Analysis
max time kernel: 131s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/07/2024, 12:20
Static task: static1
Behavioral task: behavioral1
Sample: 709dca10085dfff664bd1bc0185ac51e_JaffaCakes118.exe
Resource: win7-20240708-en
General
Target: 709dca10085dfff664bd1bc0185ac51e_JaffaCakes118.exe
Size: 64KB
MD5: 709dca10085dfff664bd1bc0185ac51e
SHA1: ff9433a92b4572cd246a641861acf3b628e6511a
SHA256: 4251c7eccea38b856cdc5976d3f9fcd0264e8c48256ad0b7d49aeda2ed0aa735
SHA512: a07869c307857e6f54273a6944ae36f020f4c904a952526385e806ae8324603414f3a5b18a4982cea497a28c0188941e34be98794027b3924998ddd274835f4c
SSDEEP: 1536:Nxj4xoSW3p1PJgK/b2ydJa6mQ3TLubZ+338lWTFmsWTimsWTP:njzVrPeK6ydJfwTWTFLWTiLWTP
Malware Config
Signatures

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 709dca10085dfff664bd1bc0185ac51e_JaffaCakes118.exe

Deletes itself (1 IoC)
pid | Process
1816 | Au_.exe

Executes dropped EXE (2 IoCs)
pid | Process
4364 | uninst.exe
1816 | Au_.exe

Loads dropped DLL (7 IoCs)
pid | Process
3976 | 709dca10085dfff664bd1bc0185ac51e_JaffaCakes118.exe (7 identical events)

Drops file in System32 directory (1 IoC)
description | ioc | Process
File created | C:\Windows\SysWOW64\flash.scf | 709dca10085dfff664bd1bc0185ac51e_JaffaCakes118.exe

Drops file in Program Files directory (13 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\Messenger\Messenger.kbb | 709dca10085dfff664bd1bc0185ac51e_JaffaCakes118.exe
File created | C:\Program Files (x86)\Internet Explorer\MUI\iexplore.exe | cscript.exe
File created | C:\Program Files (x86)\Common Files\System\ado\myie.vbs | 709dca10085dfff664bd1bc0185ac51e_JaffaCakes118.exe
File created | C:\Program Files (x86)\Messenger\Ntype.exe | cscript.exe
File created | C:\Program Files (x86)\lnkfiles\17.txt | cscript.exe
File created | C:\Program Files (x86)\lnkfiles\25.txt | cscript.exe
File created | C:\Program Files (x86)\Messenger\taodwq.ico | 709dca10085dfff664bd1bc0185ac51e_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\MUI\iexplore.exe | cscript.exe
File created | C:\Program Files (x86)\lnkfiles\15.txt | cscript.exe
File created | C:\Program Files (x86)\lnkfiles\27.txt | cscript.exe
File created | C:\Program Files (x86)\lnkfiles\19.txt | cscript.exe
File created | C:\Program Files (x86)\lnkfiles\21.txt | cscript.exe
File created | C:\Program Files (x86)\lnkfiles\23.txt | cscript.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | uninst.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Au_.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 709dca10085dfff664bd1bc0185ac51e_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cscript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wscript.exe

NSIS installer (1 IoC)
resource | yara_rule
behavioral2/files/0x0007000000023459-59.dat | nsis_installer_2

Modifies registry class (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.kbb | 709dca10085dfff664bd1bc0185ac51e_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.kbb\ = "JSEFile" | 709dca10085dfff664bd1bc0185ac51e_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
3976 | 709dca10085dfff664bd1bc0185ac51e_JaffaCakes118.exe (4 identical events)

Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 3976 wrote to memory of 3684 | 3976 | 709dca10085dfff664bd1bc0185ac51e_JaffaCakes118.exe | 85 (3 identical events)
PID 3976 wrote to memory of 5076 | 3976 | 709dca10085dfff664bd1bc0185ac51e_JaffaCakes118.exe | 88 (3 identical events)
PID 3976 wrote to memory of 4364 | 3976 | 709dca10085dfff664bd1bc0185ac51e_JaffaCakes118.exe | 97 (3 identical events)
PID 4364 wrote to memory of 1816 | 4364 | uninst.exe | 98 (3 identical events)
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\709dca10085dfff664bd1bc0185ac51e_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\709dca10085dfff664bd1bc0185ac51e_JaffaCakes118.exe"
  PID: 3976
  - Modifies visibility of hidden/system files in Explorer
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\SysWOW64\cscript.exe
    command line: "C:\Windows\system32\cscript.exe" "C:\Program Files (x86)\Common Files\System\ado\myie.vbs"
    PID: 3684
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery

  Level 2: C:\Windows\SysWOW64\wscript.exe
    command line: "C:\Windows\system32\wscript.exe" "C:\Program Files (x86)\Messenger\messenger.kbb"
    PID: 5076
    - System Location Discovery: System Language Discovery

  Level 2: C:\Users\Admin\AppData\Local\Temp\uninst.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\uninst.exe"
    PID: 4364
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
      PID: 1816
      - Deletes itself
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads