Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/08/2024, 20:45
Static task: static1
Behavioral task: behavioral1
- Sample: 837fa46ff00e245a0c44bc3cbed6d9d2_JaffaCakes118.exe
- Resource: win7-20240729-en
Behavioral task: behavioral2
- Sample: 837fa46ff00e245a0c44bc3cbed6d9d2_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: 837fa46ff00e245a0c44bc3cbed6d9d2_JaffaCakes118.exe
- Size: 79KB
- MD5: 837fa46ff00e245a0c44bc3cbed6d9d2
- SHA1: 400c43992d8117a366e324c4679c0d9c811cc909
- SHA256: b1d1256ac76f5442c1a5a4948522c73c879fd7b57c1303275fd5fd5b2295b575
- SHA512: 2d0227bc26baf6cc59f2ce9a9efeb5722fe2c5c28ab257289959add49ad22266beed35c3180182495a53f41da7feee88581f5533f23b8f9750276595fec980ae
- SSDEEP: 1536:VdzCU+0GptrrZk4Rn4TzTlqW7qx8OJabmGDf/EIpY00EdsVhz02p:VlC2gtrrRnGFqbxaHDf/Ex0Bs7
Malware Config
Signatures
Sets service image path in registry (2 TTPs, 3 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\COMSysApp\ImagePath = "C:\\Program Files\\Common Files\\Microsoft Shared\\ykkrpd.exe comsysapp" | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\COMSysApp\ImagePath = "C:\\Program Files\\Common Files\\Microsoft Shared\\ykkrpd.exe comsysapp" | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\COMSysApp\ImagePath = "C:\\Program Files\\Common Files\\Microsoft Shared\\ykkrpd.exe comsysapp" | regedit.exe
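The three writes above replace the ImagePath of the existing COMSysApp service (COM+ System Application) in ControlSet001, 002 and 003, so whichever control set the image boots from next will start ykkrpd.exe in place of the real service binary. The change landed through regedit -s on a dropped .reg file, so the cheapest triage check is to parse that file statically before it is ever imported. The Python below is an added example, not code from tria.ge or from the sample: SAMPLE_REG is constructed to reproduce the report's three IoCs (the ObjectName and Benign values are there only to exercise the parser's hex(2) and dword paths), and BASELINE_IMAGEPATH is an assumption about a clean install, not something the report states.

```python
"""Static triage of a .reg file before it is imported with regedit -s.
Added example (not tria.ge or sample code). SAMPLE_REG is constructed to
match the report's IoCs; the ObjectName/Benign values only exercise the
parser; BASELINE_IMAGEPATH is an assumed clean-install value."""
import re
from typing import Iterator

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\COMSysApp]
"ImagePath"="C:\\Program Files\\Common Files\\Microsoft Shared\\ykkrpd.exe comsysapp"
"ObjectName"=hex(2):4c,00,6f,00,63,00,61,00,6c,00,53,00,79,00,\
  73,00,74,00,65,00,6d,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\COMSysApp]
"ImagePath"="C:\\Program Files\\Common Files\\Microsoft Shared\\ykkrpd.exe comsysapp"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\COMSysApp]
"ImagePath"="C:\\Program Files\\Common Files\\Microsoft Shared\\ykkrpd.exe comsysapp"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example]
"Benign"=dword:00000001
'''

_KEY = re.compile(r"^\[(-?)(.+)\]$")                        # [key] or [-key]
_VALUE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')  # "name"=data / @=data
_HEX = re.compile(r"^hex(?:\(([0-9a-f]+)\))?:(.*)$", re.I)
_SERVICE_KEY = re.compile(
    r"\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\Services\\([^\\]+)$", re.I)
# ASSUMED baseline; on a real host derive it from a known-good image.
BASELINE_IMAGEPATH = {
    "comsysapp": r"%SystemRoot%\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}",
}


def _unescape(s: str) -> str:
    """.reg strings escape only backslash and double quote."""
    return re.sub(r'\\(["\\])', r"\1", s)


def _decode(raw: str):
    """Return (reg_type, python_value) for the data side of a value line."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return "REG_SZ", _unescape(raw[1:-1])
    if raw.lower().startswith("dword:"):
        return "REG_DWORD", int(raw[6:], 16)
    m = _HEX.match(raw)
    if m:
        kind = {None: "REG_BINARY", "2": "REG_EXPAND_SZ", "7": "REG_MULTI_SZ"}.get(
            m.group(1), "hex(%s)" % m.group(1))
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if kind in ("REG_EXPAND_SZ", "REG_MULTI_SZ"):
            return kind, data.decode("utf-16-le").rstrip("\0")
        return kind, data
    return "UNKNOWN", raw


def parse_reg(text: str) -> Iterator[tuple]:
    """Yield (key, value_name, reg_type, value); deletions are reported
    with reg_type DELETE_KEY / DELETE_VALUE."""
    text = re.sub(r",\\\r?\n\s*", ",", text)  # join hex continuation lines
    key = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] == ";" or line.startswith(("Windows Registry Editor", "REGEDIT4")):
            continue
        km = _KEY.match(line)
        if km:
            key = km.group(2)
            if km.group(1):
                yield key, None, "DELETE_KEY", None
            continue
        vm = _VALUE.match(line)
        if vm and key is not None:
            name = "(Default)" if vm.group(2) else _unescape(vm.group(1))
            if vm.group(3).strip() == "-":
                yield key, name, "DELETE_VALUE", None
            else:
                yield (key, name) + _decode(vm.group(3))


def service_imagepath_changes(text: str) -> list:
    """Flag every ImagePath write under a Services key whose new binary is
    outside the Windows directory or differs from the known baseline."""
    findings = []
    for key, name, kind, value in parse_reg(text):
        if name is None or name.lower() != "imagepath":
            continue
        sm = _SERVICE_KEY.search(key)
        if not sm:
            continue
        svc, new = sm.group(1), str(value)
        under_windows = new.lower().lstrip('"').startswith(
            ("%systemroot%\\", "\\systemroot\\", "c:\\windows\\", "system32\\"))
        baseline = BASELINE_IMAGEPATH.get(svc.lower())
        findings.append({
            "service": svc, "key": key, "type": kind, "new_imagepath": new,
            "baseline": baseline,
            "suspicious": (not under_windows) or (baseline is not None and new != baseline),
        })
    return findings


if __name__ == "__main__":
    for f in service_imagepath_changes(SAMPLE_REG):
        print("SUSPICIOUS" if f["suspicious"] else "ok", f["key"], "->", f["new_imagepath"])
```

Run it against the real dropped file with `service_imagepath_changes(open(path, encoding="utf-16").read())` if the file carries a UTF-16 BOM, as regedit exports do; the constructed sample is plain ASCII so it is passed in directly. Anything that rewrites ImagePath for a service you did not install, or points an existing service outside the Windows directory, deserves a look before the file is imported.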
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | rundll32.exe
Deletes itself (1 IoCs)
pid | process
5684 | rundll32.exe
Loads dropped DLL (3 IoCs)
pid | process
1388 | 837fa46ff00e245a0c44bc3cbed6d9d2_JaffaCakes118.exe
5604 | rundll32.exe
5684 | rundll32.exe
Drops file in Program Files directory (3 IoCs)
description | ioc | process
File created | C:\Program Files\Common Files\Microsoft Shared\ykkrpd.exe | rundll32.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ykkrpd.exe | rundll32.exe
File created | C:\Program Files\Common Files\Microsoft Shared\ykkrpd.dll | rundll32.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoCs)
pid | pid_target | process | procid_target
5788 | 1388 | WerFault.exe | 82
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 837fa46ff00e245a0c44bc3cbed6d9d2_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regedit.exe
Runs .reg file with regedit (1 IoCs)
pid | process
5628 | regedit.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | process | occurrences
1388 | 837fa46ff00e245a0c44bc3cbed6d9d2_JaffaCakes118.exe | 2
5684 | rundll32.exe | 62
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | process | occurrences
Token: SeDebugPrivilege | 1388 | 837fa46ff00e245a0c44bc3cbed6d9d2_JaffaCakes118.exe | 1
Token: SeDebugPrivilege | 5684 | rundll32.exe | 63
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | process | occurrences
1388 | 837fa46ff00e245a0c44bc3cbed6d9d2_JaffaCakes118.exe | 2
Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | process | procid_target | occurrences
PID 1388 wrote to memory of 5604 | 1388 | 837fa46ff00e245a0c44bc3cbed6d9d2_JaffaCakes118.exe | 91 | 3
PID 5604 wrote to memory of 5628 | 5604 | rundll32.exe | 92 | 3
PID 5604 wrote to memory of 5684 | 5604 | rundll32.exe | 93 | 3
Processes
C:\Users\Admin\AppData\Local\Temp\837fa46ff00e245a0c44bc3cbed6d9d2_JaffaCakes118.exe (PID 1388)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\837fa46ff00e245a0c44bc3cbed6d9d2_JaffaCakes118.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe (PID 5604)
      cmdline: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\ykkrpdreg.dll",polmxhat
      - Checks computer location settings
      - Loads dropped DLL
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\regedit.exe (PID 5628)
          cmdline: regedit.exe -s "C:\Users\Admin\AppData\Local\Temp\ykkrpdreg.reg"
          - Sets service image path in registry
          - System Location Discovery: System Language Discovery
          - Runs .reg file with regedit
        C:\Windows\SysWOW64\rundll32.exe (PID 5684)
          cmdline: "C:\Windows\System32\rundll32.exe" "C:\Program Files\Common Files\Microsoft Shared\ykkrpd.dll",polmxhat
          - Deletes itself
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe (PID 5788)
      cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 2516
      - Program crash
C:\Windows\SysWOW64\WerFault.exe (PID 5764)
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1388 -ip 1388
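The tree is a three-hop chain: the dropper runs rundll32 on a DLL in %TEMP% with an arbitrary export name (polmxhat), that rundll32 runs regedit -s on a dropped .reg file and then launches a second rundll32 on the copy of the DLL it placed under Program Files\Common Files. (The second rundll32's command line names System32 while its image is in SysWOW64: the parent is a 32-bit process, so file-system redirection applies.) Each hop is individually common enough to be noisy, but the combination is not. The Python below is an added detection example, not tria.ge code: EVENTS is constructed from the PIDs, images and command lines in the tree, with an assumed parent PID 1000 for the root process, an assumed benign shell32.dll row as a control, and an event shape that only resembles a Sysmon process-creation record.

```python
"""Detection logic for the rundll32 -> regedit -s -> rundll32 chain in the
process tree above. Added example, not tria.ge code. EVENTS is constructed
from the tree's PIDs, images and command lines; the root's parent PID 1000,
the benign shell32.dll row and the event shape itself are assumptions."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\837fa46ff00e245a0c44bc3cbed6d9d2_JaffaCakes118.exe"
EVENTS = [
    ProcEvent(1388, 1000, SAMPLE, '"%s"' % SAMPLE),
    ProcEvent(5604, 1388, r"C:\Windows\SysWOW64\rundll32.exe",
              r'rundll32.exe "C:\Users\Admin\AppData\Local\Temp\ykkrpdreg.dll",polmxhat'),
    ProcEvent(5628, 5604, r"C:\Windows\SysWOW64\regedit.exe",
              r'regedit.exe -s "C:\Users\Admin\AppData\Local\Temp\ykkrpdreg.reg"'),
    ProcEvent(5684, 5604, r"C:\Windows\SysWOW64\rundll32.exe",
              r'"C:\Windows\System32\rundll32.exe" "C:\Program Files\Common Files\Microsoft Shared\ykkrpd.dll",polmxhat'),
    # Assumed benign control row: an ordinary rundll32 call on a System32 DLL.
    ProcEvent(7000, 1000, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

RULE_DLL_OUTSIDE_SYSTEM = "rundll32 loads a DLL from outside System32/SysWOW64"
RULE_RUNDLL_CHAIN = "rundll32 spawned by rundll32 (hand-off to a dropped copy)"
RULE_REGEDIT_SILENT = "regedit silent import (-s) from a non-interactive parent"
RULE_REG_USER_WRITABLE = ".reg file imported from a user-writable path"

# DLL argument: either "quoted path.dll" or a bare whitespace-delimited token,
# followed by ,export (a name or an #ordinal).
_RUNDLL_ARG = re.compile(
    r'(?:"([^"]+?\.dll)"|(?<![^\s])(\S+?\.dll))\s*,\s*([A-Za-z0-9_#]+)', re.I)
_REG_ARG = re.compile(r'(?:^|\s)[-/]s\s+"?([^"]+?\.reg)"?', re.I)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")
INTERACTIVE_PARENTS = ("explorer.exe", "cmd.exe", "powershell.exe", "msiexec.exe")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rundll32_target(cmdline: str):
    """(dll_path, export) named on a rundll32 command line, or None."""
    m = _RUNDLL_ARG.search(cmdline)
    return ((m.group(1) or m.group(2)), m.group(3)) if m else None


def ancestry(events, pid: int) -> list:
    """PIDs from the oldest ancestor present in events down to pid."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid].ppid
    return chain[::-1]


def analyze(events) -> list:
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        pname = basename(parent.image) if parent else ""
        name = basename(e.image)
        if name == "rundll32.exe":
            tgt = rundll32_target(e.cmdline)
            if tgt and not tgt[0].lower().startswith(SYSTEM_DIRS):
                findings.append(Finding(e.pid, RULE_DLL_OUTSIDE_SYSTEM, "%s,%s" % tgt))
            if pname == "rundll32.exe":
                findings.append(Finding(e.pid, RULE_RUNDLL_CHAIN, "parent pid %d" % e.ppid))
        elif name == "regedit.exe":
            m = _REG_ARG.search(e.cmdline)
            if m:
                regfile = m.group(1)
                if pname not in INTERACTIVE_PARENTS:
                    findings.append(Finding(e.pid, RULE_REGEDIT_SILENT, "parent " + (pname or "unknown")))
                if any(mark in regfile.lower() for mark in USER_WRITABLE):
                    findings.append(Finding(e.pid, RULE_REG_USER_WRITABLE, regfile))
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(" -> ".join(map(str, ancestry(EVENTS, f.pid))), "|", f.rule, "|", f.detail)
```

On the constructed events the control row (7000) produces nothing, while 5604, 5628 and 5684 each trip at least one rule and 5628/5684 trip two; correlating the findings by `ancestry` back to PID 1388 is what turns four low-severity hits into one incident. Treat the rule thresholds as a starting point: a real installer can legitimately run regedit -s, which is why that rule looks at the parent rather than at regedit alone.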
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
- Filesize: 71KB
- MD5: 26697f0710476371b6836482b4a6df93
- SHA1: da52c1a674fd6e1a194f5872f0275f59f9c7a382
- SHA256: dcbab2c5ef2124e772b9e4806eeff0693c45f278408b23eea84c1dde0816679c
- SHA512: c1c3b3799e72a8dc1859362aa28c83f570cb65b80823cf18d1157dd4234c8f7c17b5eefecaabb358f2ef469b925b8b01868e222d8df942b5a5fded440f99399b
File 2
- Filesize: 1KB
- MD5: 604a7cef7ab7406d293d24ade00ba34e
- SHA1: d630eade60550ca8b5a0cf36df12e634e8ed15b1
- SHA256: 39afe7a98675f4347845a9ae8f8692ace30fdaed30aa434881c8b80d0bd34456
- SHA512: b704e8efc0961eb40e9613a78b386fd51e8c64d71e7b03335d66bd8ae318da6dffe4803f0aebb0160ea38a06557d8522ea8b70e0e72d5adc3efe60eb526b7af0