Analysis
- max time kernel: 17s
- max time network: 26s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/08/2024, 05:06
Static task: static1
Behavioral task: behavioral1
  Sample: 8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
Errors
General
- Target: 8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe
- Size: 812KB
- MD5: 8d6e16652255248faf57ad57c890c36d
- SHA1: 4403ef0c6b8ca2f0d66a5d1ab8fab014bc6d7a74
- SHA256: 15248611bb13ad117b920beab27b4127548d507a404a221db8cdb6f48245c852
- SHA512: 668965db931da5c620ac59b84b79d70edb04af7df09bee95147b8b350bc11992686a3f7c34747b68a714826b10ff49a27fa23098df4441975ae85859debda5e0
- SSDEEP: 24576:g8QT6rzvo4ZD1yiQQNN3iR1n7HNhf1zRZ27n0:R5AQH817HNhvSn
Malware Config
Signatures
- Checks BIOS information in registry (2 TTPs, 6 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: 8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate (process: 8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: taskmngr.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate (process: taskmngr.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: taskmngr.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate (process: taskmngr.exe)
- Executes dropped EXE (4 IoCs)
  - PID 1944: taskmngr.exe
  - PID 3700: taskmngr.exe
  - PID 2780: taskmngr.exe
  - PID 4452: taskmngr.exe
- Drops file in System32 directory (4 IoCs)
  - File created: C:\Windows\SysWOW64\taskmngr.exe (process: 8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe)
  - File opened for modification: C:\Windows\SysWOW64\taskmngr.exe (process: 8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe)
  - File opened for modification: C:\Windows\SysWOW64\taskmngr.exe (process: taskmngr.exe)
  - File created: C:\Windows\SysWOW64\taskmngr.exe (process: taskmngr.exe)
- System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: taskmngr.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: taskmngr.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: taskmngr.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: taskmngr.exe)
- Modifies registry class (15 IoCs)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\InProcServer32\ThreadingModel = "Both" (process: 8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\kvCEdfzzjLcc = "hHMbU`fiPLa_PWc`yTjS~hEI" (process: taskmngr.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\jctpmezfLXV = "B^pVVtvlz@EjEyQrJ\x7fEmhPxmUryT}]ta" (process: taskmngr.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\tpfdyldrkrO = "mY\x7fOa|Aq{[]vNOh_M{MZ" (process: taskmngr.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\jctpmezfLXV = "B^pVVtvlz@EiEyQrJ\x7fEnhPxmUryT}]ta" (process: taskmngr.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\qiAucm = "}dQ}YRgc_uK{OTsmgczjG~nv" (process: taskmngr.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC} (process: 8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\Containers (process: 8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\InProcServer32 (process: 8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\InProcServer32\ = "%SystemRoot%\\SysWow64\\windowscodecs.dll" (process: 8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\kOfZEUyGexdHu = "\x7fOdI]omZ}LpCUwdk" (process: taskmngr.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\zwcJmdrjcyto = "F`" (process: taskmngr.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\QjeSnhtmp = "|bluy^Z_{poxUBg@" (process: taskmngr.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\zwcJmdrjcyto = "^p" (process: taskmngr.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EF76B5A2-CA3A-E66F-A851-28D5F2D1CFEC}\qiAucm = "}dQ}YRgc_uK{OT\x7fmgczj{q{S" (process: taskmngr.exe)
- NTFS ADS (2 IoCs)
  - File opened for modification: C:\ProgramData\TEMP:5D2892D9 (process: taskmngr.exe)
  - File created: C:\ProgramData\TEMP:5D2892D9 (process: taskmngr.exe)
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  - Token: 33, PID 4936, 8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe
  - Token: SeIncBasePriorityPrivilege, PID 4936, 8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe
  - Token: 33, PID 4936, 8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe
  - Token: SeIncBasePriorityPrivilege, PID 4936, 8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe
  - Token: 33, PID 3700, taskmngr.exe
  - Token: SeIncBasePriorityPrivilege, PID 3700, taskmngr.exe
  - Token: 33, PID 3700, taskmngr.exe
  - Token: SeIncBasePriorityPrivilege, PID 3700, taskmngr.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  The 64 entries are repeated occurrences of the following five parent/child pairs (source PID wrote to memory of target PID; source process; procid_target):
  - PID 3196 wrote to memory of 4936 (8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe, procid_target 84)
  - PID 4936 wrote to memory of 1944 (8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe, procid_target 88)
  - PID 1944 wrote to memory of 3700 (taskmngr.exe, procid_target 89)
  - PID 3700 wrote to memory of 2780 (taskmngr.exe, procid_target 97)
  - PID 2780 wrote to memory of 4452 (taskmngr.exe, procid_target 98)
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe"
  PID: 3196
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe"
    PID: 4936
    - Checks BIOS information in registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\taskmngr.exe
      Command line: C:\Windows\system32\taskmngr.exe 1308 "C:\Users\Admin\AppData\Local\Temp\8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe"
      PID: 1944
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - [depth 4] C:\Windows\SysWOW64\taskmngr.exe
        Command line: C:\Windows\system32\taskmngr.exe 1308 "C:\Users\Admin\AppData\Local\Temp\8d6e16652255248faf57ad57c890c36d_JaffaCakes118.exe"
        PID: 3700
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        - NTFS ADS
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - [depth 5] C:\Windows\SysWOW64\taskmngr.exe
          Command line: C:\Windows\system32\taskmngr.exe 1476 "C:\Windows\SysWOW64\taskmngr.exe"
          PID: 2780
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          - [depth 6] C:\Windows\SysWOW64\taskmngr.exe
            Command line: C:\Windows\system32\taskmngr.exe 1476 "C:\Windows\SysWOW64\taskmngr.exe"
            PID: 4452
            - Checks BIOS information in registry
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 99B
  MD5: c8f60cda1b25f5042de2c46674d3fd62
  SHA1: 9f6a5e1f67acacae691478db64aef4c9db6d90b6
  SHA256: 8623a5b7b2de2c770704e1aec2c89e543e1f45335e5567ce904059138deff281
  SHA512: 8dc9e4ec941095dda3ae1dd740a89ea0b4e3e140144e2e74f149d3b77b11f2639d99fa24ad1c4b7cf67943f184420bf3aaf16d916a32982f0f9ef0469494cd28
- Filesize: 812KB
  MD5: 8d6e16652255248faf57ad57c890c36d
  SHA1: 4403ef0c6b8ca2f0d66a5d1ab8fab014bc6d7a74
  SHA256: 15248611bb13ad117b920beab27b4127548d507a404a221db8cdb6f48245c852
  SHA512: 668965db931da5c620ac59b84b79d70edb04af7df09bee95147b8b350bc11992686a3f7c34747b68a714826b10ff49a27fa23098df4441975ae85859debda5e0