Analysis
-
max time kernel: 142s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17/08/2024, 17:39
Behavioral task behavioral1
Sample: a37e2dafe191e2b5032816242f442fee_JaffaCakes118.exe
Resource: win7-20240704-en
Behavioral task behavioral2
Sample: a37e2dafe191e2b5032816242f442fee_JaffaCakes118.exe
Resource: win10v2004-20240802-en
General
-
Target
a37e2dafe191e2b5032816242f442fee_JaffaCakes118.exe
-
Size
960KB
-
MD5
a37e2dafe191e2b5032816242f442fee
-
SHA1
d71d8488eaf31ab93eefd44833f93a32c063f479
-
SHA256
a828fe824249c9965db6d964a6fbb701f148aada1b56d9a39b58129beb537371
-
SHA512
de25c76803ebd5296ed06fde3c648168da225150d5bf09766747beee0351b34ffb4e8832f333b46cda0b1ae426175565674e78d6838a6d874eaa748465cec094
-
SSDEEP
24576:HwU/UwhWvS3u9OvUisQM6GcC1pfnnnDolPNl3HpM5b:HZU8W81vdMcUfnnDIZpMB
Malware Config
Signatures
-
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
resource: behavioral2/files/0x0007000000023437-111.dat
yara_rule: acprotect
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation
process: svchost.exe
Executes dropped EXE 4 IoCs
PID 4176  shdocvw.exe
PID 1656  svchost.exe
PID 1172  updater.exe
PID 2344  svchost.exe
Loads dropped DLL 2 IoCs
PID 2344  svchost.exe
PID 2344  svchost.exe
UPX packed file 17 IoCs
Files and memory regions matching the yara rule upx (the packed original at 0x400000-0x474000 in PID 3208, the dropped files, and the unpacked/mapped images in the dropped processes):
behavioral2/memory/3208-0-0x0000000000400000-0x0000000000474000-memory.dmp  upx
behavioral2/files/0x0007000000023433-3.dat  upx
behavioral2/memory/3208-6-0x0000000000400000-0x0000000000474000-memory.dmp  upx
behavioral2/files/0x0007000000023434-92.dat  upx
behavioral2/memory/1656-93-0x0000000000400000-0x000000000057F000-memory.dmp  upx
behavioral2/files/0x0007000000023438-95.dat  upx
behavioral2/memory/4176-101-0x0000000000400000-0x0000000000474000-memory.dmp  upx
behavioral2/memory/1656-105-0x0000000000400000-0x000000000057F000-memory.dmp  upx
behavioral2/files/0x0007000000023437-111.dat  upx
behavioral2/memory/2344-115-0x0000000004270000-0x000000000428D000-memory.dmp  upx
behavioral2/memory/1172-122-0x0000000000400000-0x0000000000474000-memory.dmp  upx
behavioral2/memory/2344-123-0x0000000000400000-0x000000000057F000-memory.dmp  upx
behavioral2/memory/2344-124-0x0000000004270000-0x000000000428D000-memory.dmp  upx
behavioral2/memory/2344-125-0x0000000000400000-0x000000000057F000-memory.dmp  upx
behavioral2/memory/2344-129-0x0000000000400000-0x000000000057F000-memory.dmp  upx
behavioral2/memory/2344-139-0x0000000000400000-0x000000000057F000-memory.dmp  upx
behavioral2/memory/2344-152-0x0000000004270000-0x000000000428D000-memory.dmp  upx
Adds Run key to start application 2 TTPs 1 IoCs
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\shdocvw = " C:\\Program Files (x86)\\F53304\\shdocvw.exe "
process: reg.exe
Note: the reg.exe command line (see Processes) targets HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, but it is the 32-bit reg.exe from SysWOW64, so registry redirection stores the value under the WOW6432Node view recorded here. Windows processes both the native and the WOW6432Node Run keys at logon, so check both when hunting for this persistence.
