Analysis
- max time kernel: 140s
- max time network: 129s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13/08/2024, 20:55
Static task
- static1
Behavioral task
- behavioral1
  Sample: 94b34b7231308938091277a347d65ec5_JaffaCakes118.exe
  Resource: win7-20240708-en
- behavioral2
  Sample: 94b34b7231308938091277a347d65ec5_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
- Target: 94b34b7231308938091277a347d65ec5_JaffaCakes118.exe
- Size: 48KB
- MD5: 94b34b7231308938091277a347d65ec5
- SHA1: 00c6057646e4cf049c16346745e9dd91b3945267
- SHA256: d78a3a8487ba2d2edd69261a9c3f7f240cc80280e80037ed0cdb464244d7fdfb
- SHA512: 9ad2d86dc0ae44858002364314af0c15a581d891383dedbdb2f74265146ad206c4ae286d02f7877f2416e20fdcd6886cb2a30ffd24f45bd84c643ddbc738de4e
- SSDEEP: 768:/9lIR05Et09xadDN0qsbKaocSyQCk4zsHG:/9lh5V5uDCXYHG
Malware Config
Signatures
- Launches sc.exe (1 IoC)
  Sc.exe is a Windows utility to control services on the system.
  pid | Process
  4548 | sc.exe
- System Location Discovery: System Language Discovery (1 TTP, 14 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 94b34b7231308938091277a347d65ec5_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
- Runs net.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  4216 | 94b34b7231308938091277a347d65ec5_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (39 IoCs)
  description | pid | Process | procid_target
  PID 4216 wrote to memory of 4380 | 4216 | 94b34b7231308938091277a347d65ec5_JaffaCakes118.exe | 91
  PID 4216 wrote to memory of 4380 | 4216 | 94b34b7231308938091277a347d65ec5_JaffaCakes118.exe | 91
  PID 4216 wrote to memory of 4380 | 4216 | 94b34b7231308938091277a347d65ec5_JaffaCakes118.exe | 91
  PID 4380 wrote to memory of 2864 | 4380 | cmd.exe | 93
  PID 4380 wrote to memory of 2864 | 4380 | cmd.exe | 93
  PID 4380 wrote to memory of 2864 | 4380 | cmd.exe | 93
  PID 2864 wrote to memory of 5068 | 2864 | net.exe | 94
  PID 2864 wrote to memory of 5068 | 2864 | net.exe | 94
  PID 2864 wrote to memory of 5068 | 2864 | net.exe | 94
  PID 4380 wrote to memory of 3408 | 4380 | cmd.exe | 95
  PID 4380 wrote to memory of 3408 | 4380 | cmd.exe | 95
  PID 4380 wrote to memory of 3408 | 4380 | cmd.exe | 95
  PID 3408 wrote to memory of 60 | 3408 | net.exe | 96
  PID 3408 wrote to memory of 60 | 3408 | net.exe | 96
  PID 3408 wrote to memory of 60 | 3408 | net.exe | 96
  PID 4380 wrote to memory of 5116 | 4380 | cmd.exe | 97
  PID 4380 wrote to memory of 5116 | 4380 | cmd.exe | 97
  PID 4380 wrote to memory of 5116 | 4380 | cmd.exe | 97
  PID 5116 wrote to memory of 4500 | 5116 | net.exe | 98
  PID 5116 wrote to memory of 4500 | 5116 | net.exe | 98
  PID 5116 wrote to memory of 4500 | 5116 | net.exe | 98
  PID 4380 wrote to memory of 4548 | 4380 | cmd.exe | 99
  PID 4380 wrote to memory of 4548 | 4380 | cmd.exe | 99
  PID 4380 wrote to memory of 4548 | 4380 | cmd.exe | 99
  PID 4380 wrote to memory of 4256 | 4380 | cmd.exe | 100
  PID 4380 wrote to memory of 4256 | 4380 | cmd.exe | 100
  PID 4380 wrote to memory of 4256 | 4380 | cmd.exe | 100
  PID 4380 wrote to memory of 4116 | 4380 | cmd.exe | 101
  PID 4380 wrote to memory of 4116 | 4380 | cmd.exe | 101
  PID 4380 wrote to memory of 4116 | 4380 | cmd.exe | 101
  PID 4380 wrote to memory of 2792 | 4380 | cmd.exe | 102
  PID 4380 wrote to memory of 2792 | 4380 | cmd.exe | 102
  PID 4380 wrote to memory of 2792 | 4380 | cmd.exe | 102
  PID 4216 wrote to memory of 3172 | 4216 | 94b34b7231308938091277a347d65ec5_JaffaCakes118.exe | 107
  PID 4216 wrote to memory of 3172 | 4216 | 94b34b7231308938091277a347d65ec5_JaffaCakes118.exe | 107
  PID 4216 wrote to memory of 3172 | 4216 | 94b34b7231308938091277a347d65ec5_JaffaCakes118.exe | 107
  PID 3172 wrote to memory of 1596 | 3172 | cmd.exe | 109
