Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
10/08/2024, 16:05
Behavioral task
behavioral1
Sample
86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe
Resource
win7-20240704-en
windows7-x64
12 signatures
150 seconds
Behavioral task
behavioral2
Sample
86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
12 signatures
150 seconds
General
-
Target
86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe
-
Size
195KB
-
MD5
86bbb58ee7fa37d1515e09e04131c33c
-
SHA1
73789bc9a05acd59e779e98c60143d3d49a541d0
-
SHA256
aef95097fc81601e1ac609617b5a27cec09832cb71267d7722edaa0f32dc2233
-
SHA512
3460848dd5d766c13ab3335d853862b1ba99435f0f73485e5efb25b400c72bdc11e472bc94cde7d28797ebd18e6dca86916f4cee766f3f44dbd53e1d7bb51fb0
-
SSDEEP
3072:tuHUJU+1l8nSCXOKcSZfuj014yxCAeEYs9a3nGtg0d50pnjdWsCbcNJL5sBot:tuHIU3SCXOM31Gs48xmj0sFNJLqq
Score
10/10
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe SCVHSOT.exe" 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe -
Disables Task Manager via registry modification
-
resource yara_rule behavioral2/memory/2432-0-0x0000000000400000-0x000000000047C000-memory.dmp upx behavioral2/files/0x000700000002348b-5.dat upx behavioral2/memory/2432-45-0x0000000000400000-0x000000000047C000-memory.dmp upx behavioral2/memory/2432-46-0x0000000000400000-0x000000000047C000-memory.dmp upx behavioral2/memory/2432-47-0x0000000000400000-0x000000000047C000-memory.dmp upx behavioral2/memory/2432-48-0x0000000000400000-0x000000000047C000-memory.dmp upx behavioral2/memory/2432-49-0x0000000000400000-0x000000000047C000-memory.dmp upx behavioral2/memory/2432-50-0x0000000000400000-0x000000000047C000-memory.dmp upx behavioral2/memory/2432-51-0x0000000000400000-0x000000000047C000-memory.dmp upx behavioral2/memory/2432-52-0x0000000000400000-0x000000000047C000-memory.dmp upx behavioral2/memory/2432-53-0x0000000000400000-0x000000000047C000-memory.dmp upx behavioral2/memory/2432-54-0x0000000000400000-0x000000000047C000-memory.dmp upx behavioral2/memory/2432-55-0x0000000000400000-0x000000000047C000-memory.dmp upx behavioral2/memory/2432-56-0x0000000000400000-0x000000000047C000-memory.dmp upx behavioral2/memory/2432-57-0x0000000000400000-0x000000000047C000-memory.dmp upx behavioral2/memory/2432-58-0x0000000000400000-0x000000000047C000-memory.dmp upx behavioral2/memory/2432-59-0x0000000000400000-0x000000000047C000-memory.dmp upx -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Yahoo Messengger = "C:\\Windows\\system32\\SCVHSOT.exe" 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\g: 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe File opened (read-only) \??\j: 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe File opened (read-only) \??\l: 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe File opened (read-only) \??\p: 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe File opened (read-only) \??\s: 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe File opened (read-only) \??\t: 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe File opened (read-only) \??\x: 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe File opened (read-only) \??\a: 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe File opened (read-only) \??\e: 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe File opened (read-only) \??\h: 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe File opened (read-only) \??\m: 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe File opened (read-only) \??\r: 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe File opened (read-only) \??\u: 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe File opened (read-only) \??\v: 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe File opened (read-only) \??\b: 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe File opened (read-only) \??\i: 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe File opened (read-only) \??\k: 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe File opened (read-only) \??\n: 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe File opened (read-only) \??\q: 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe File opened (read-only) \??\o: 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe File opened (read-only) \??\w: 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe File opened (read-only) \??\y: 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe File opened (read-only) \??\z: 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe -
Drops file in System32 directory 7 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\SCVHSOT.exe 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe File created C:\Windows\SysWOW64\blastclnnn.exe 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\blastclnnn.exe 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\autorun.ini 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe File created C:\Windows\SysWOW64\setting.ini 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\setting.ini 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe File created C:\Windows\SysWOW64\SCVHSOT.exe 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File created C:\Windows\hinhem.scr 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe File created C:\Windows\SCVHSOT.exe 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe File opened for modification C:\Windows\SCVHSOT.exe 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language at.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language at.