Analysis
max time kernel: 148s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240730-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240730-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/08/2024, 23:50
Behavioral task behavioral1
Sample: 82394930e7babddd90b8eee3610e31e1_JaffaCakes118.exe
Resource: win7-20240708-en
Behavioral task behavioral2
Sample: 82394930e7babddd90b8eee3610e31e1_JaffaCakes118.exe
Resource: win10v2004-20240730-en
General
Target: 82394930e7babddd90b8eee3610e31e1_JaffaCakes118.exe
Size: 121KB
MD5: 82394930e7babddd90b8eee3610e31e1
SHA1: 1edd69f96c7ffcf818abb95aa5903a71bac60b12
SHA256: 875b0094f5ed75e2c85bdce3c5d4e18116dc788ba156febf5f903072294e383b
SHA512: 45082d41b76a2d3f8f2a6c99ecfec951087a0be69201a1bf2956b880c6393f071071fb2705ea9faf7df50c5574d6f4034ea5b64d6496ef4e79af856a464d039e
SSDEEP: 1536:thivqRTLZQVgiVQXmxFsEtE890oiSSPjewOYlk15Ds+8yH2W3YtGVfBSBz12rCfH:/kie2Otg84SSPLOz8i2QY8Vfs7jz
Malware Config
Signatures
Checks computer location settings (2 TTPs, 5 IoCs)
Looks up country code configured in the registry, likely geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000\Control Panel\International\Geo\Nation, by each of the following processes:
- WScript.exe
- 802A3.EXE
- 806KK.EXE
- 805A1.EXE
- 82394930e7babddd90b8eee3610e31e1_JaffaCakes118.exe
Executes dropped EXE (6 IoCs)
- PID 2724: 805A1.EXE
- PID 2912: 802A3.EXE
- PID 2184: 806KK.EXE
- PID 4484: WinHe802.exe
- PID 3980: WinHe806.exe
- PID 3332: WinHe805.exe
resource / yara_rule:
- behavioral2/memory/3652-0-0x0000000000400000-0x0000000000426000-memory.dmp: upx
- behavioral2/memory/3652-68-0x0000000000400000-0x0000000000426000-memory.dmp: upx
Indicator Removal: File Deletion (1 TTPs)
Adversaries may delete files left behind by the actions of their intrusion activity.
Drops file in System32 directory (9 IoCs)
- File opened for modification: C:\Windows\SysWOW64\WinHe805.exe, by 805A1.EXE
- File opened for modification: C:\Windows\SysWOW64\WinHe806.exe, by 806KK.EXE
- File created: C:\Windows\SysWOW64\WinHe805.exe, by WinHe805.exe
- File created: C:\Windows\SysWOW64\WinHe805.exe, by 805A1.EXE
- File created: C:\Windows\SysWOW64\WinHe802.exe, by 802A3.EXE
- File opened for modification: C:\Windows\SysWOW64\WinHe802.exe, by 802A3.EXE
- File created: C:\Windows\SysWOW64\WinHe806.exe, by 806KK.EXE
- File created: C:\Windows\SysWOW64\WinHe802.exe, by WinHe802.exe
- File created: C:\Windows\SysWOW64\WinHe806.exe, by WinHe806.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 14 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by the following processes:
- 82394930e7babddd90b8eee3610e31e1_JaffaCakes118.exe
- WScript.exe
- 805A1.EXE
- 802A3.EXE
- 806KK.EXE
- WinHe805.exe
- WinHe802.exe
- WinHe806.exe
- cmd.exe (six separate instances)
Modifies registry class (1 IoCs)
- Key created: \REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000_Classes\Local Settings, by 82394930e7babddd90b8eee3610e31e1_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken (6 IoCs)
Token: SeIncBasePriorityPrivilege, requested by:
- PID 2912: 802A3.EXE
- PID 4484: WinHe802.exe
- PID 3980: WinHe806.exe
- PID 2184: 806KK.EXE
- PID 2724: 805A1.EXE
- PID 3332: WinHe805.exe
Suspicious use of WriteProcessMemory (39 IoCs)
Each row below is reported three times in the original table (13 distinct rows, 39 IoCs in total). Columns: pid, Process, target pid, procid_target.
- 3652 (82394930e7babddd90b8eee3610e31e1_JaffaCakes118.exe) wrote to memory of 2816, procid_target 86
- 2816 (WScript.exe) wrote to memory of 2724, procid_target 88
- 2816 (WScript.exe) wrote to memory of 2912, procid_target 89
- 2816 (WScript.exe) wrote to memory of 2184, procid_target 90
- 2912 (802A3.EXE) wrote to memory of 4484, procid_target 91
- 2912 (802A3.EXE) wrote to memory of 4164, procid_target 92
- 4484 (WinHe802.exe) wrote to memory of 1968, procid_target 93
- 2184 (806KK.EXE) wrote to memory of 3980, procid_target 94
- 2724 (805A1.EXE) wrote to memory of 3332, procid_target 95
- 3980 (WinHe806.exe) wrote to memory of 2076, procid_target 96
- 2184 (806KK.EXE) wrote to memory of 1700, procid_target 97
- 2724 (805A1.EXE) wrote to memory of 3992, procid_target 98
- 3332 (WinHe805.exe) wrote to memory of 1176, procid_target 99
Processes
Process tree (indentation shows parent/child depth; the command line follows each image path):