  PID 3172 wrote to memory of 1596 | 3172 | cmd.exe | 109
  PID 3172 wrote to memory of 1596 | 3172 | cmd.exe | 109
Processes
- C:\Users\Admin\AppData\Local\Temp\94b34b7231308938091277a347d65ec5_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\94b34b7231308938091277a347d65ec5_JaffaCakes118.exe"
  PID: 4216
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sseg.bat
    PID: 4380
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe
      Command line: net stop "central de seguranτa"
      PID: 2864
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop "central de seguranτa"
        PID: 5068
        - System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\net.exe
      Command line: net stop wscsvc
      PID: 3408
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop wscsvc
        PID: 60
        - System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\net.exe
      Command line: net stop SharedAccess
      PID: 5116
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop SharedAccess
        PID: 4500
        - System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\sc.exe
      Command line: sc config wscsvc start = disabled
      PID: 4548
      - Launches sc.exe
      - System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD "HKLM\System\CurrentControlSet\Control\Terminal Server" /v AllowTSConnections /t REG_DWORD /d 0x00000001 /f
      PID: 4256
      - System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0x00000001 /f
      PID: 4116
      - System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 0x00000001 /f
      PID: 2792
      - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ocx.bat
    PID: 3172
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\regsvr32.exe
      Command line: Regsvr32.exe /s C:\Users\Admin\AppData\Local\Temp\MSINET.OCX
      PID: 1596
      - System Location Discovery: System Language Discovery
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3808,i,3387628439405076340,17957358341235678872,262144 --variations-seed-version --mojo-platform-channel-handle=4272 /prefetch:8
  PID: 1660
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 795B
  MD5: 5d8d79c3cb9af023240b1be6f5057aaa
  SHA1: df22980677b134e83d878893f7c7984e0d78a240
  SHA256: e8b101a7c7f64aad528cc734513cbeb02243c0af37930dc0f3239749cff184b6
  SHA512: 66f432b622cee0bcc06cbc0f833de1471ea36c295b4cd93eb848d97e69c2252acd2fc8972db51ea35475a424f4d6cb5001325525fb04f71b8704eb24de1c4008
- Filesize: 8KB
  MD5: 73e349893791986dcaa2d00900e6c443
  SHA1: 1ef841cc0895227f22999157a058e54471888dc5
  SHA256: a0454849d2ee1369f82c44e820f3980475930a6f1941fc33f099665b63a6b1d2
  SHA512: a20a7ff3f18743583aa8b2f15409b63ce7223096263ebcac82f61d68591f92ffc582a7d03c3e14f31c64555d1ebfb80872cae7de92191d4c6ffc750aad8d5747
- Filesize: 49KB
  MD5: 0d076d1dfb811f069a205464633364d9
  SHA1: 631821b3886311ea9d2f57976f1e423df922d6c5
  SHA256: 79c150df7f0a5e3d2492816e514cda1a4eba65a224dee50f04f319fb0ec09889
  SHA512: 841744fcfad6d95968f09900edc96165b71ccc3a6aaf143432f888b849f1014191ff90a40f6a43129d27978dad73fba0ef10bcdb61c6083e823f0c267df65df0
- Filesize: 79B
  MD5: 8024b884c962eb4d4173937815862d4a
  SHA1: 705948046cf10f04d969ba2ebaac0d9ec5890ff4
  SHA256: dd7a4118ad940887b5ff318001e1841b994c9c1f83571708b49a9b1290fb9d9f
  SHA512: 11b3b313c35785ec437b47e422a3ce23ca602f727d784b4f804b9ea876b08eebf97b9dfe6fd4f5540e109e6b082466e8678884f3d886b279e4269bcd9a8ddaba
- Filesize: 598B
  MD5: b632bdffd9eea8a8bdef34fe54422ee2
  SHA1: 7221ff2239f23b2d25d54202fcfa4e38bdd4203b
  SHA256: 34f2d00d5de8476b29f033031933967391afd0a882f95bf751614066d870b601
  SHA512: 4ef975151aad95ee03136eb6be819ad8115350e9e328b13c0fcb774f4e8584b840859ad98a418d34be86ce79965a8e4529cb55a696b37dd007c9c3b6a423ec82