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2432 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe 2432 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe 2432 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe 2432 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe 2432 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe 2432 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe 2432 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe 2432 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe 2432 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe 2432 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe 2432 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe 2432 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe 2432 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe 2432 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe 2432 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe 2432 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe 2432 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe 2432 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe 2432 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe 2432 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe 2432 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe 2432 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe 2432 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe 2432 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe 2432 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe 2432 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe 2432 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe 2432 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe 2432 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe 2432 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe 2432 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe 2432 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe 2432 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe 2432 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe 2432 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe 2432 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe 2432 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe 2432 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe 2432 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe 2432 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe 2432 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe 2432 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe 2432 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe 2432 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe 2432 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe 2432 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe 2432 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe 2432 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe 2432 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe 2432 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe 2432 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe 2432 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe 2432 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe 2432 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe 2432 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe 2432 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe 2432 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe 2432 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe 2432 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe 2432 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe 2432 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe 2432 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe 2432 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe 2432 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2432 wrote to memory of 1624 2432 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe 84 PID 2432 wrote to memory of 1624 2432 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe 84 PID 2432 wrote to memory of 1624 2432 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe 84 PID 1624 wrote to memory of 4552 1624 cmd.exe 86 PID 1624 wrote to memory of 4552 1624 cmd.exe 86 PID 1624 wrote to memory of 4552 1624 cmd.exe 86 PID 2432 wrote to memory of 2696 2432 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe 87 PID 2432 wrote to memory of 2696 2432 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe 87 PID 2432 wrote to memory of 2696 2432 86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe 87 PID 2696 wrote to memory of 1168 2696 cmd.exe 89 PID 2696 wrote to memory of 1168 2696 cmd.exe 89 PID 2696 wrote to memory of 1168 2696 cmd.exe 89
Processes
-
C:\Users\Admin\AppData\Local\Temp\86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\86bbb58ee7fa37d1515e09e04131c33c_JaffaCakes118.exe"1⤵
- Modifies WinLogon for persistence
- Disables RegEdit via registry modification
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT /delete /yes2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\SysWOW64\at.exeAT /delete /yes3⤵
- System Location Discovery: System Language Discovery
PID:4552
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\blastclnnn.exe2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\at.exeAT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\blastclnnn.exe3⤵
- System Location Discovery: System Language Discovery
PID:1168
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
195KB
MD586bbb58ee7fa37d1515e09e04131c33c
SHA173789bc9a05acd59e779e98c60143d3d49a541d0
SHA256aef95097fc81601e1ac609617b5a27cec09832cb71267d7722edaa0f32dc2233
SHA5123460848dd5d766c13ab3335d853862b1ba99435f0f73485e5efb25b400c72bdc11e472bc94cde7d28797ebd18e6dca86916f4cee766f3f44dbd53e1d7bb51fb0
-
Filesize
100B
MD51f7b2b0b7fdb9e6ab44f27fa034a9834
SHA1dd2ebd286f752afb45f4675886bd5a520fc9422a
SHA2568dfa6f42f3f8d4c5eb29baf81c7e63f7d7555894d31fb6ed318544c0df1198d8
SHA512e691f8e3258cf2075ec0ecfdd35db80368e3c0bd8c42e715791cb904bed1119a8d227d90fb35a43f927818a22cfaedf200466919881376f8a4656ecd602bb65e
-
Filesize
148KB
MD5beaa84717044c61671b9cab28763dbef
SHA145862824ce5629a71bb768614db1d1f90d199000
SHA25687249cadccdff2753754c031c58f19fc999ceb1d6933610ae63fce34f69c3243
SHA512f201fc3dcc89abf369fe6e2b1a5f85a4e2bf4e43e3611ca811699b5156db5ae359af58f8d377e17544a4fa3335c1fa75de0dc219fb384304b3db1c48bfa1e466