Analysis
max time kernel: 125s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/08/2024, 03:33
Static task: static1
Behavioral task: behavioral1
  Sample: 84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: 84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: 84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe
Size: 196KB
MD5: 84a6f218da295960b72e34589f1fe942
SHA1: 310fdb763fa8f7801213876b36f83bd445ad8479
SHA256: cfd8d05748530fe5e056c03f1ecafeb4b0991e0ab7a0b72d181178c05a3f4586
SHA512: b0e928437f8f6899ae597936a1f2313809a636aa0cd2246ad20e457807f5c382016cb863d4d2068a25bdd0c8dea0f437e80df494efcfc00d07779761e921db5f
SSDEEP: 6144:1o0AWcB3yXobOffM7XEGskP7kzcJ1llipWcInJ:1JoJ1OpW9nJ
Malware Config
Signatures
Sets service image path in registry (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\cfilesys\ImagePath = "\"C:\\Windows\\system32\\cfilesys.exe\""
  Process: 84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe
Executes dropped EXE (1 IoC)
  pid: 1532
  Process: ps.exe
YARA rule matches (3 IoCs)
  resource: behavioral2/files/0x0008000000023585-10.dat, yara_rule: upx
  resource: behavioral2/memory/1532-12-0x0000000000400000-0x000000000040F000-memory.dmp, yara_rule: upx
  resource: behavioral2/memory/1532-14-0x0000000000400000-0x000000000040F000-memory.dmp, yara_rule: upx
Drops file in System32 directory (2 IoCs)
  description: File created
  ioc: C:\Windows\SysWOW64\cfilesys.exe
  Process: 84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe
  description: File opened for modification
  ioc: C:\Windows\SysWOW64\cfilesys.exe
  Process: 84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: 84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: cmd.exe
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: ps.exe
Modifies Internet Explorer settings (4 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes"
  Process: 84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes"
  Process: 84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Use FormSuggest = "yes"
  Process: 84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Use FormSuggest = "yes"
  Process: 84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid: 180, Process: 84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe
  pid: 180, Process: 84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe
  pid: 180, Process: 84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe
  pid: 180, Process: 84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken (44 IoCs)
Every entry has pid 180 and Process 84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe. The report lists the following 22 privileges twice each (first pass, then a second pass in the same order):
  Token: SeAssignPrimaryTokenPrivilege
  Token: SeAuditPrivilege
  Token: SeBackupPrivilege
  Token: SeChangeNotifyPrivilege
  Token: SeCreatePagefilePrivilege
  Token: SeCreatePermanentPrivilege
  Token: SeCreateTokenPrivilege
  Token: SeDebugPrivilege
  Token: SeIncBasePriorityPrivilege
  Token: SeIncreaseQuotaPrivilege
  Token: SeLoadDriverPrivilege
  Token: SeLockMemoryPrivilege
  Token: SeMachineAccountPrivilege
  Token: SeProfSingleProcessPrivilege
  Token: SeRemoteShutdownPrivilege
  Token: SeRestorePrivilege
  Token: SeSecurityPrivilege
  Token: SeShutdownPrivilege
  Token: SeSystemEnvironmentPrivilege
  Token: SeSystemProfilePrivilege
  Token: SeSystemtimePrivilege
  Token: SeTakeOwnershipPrivilege
Suspicious use of SetWindowsHookEx (1 IoC)
  pid: 180, Process: 84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  description: PID 180 wrote to memory of 4568, pid: 180, Process: 84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe, procid_target: 94
  description: PID 180 wrote to memory of 4568, pid: 180, Process: 84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe, procid_target: 94
  description: PID 180 wrote to memory of 4568, pid: 180, Process: 84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe, procid_target: 94
  description: PID 4568 wrote to memory of 1532, pid: 4568, Process: cmd.exe, procid_target: 96
  description: PID 4568 wrote to memory of 1532, pid: 4568, Process: cmd.exe, procid_target: 96
  description: PID 4568 wrote to memory of 1532, pid: 4568, Process: cmd.exe, procid_target: 96
Processes
[1] C:\Users\Admin\AppData\Local\Temp\84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\84a6f218da295960b72e34589f1fe942_JaffaCakes118.exe"
    PID: 180
    - Sets service image path in registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ps.bat""
        PID: 4568
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\ps.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\ps.exe"
            PID: 1532
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4668,i,16315016104747277319,5510969007830467313,262144 --variations-seed-version --mojo-platform-channel-handle=3692 /prefetch:8
    PID: 4796
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 85B
MD5: 420b954d683e2b197d53efeaeba99c06
SHA1: 896f9d9e85eab8f75027a6a8efc66985f9c8a315
SHA256: 16969306883142174b1190225fb9a580bd31983bce486d90e059b42f0c394038
SHA512: 83a58844491130f3668f4c6ffe9cbe416a58acd740f364b99c3bc1dcdba80b1ff60ecbe3aaf8e033f5c3bdfc2a92cd21506caf480914ae48e55c5233fe73951b

Filesize: 18KB
MD5: b87de8861e17719e856a04de1220afb9
SHA1: eb4b4fa99c3ac75d1f49d555ec7769c4c99a604d
SHA256: 9ba9dca3281e2739c2b4858e456a4b6f64c132c33421eae98b0dacbb7de1030a
SHA512: 11f12457af35c2e1371a09d36ab7c89db6ef55fb4fd5b808f3af26fa54ddc962001ba03b4e5d60e683be846a9695eb10109a5d59bb08a5532bb757c2cd1d8c5f