C:\Users\Admin\AppData\Local\Temp\82394930e7babddd90b8eee3610e31e1_JaffaCakes118.exe (PID 3652)
  command line: "C:\Users\Admin\AppData\Local\Temp\82394930e7babddd90b8eee3610e31e1_JaffaCakes118.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WScript.exe (PID 2816)
    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ser.vbs"
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\RarSFX0\805A1.EXE (PID 2724)
      command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\805A1.EXE"
      - Checks computer location settings
      - Executes dropped EXE
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\WinHe805.exe (PID 3332)
        command line: "C:\Windows\system32\WinHe805.exe"
        - Executes dropped EXE
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe (PID 1176)
          command line: C:\Windows\system32\cmd.exe /C del C:\Windows\SysWOW64\WinHe805.exe > nul
          - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\cmd.exe (PID 3992)
        command line: C:\Windows\system32\cmd.exe /C del C:\Users\Admin\AppData\Local\Temp\RarSFX0\805A1.EXE > nul
        - System Location Discovery: System Language Discovery

    C:\Users\Admin\AppData\Local\Temp\RarSFX0\802A3.EXE (PID 2912)
      command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\802A3.EXE"
      - Checks computer location settings
      - Executes dropped EXE
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\WinHe802.exe (PID 4484)
        command line: "C:\Windows\system32\WinHe802.exe"
        - Executes dropped EXE
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe (PID 1968)
          command line: C:\Windows\system32\cmd.exe /C del C:\Windows\SysWOW64\WinHe802.exe > nul
          - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\cmd.exe (PID 4164)
        command line: C:\Windows\system32\cmd.exe /C del C:\Users\Admin\AppData\Local\Temp\RarSFX0\802A3.EXE > nul
        - System Location Discovery: System Language Discovery

    C:\Users\Admin\AppData\Local\Temp\RarSFX0\806KK.EXE (PID 2184)
      command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\806KK.EXE"
      - Checks computer location settings
      - Executes dropped EXE
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\WinHe806.exe (PID 3980)
        command line: "C:\Windows\system32\WinHe806.exe"
        - Executes dropped EXE
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe (PID 2076)
          command line: C:\Windows\system32\cmd.exe /C del C:\Windows\SysWOW64\WinHe806.exe > nul
          - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\cmd.exe (PID 1700)
        command line: C:\Windows\system32\cmd.exe /C del C:\Users\Admin\AppData\Local\Temp\RarSFX0\806KK.EXE > nul
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads