbf22b60e7c744e04f65fa79f
SHA256: 0b36f9990b83338a823f030e12fcd9a866a2cfcb434150d3e59c708a80a88102
SHA512: 1bc8e5145a9c5fde67c5df7289b32fee5720b5af7007c3fd5c3287c74c4754812552c2b6cef2ce77582233b8a8a2312975acc5c7687b0694cdec528456912d21
SSDEEP: 768:gqipbWxcGn+dNHyIztJT2W/V4EaRS8ZGMhpyNKnoBXzHpBRjG8CkFMRKVytHmDbX:6ScCqrztJi2icNKnoBX7RylHmH
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 7 IoCs
Looks up country code configured in the registry, likely geofence.
description  ioc  Process
Key value queried  \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation  pwrshplugin.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation  772952cfacf381892590ce0ccc4bb384_JaffaCakes118.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation  netprofm.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation  ngccredprov.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation  wups.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation  sensapi.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation  kbdcr.exe
Executes dropped EXE 6 IoCs
pid  Process
2572  netprofm.exe
4492  ngccredprov.exe
3320  wups.exe
2756  sensapi.exe
2420  kbdcr.exe
3948  pwrshplugin.exe
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Drops file in System32 directory 14 IoCs
description  ioc  Process
File created  C:\Windows\SysWOW64\netprofm.exe  772952cfacf381892590ce0ccc4bb384_JaffaCakes118.exe
File created  C:\Windows\SysWOW64\sensapi.exe  wups.exe
File opened for modification  C:\Windows\SysWOW64\ngccredprov.exe  netprofm.exe
File created  C:\Windows\SysWOW64\kbdcr.exe  sensapi.exe
File opened for modification  C:\Windows\SysWOW64\kbdcr.exe  sensapi.exe
File created  C:\Windows\SysWOW64\pwrshplugin.exe  kbdcr.exe
File opened for modification  C:\Windows\SysWOW64\windows.storage.applicationdata.exe  pwrshplugin.exe
File created  C:\Windows\SysWOW64\ngccredprov.exe  netprofm.exe
File opened for modification  C:\Windows\SysWOW64\sensapi.exe  wups.exe
File opened for modification  C:\Windows\SysWOW64\pwrshplugin.exe  kbdcr.exe
File created  C:\Windows\SysWOW64\windows.storage.applicationdata.exe  pwrshplugin.exe
File opened for modification  C:\Windows\SysWOW64\netprofm.exe  772952cfacf381892590ce0ccc4bb384_JaffaCakes118.exe
File created  C:\Windows\SysWOW64\wups.exe  ngccredprov.exe
File opened for modification  C:\Windows\SysWOW64\wups.exe  ngccredprov.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
pid  pid_target  Process  procid_target
5076  4972  WerFault.exe  83
1748  3948  WerFault.exe  114
System Location Discovery: System Language Discovery 1 TTPs 14 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  pwrshplugin.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wups.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  sensapi.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  netprofm.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  772952cfacf381892590ce0ccc4bb384_JaffaCakes118.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ngccredprov.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  kbdcr.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Suspicious use of WriteProcessMemory 39 IoCs
description  pid  Process  procid_target
PID 4972 wrote to memory of 2572  4972  772952cfacf381892590ce0ccc4bb384_JaffaCakes118.exe  92
PID 4972 wrote to memory of 2572  4972  772952cfacf381892590ce0ccc4bb384_JaffaCakes118.exe  92
PID 4972 wrote to memory of 2572  4972  772952cfacf381892590ce0ccc4bb384_JaffaCakes118.exe  92
PID 4972 wrote to memory of 2368  4972  772952cfacf381892590ce0ccc4bb384_JaffaCakes118.exe  94
PID 4972 wrote to memory of 2368  4972  772952cfacf381892590ce0ccc4bb384_JaffaCakes118.exe  94
PID 4972 wrote to memory of 2368  4972  772952cfacf381892590ce0ccc4bb384_JaffaCakes118.exe  94
PID 2572 wrote to memory of 4492  2572  netprofm.exe  100
PID 2572 wrote to memory of 4492  2572  netprofm.exe  100
PID 2572 wrote to memory of 4492  2572  netprofm.exe  100
PID 2572 wrote to memory of 4372  2572  netprofm.exe  101
PID 2572 wrote to memory of 4372  2572  netprofm.exe  101
PID 2572 wrote to memory of 4372  2572  netprofm.exe  101
PID 4492 wrote to memory of 3320  4492  ngccredprov.exe  105
PID 4492 wrote to memory of 3320  4492  ngccredprov.exe  105
PID 4492 wrote to memory of 3320  4492  ngccredprov.exe  105
PID 4492 wrote to memory of 4752  4492  ngccredprov.exe  106
PID 4492 wrote to memory of 4752  4492  ngccredprov.exe  106
PID 4492 wrote to memory of 4752  4492  ngccredprov.exe  106
PID 3320 wrote to memory of 2756  3320  wups.exe  108
PID 3320 wrote to memory of 2756  3320  wups.exe  108
PID 3320 wrote to memory of 2756  3320  wups.exe  108
PID 3320 wrote to memory of 4564  3320  wups.exe  109
PID 3320 wrote to memory of 4564  3320  wups.exe  109
PID 3320 wrote to memory of 4564  3320  wups.exe  109
PID 2756 wrote to memory of 2420  2756  sensapi.exe  111
PID 2756 wrote to memory of 2420  2756  sensapi.exe  111
PID 2756 wrote to memory of 2420  2756  sensapi.exe  111
PID 2756 wrote to memory of 1532  2756  sensapi.exe  112
PID 2756 wrote to memory of 1532  2756  sensapi.exe  112
PID 2756 wrote to memory of 1532  2756  sensapi.exe  112
PID 2420 wrote to memory of 3948  2420  kbdcr.exe  114
PID 2420 wrote to memory of 3948  2420  kbdcr.exe  114
PID 2420 wrote to memory of 3948  2420  kbdcr.exe  114
PID 2420 wrote to memory of 2284  2420  kbdcr.exe  115
PID 2420 wrote to memory of 2284  2420  kbdcr.exe  115
PID 2420 wrote to memory of 2284  2420  kbdcr.exe  115
PID 3948 wrote to memory of 824  3948  pwrshplugin.exe  120
PID 3948 wrote to memory of 824  3948  pwrshplugin.exe  120
PID 3948 wrote to memory of 824  3948  pwrshplugin.exe  120
Processes
Process tree (indentation shows parent/child depth; each entry gives the image path, the command line, the triggered signatures and the PID)

