Resubmissions
- 11/08/2024, 16:49  240811-vbshgaxhqn  7
- 11/08/2024, 16:43  240811-t8m4ksxgmp  8
- 11/08/2024, 16:43  240811-t8bqjsxglp  7
- 11/08/2024, 16:37  240811-t4xgfssbrg  7
- 11/08/2024, 16:36  240811-t4j65axerk  7
- 11/08/2024, 16:33  240811-t2qacsxelp  7

Analysis
max time kernel: 1790s
max time network: 1793s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 11/08/2024, 16:49
General
Target: 8b1ca6608cf833fa62650ec0ab9310d6_JaffaCakes118.exe
Size: 23KB
MD5: 8b1ca6608cf833fa62650ec0ab9310d6
SHA1: f9587d784e3dfdbbd2779b5236ce95cfa750eafe
SHA256: 463bef1a5e059c9ad7e46e7e71f580d36335b0ac7fd3cbb165d88ded95cc5320
SHA512: 934b6b38d813777ba0fb733e588ef4af5718bbe00ee401253952b66b3f6a154f1e570408b1c2cf820cf4c9d5085b12172fda577345f242bfda8881c4454ebd45
SSDEEP: 384:J5EhiDq9F5KRvhZfqic+hOzAaXNHpOukAaCNoNLFlZgM+GPCc/k1:JGUq9vKxhZfA+hOzAadJOxCNoTlZgM+T
Malware Config
Signatures
- YARA rule match: upx (1 IoC)
  resource: behavioral1/memory/8-0-0x0000000000400000-0x000000000041D000-memory.dmp
  (memory dump of the sample process, PID 8; the image range 0x400000-0x41D000 is the unpacked-in-memory view the rule matched)
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language                8b1ca6608cf833fa62650ec0ab9310d6_JaffaCakes118.exe
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                         msedge.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer      msedge.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName       msedge.exe
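The two registry signatures above are the only registry activity the report attributes to any process, and only the first one comes from the sample itself. The following Python is an added example, not tria.ge's code: it parses IoC rows in the report's own "action, key, process" layout, groups them under the two signature names, and decodes the LANGID value the sample would have read under NLS\Language. The ATT&CK IDs are my mapping (the report prints names and TTP counts only): T1614.001 is the ID for System Location Discovery: System Language Discovery, and T1082/T1012 are the usual IDs for registry-based system information discovery. The event rows are constructed from this report; the LANGID table is a small subset of the Windows values.

```python
import re

# Constructed from the IoC rows of the two registry signatures in this report
# (one row per line: "<action> <registry key> <process>").
EVENTS = [
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8b1ca6608cf833fa62650ec0ab9310d6_JaffaCakes118.exe",
    r"Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe",
]

EVENT_RE = re.compile(r"^(Key opened|Key value queried) (\\REGISTRY\\\S+) (\S+)$")

# Signature name, ATT&CK IDs (my mapping; the report prints names only), key pattern.
RULES = [
    ("System Location Discovery: System Language Discovery", ("T1614.001",),
     re.compile(r"\\Control\\NLS\\Language$", re.IGNORECASE)),
    ("Enumerates system info in registry", ("T1082", "T1012"),
     re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\BIOS(\\|$)", re.IGNORECASE)),
]


def parse_event(line):
    """Split one IoC row into action, key and process; None if the row is malformed."""
    m = EVENT_RE.match(line.strip())
    if m is None:
        return None
    action, key, process = m.groups()
    return {"action": action, "key": key, "process": process}


def classify(lines):
    """Group rows by the signature whose key pattern they match."""
    hits = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for name, ttps, pattern in RULES:
            if pattern.search(ev["key"]):
                entry = hits.setdefault(
                    name, {"ttps": ttps, "count": 0, "processes": set(), "keys": []})
                entry["count"] += 1
                entry["processes"].add(ev["process"])
                entry["keys"].append(ev["key"])
    return hits


# Subset of Windows LANGIDs, as stored in the REG_SZ "Default" value under NLS\Language.
LANGIDS = {
    0x0409: "en-US", 0x0407: "de-DE", 0x040C: "fr-FR", 0x0804: "zh-CN",
    0x0419: "ru-RU", 0x0422: "uk-UA", 0x0423: "be-BY", 0x043F: "kk-KZ",
}


def decode_langid(value):
    """Decode a LANGID string such as "0409" into (locale or None, primary, sublanguage).

    The low 10 bits are the primary language (0x19 is Russian in every region),
    which is the field a language-based geofence normally compares against.
    """
    langid = int(value, 16)
    return LANGIDS.get(langid), langid & 0x3FF, langid >> 10


if __name__ == "__main__":
    for name, entry in classify(EVENTS).items():
        print(f"{name} {entry['ttps']}: {entry['count']} IoC(s) from {sorted(entry['processes'])}")
    # The sandbox image is tagged locale:en-us, so the sample will have read "0409".
    print(decode_langid("0409"))
```

Because the image is en-US, a sample that bails out on a CIS or other non-target locale would run to completion here; the report can confirm the key was read, not what the sample decided afterwards.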
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid 424 msedge.exe (2), pid 1520 msedge.exe (2), pid 2368 msedge.exe (2), pid 2072 identity_helper.exe (2), pid 5024 msedge.exe (4)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
  pid 424 msedge.exe (7)
- Suspicious use of FindShellTrayWindow (25 IoCs)
  pid 424 msedge.exe (25)
- Suspicious use of SendNotifyMessage (12 IoCs)
  pid 424 msedge.exe (12)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Every event has pid 424 (msedge.exe) as the writer; the targets are its own child processes:
  PID 424 wrote to memory of 5000   procid_target 85
  PID 424 wrote to memory of 1464   procid_target 86
  PID 424 wrote to memory of 1520   procid_target 87
  PID 424 wrote to memory of 3336   procid_target 88
Processes
Top-level processes are flush left; child processes are indented under their parent.

"C:\Users\Admin\AppData\Local\Temp\8b1ca6608cf833fa62650ec0ab9310d6_JaffaCakes118.exe"
    PID:8
    - System Location Discovery: System Language Discovery

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
    PID:424
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff4b403cb8,0x7fff4b403cc8,0x7fff4b403cd8
        PID:5000

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,11861001621350184115,537188008011936208,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1872 /prefetch:2
        PID:1464

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1884,11861001621350184115,537188008011936208,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
        PID:1520
        - Suspicious behavior: EnumeratesProcesses

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1884,11861001621350184115,537188008011936208,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2548 /prefetch:8
        PID:3336

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,11861001621350184115,537188008011936208,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
        PID:1204

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,11861001621350184115,537188008011936208,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
        PID:3276

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,11861001621350184115,537188008011936208,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4592 /prefetch:1
        PID:2944

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,11861001621350184115,537188008011936208,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4076 /prefetch:1
        PID:584

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,11861001621350184115,537188008011936208,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4872 /prefetch:1
        PID:3716

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,11861001621350184115,537188008011936208,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1
        PID:2212

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1884,11861001621350184115,537188008011936208,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4772 /prefetch:8
        PID:2368
        - Suspicious behavior: EnumeratesProcesses

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,11861001621350184115,537188008011936208,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4560 /prefetch:1
        PID:3440

    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1884,11861001621350184115,537188008011936208,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 /prefetch:8
        PID:2072
        - Suspicious behavior: EnumeratesProcesses

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,11861001621350184115,537188008011936208,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5016 /prefetch:2
        PID:5024
        - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID:3380

C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID:436

Note: msedge.exe (PID 424) and both CompPkgSrv.exe instances are top-level here, alongside the sample rather than under it, and the sample process (PID 8) has no children in this tree. Every Edge-attributed signature above therefore describes the browser's own process model (crashpad, GPU, network, storage, renderer and utility children), not activity the report links to the sample.
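An added Python example (not tria.ge's code) that ties the "Suspicious use of WriteProcessMemory" signature to the process tree above. All 64 write events name PID 424 as the writer and PIDs 5000, 1464, 1520 and 3336 as targets, and the tree shows those four as Edge's own children, so the check below classifies each write as either "into the writer's own subtree" (expected for a multi-process browser populating its children) or "into an unrelated process" (the case worth escalating). The process table is transcribed from this report; the write rows are a constructed subset of the 64, in the report's column order (description, pid, Process, procid_target).

```python
import re
from collections import Counter

# Transcribed from this report's Processes section: pid -> (parent pid, image, role).
# Top-level processes (flush left in the report) have parent None.
PROCESSES = {
    8:    (None, "8b1ca6608cf833fa62650ec0ab9310d6_JaffaCakes118.exe", "sample"),
    424:  (None, "msedge.exe", "browser --profile-directory=Default"),
    5000: (424, "msedge.exe", "crashpad-handler"),
    1464: (424, "msedge.exe", "gpu-process"),
    1520: (424, "msedge.exe", "utility network.mojom.NetworkService"),
    3336: (424, "msedge.exe", "utility storage.mojom.StorageService"),
    1204: (424, "msedge.exe", "renderer 6"),
    3276: (424, "msedge.exe", "renderer 5"),
    2944: (424, "msedge.exe", "renderer 7"),
    584:  (424, "msedge.exe", "renderer 8"),
    3716: (424, "msedge.exe", "renderer 9"),
    2212: (424, "msedge.exe", "renderer 10"),
    2368: (424, "msedge.exe", "utility chrome.mojom.UtilWin"),
    3440: (424, "msedge.exe", "renderer 12"),
    2072: (424, "identity_helper.exe", "utility winrt_app_id.mojom.WinrtAppIdService"),
    5024: (424, "msedge.exe", "gpu-process"),
    3380: (None, "CompPkgSrv.exe", "-Embedding"),
    436:  (None, "CompPkgSrv.exe", "-Embedding"),
}

# Constructed subset of the 64 rows under "Suspicious use of WriteProcessMemory".
WRITE_ROWS = [
    "PID 424 wrote to memory of 5000 424 msedge.exe 85",
    "PID 424 wrote to memory of 1464 424 msedge.exe 86",
    "PID 424 wrote to memory of 1464 424 msedge.exe 86",
    "PID 424 wrote to memory of 1520 424 msedge.exe 87",
    "PID 424 wrote to memory of 3336 424 msedge.exe 88",
]

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")


def parse_write_row(row):
    """Return (writer pid, target pid, writer image, procid_target), or None if malformed."""
    m = ROW_RE.match(row.strip())
    if m is None:
        return None
    writer, target, pid, image, procid_target = m.groups()
    if writer != pid:  # the description and the pid column must agree
        return None
    return int(writer), int(target), image, int(procid_target)


def is_descendant(tree, pid, ancestor):
    """True if `ancestor` is somewhere on `pid`'s parent chain (cycle-safe)."""
    seen = set()
    while pid is not None and pid not in seen:
        seen.add(pid)
        parent = tree.get(pid, (None,))[0]
        if parent == ancestor:
            return True
        pid = parent
    return False


def triage_writes(rows, tree):
    """Split writes into those landing in the writer's own subtree and all others."""
    own = Counter()
    foreign = []
    writers = set()
    for row in rows:
        parsed = parse_write_row(row)
        if parsed is None:
            continue
        writer, target, _image, _procid_target = parsed
        writers.add(writer)
        if is_descendant(tree, target, writer):
            own[target] += 1
        else:
            foreign.append((writer, target))
    return {"own_children": dict(own), "foreign": foreign, "writers": writers}


if __name__ == "__main__":
    result = triage_writes(WRITE_ROWS, PROCESSES)
    print("writers:", result["writers"])
    print("writes into own subtree:", result["own_children"])
    print("writes into unrelated processes:", result["foreign"])
```

For this report the "foreign" list is empty and the sample (PID 8) never appears as a writer; a row such as a write from PID 8 into PID 424 would be the signal that the same signature name actually meant injection.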
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 11KB
  MD5: a449e00a4d06b2cdc37542e879b87f41
  SHA1: a532a4e792b799b60a63aad87f78bd8195c98853
  SHA256: f4483d6dc1224c9cb2613c61a066b9acaffa25c3f0a4a085aa5babf6a570d761
  SHA512: f035284f42f45992823987fa403b0373ecbb639ccfc8925f7db867af1a9e8d5e35fbeeea18ebc20d95657776aee610dd25d999e8b3be8ddd6a1ff7febdb9bc12
- Filesize: 152B
  MD5: 9828ffacf3deee7f4c1300366ec22fab
  SHA1: 9aff54b57502b0fc2be1b0b4b3380256fb785602
  SHA256: a3d21f0fb6563a5c9d0f7a6e9c125ec3faaa86ff43f37cb85a8778abc87950f7
  SHA512: 2e73ea4d2fcd7c8d52487816110f5f4a808ed636ae87dd119702d1cd1ae315cbb25c8094a9dddf18f07472b4deaed3e7e26c9b499334b26bdb70d4fa7f84168d
- Filesize: 152B
  MD5: 6fdbe80e9fe20761b59e8f32398f4b14
  SHA1: 049b1f0c6fc4e93a4ba6b3c992f1d6cecf3ada1f
  SHA256: b7f0d9ece2307bdc4f05a2d814c947451b007067ff8af977f77f06c3d5706942
  SHA512: cf25c7fd0d6eccc46e7b58949c16d17ebeefb7edd6c76aa62f7ab5da52d1c6fc88bde620be40396d336789bd0d62b2162209a947d7ab69389e8c03682e880234
- Filesize: 111B
  MD5: 807419ca9a4734feaf8d8563a003b048
  SHA1: a723c7d60a65886ffa068711f1e900ccc85922a6
  SHA256: aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
  SHA512: f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c
- Filesize: 5KB
  MD5: f7955d00d4d94ff810b3c2537335d5e7
  SHA1: 364fc2affd696fe5e709cd79c1737668734b2d1c
  SHA256: fbb9574de272911209c7736faa93480fd06bb5f757cac3f3295cc20251fdfbca
  SHA512: 382aa90c3aa257b71c87130337bea27f5d93d6d017d52423504a5706801e3af2c12b1020ce41f0c756f805438d9b9b6fecf1daffc8fabb160f0ea7fd71e6d44f
- Filesize: 5KB
  MD5: 2217c3b1712175a6c016d00319faa973
  SHA1: d73055a745c23d1a9ed37136fe5755b062f924be
  SHA256: a0a1aae91a868557df8aebb6bf7f2aab4c10adb3590f6a5a759bffb440ee57c2
  SHA512: 3a087dd2e53d66f6e7c6b5a6b97565ddffc860f41176df7d921b9fea03bc245498730ec5102ad58b903ae83aa8dfdb4a14c2f19ed4969a2d54b9a5bbbbddc580
- Filesize: 16B
  MD5: 46295cac801e5d4857d09837238a6394
  SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
- Filesize: 16B
  MD5: 206702161f94c5cd39fadd03f4014d98
  SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
  SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
  SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
- Filesize: 10KB
  MD5: 9e338da1c104ede10e0e7729dd9db0ee
  SHA1: 2a12cc69bfa2ce728a03c8a5915a9c7ea3f1c7d1
  SHA256: 24fbd6a6f7b364b99a636c7d02f596060c43ec0714f216b7ec6c7e3174fb3362
  SHA512: b9e3f70bfa82ae9c21aca7ddefc0f77e233b15c667432ff67890c879e4a5de592ca22a3c3d77689e948c75f545fbc75d15303d74fd9906716f3a7142d09dc776