C:\Users\Admin\AppData\Local\Temp\772952cfacf381892590ce0ccc4bb384_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\772952cfacf381892590ce0ccc4bb384_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 4972

  C:\Windows\SysWOW64\netprofm.exe
    Command line: "C:\Windows\system32\netprofm.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2572

    C:\Windows\SysWOW64\ngccredprov.exe
      Command line: "C:\Windows\system32\ngccredprov.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 4492

      C:\Windows\SysWOW64\wups.exe
        Command line: "C:\Windows\system32\wups.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 3320

        C:\Windows\SysWOW64\sensapi.exe
          Command line: "C:\Windows\system32\sensapi.exe"
          - Checks computer location settings
          - Executes dropped EXE
          - Drops file in System32 directory
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID: 2756

          C:\Windows\SysWOW64\kbdcr.exe
            Command line: "C:\Windows\system32\kbdcr.exe"
            - Checks computer location settings
            - Executes dropped EXE
            - Drops file in System32 directory
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID: 2420

            C:\Windows\SysWOW64\pwrshplugin.exe
              Command line: "C:\Windows\system32\pwrshplugin.exe"
              - Checks computer location settings
              - Executes dropped EXE
              - Drops file in System32 directory
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
              PID: 3948

              C:\Windows\SysWOW64\cmd.exe
                Command line: "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\pwrshplugin.exe"
                - System Location Discovery: System Language Discovery
                PID: 824

              C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 1776
                - Program crash
                PID: 1748

            C:\Windows\SysWOW64\cmd.exe
              Command line: "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\kbdcr.exe"
              - System Location Discovery: System Language Discovery
              PID: 2284

          C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\sensapi.exe"
            - System Location Discovery: System Language Discovery
            PID: 1532

        C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wups.exe"
          - System Location Discovery: System Language Discovery
          PID: 4564

      C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\ngccredprov.exe"
        - System Location Discovery: System Language Discovery
        PID: 4752

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\netprofm.exe"
      - System Location Discovery: System Language Discovery
      PID: 4372

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\772952cfacf381892590ce0ccc4bb384_JaffaCakes118.exe"
    - System Location Discovery: System Language Discovery
    PID: 2368

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 1676
    - Program crash
    PID: 5076

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4972 -ip 4972
  PID: 3912

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3948 -ip 3948
  PID: 3996
Network
MITRE ATT&CK Enterprise v15
Downloads