Drops file in Program Files directory 25 IoCs
operation | path | process
File created | C:\Program Files (x86)\F53304\svchost.exe | shdocvw.exe
File opened for modification | C:\Program Files (x86)\F53304\svchost.exe | shdocvw.exe
File opened for modification | C:\Program Files (x86)\F53304\Plugins\Uploading.plg | shdocvw.exe
File opened for modification | C:\Program Files (x86)\F53304\runer.bat | shdocvw.exe
File opened for modification | C:\Program Files (x86)\F53304\updater.exe | shdocvw.exe
File opened for modification | C:\Program Files (x86)\F53304\Svchost.lst | shdocvw.exe
File opened for modification | C:\Program Files (x86)\F53304\svchost.exe.manifest | svchost.exe
File opened for modification | C:\Program Files (x86)\F53304\svchost.ini | svchost.exe
File opened for modification | C:\Program Files (x86)\F53304\shdocvw.exe | a37e2dafe191e2b5032816242f442fee_JaffaCakes118.exe
File created | C:\Program Files (x86)\F53304\svchost.ini | shdocvw.exe
File created | C:\Program Files (x86)\F53304\updater.exe | shdocvw.exe
File opened for modification | C:\Program Files (x86)\F53304\Svchost.ini | shdocvw.exe
File created | C:\Program Files (x86)\F53304\lst.txt | shdocvw.exe
File created | C:\Program Files (x86)\F53304\svchost.exe.manifest | svchost.exe
File created | C:\Program Files (x86)\F53304\svchost.log | svchost.exe
File opened for modification | C:\Program Files (x86)\F53304\svchost.lst | svchost.exe
File opened for modification | C:\Program Files (x86)\F53304\svchost.log | svchost.exe
File opened for modification | C:\Program Files (x86)\F53304\shdocvw.exe | updater.exe
File opened for modification | C:\Program Files (x86)\F53304 | a37e2dafe191e2b5032816242f442fee_JaffaCakes118.exe
File created | C:\Program Files (x86)\F53304\shdocvw.exe | a37e2dafe191e2b5032816242f442fee_JaffaCakes118.exe
File created | C:\Program Files (x86)\F53304\runer.bat | shdocvw.exe
File opened for modification | C:\Program Files (x86)\F53304 | shdocvw.exe
File opened for modification | C:\Program Files (x86)\F53304\svchost.ini | shdocvw.exe
File created | C:\Program Files (x86)\F53304\Plugins\Uploading.plg | shdocvw.exe
File created | C:\Program Files (x86)\F53304\version.txt | shdocvw.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Note that the same key is read by the Windows binaries in the chain (cmd.exe, reg.exe) as well as by the dropped executables, so on its own this signature is weak evidence.
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
processes: svchost.exe, updater.exe, svchost.exe, a37e2dafe191e2b5032816242f442fee_JaffaCakes118.exe, shdocvw.exe, cmd.exe, reg.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
PID 3208  a37e2dafe191e2b5032816242f442fee_JaffaCakes118.exe (2 occurrences)
PID 1172  updater.exe (2 occurrences)
Suspicious use of FindShellTrayWindow 20 IoCs
PID 2344  svchost.exe (20 occurrences)
Suspicious use of SendNotifyMessage 19 IoCs
PID 2344  svchost.exe (19 occurrences)
Suspicious use of WriteProcessMemory 18 IoCs
Each write is reported three times by the sandbox; procid_target is the sandbox's internal id of the target process.
PID 3208 (a37e2dafe191e2b5032816242f442fee_JaffaCakes118.exe) wrote to memory of PID 4176, procid_target 84 (3 writes)
PID 4176 (shdocvw.exe) wrote to memory of PID 4924, procid_target 87 (3 writes)
PID 4924 (cmd.exe) wrote to memory of PID 1964, procid_target 90 (3 writes)
PID 4176 (shdocvw.exe) wrote to memory of PID 1656, procid_target 91 (3 writes)
PID 4176 (shdocvw.exe) wrote to memory of PID 1172, procid_target 92 (3 writes)
PID 1656 (svchost.exe) wrote to memory of PID 2344, procid_target 94 (3 writes)
Processes
-
[n] is the depth in the process tree; each process lists its image path, command line, PID and the signatures it triggered.

[1] C:\Users\Admin\AppData\Local\Temp\a37e2dafe191e2b5032816242f442fee_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\a37e2dafe191e2b5032816242f442fee_JaffaCakes118.exe"
    PID: 3208
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    [2] C:\Program Files (x86)\F53304\shdocvw.exe
        Command line: "C:\Program Files (x86)\F53304\shdocvw.exe"
        PID: 4176
        - Executes dropped EXE
        - Drops file in Program Files directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\F53304\runer.bat""
            PID: 4924
            (The parent is a 32-bit process, so the System32 path in the command line is redirected to SysWOW64; the same redirection applies to the reg.exe child.)
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\reg.exe
                Command line: reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v shdocvw /t REG_SZ /d " C:\Program Files (x86)\F53304\shdocvw.exe " /f
                PID: 1964
                - Adds Run key to start application
                - System Location Discovery: System Language Discovery

        [3] C:\Program Files (x86)\F53304\svchost.exe
            Command line: "C:\Program Files (x86)\F53304\svchost.exe" /stealth
            PID: 1656
            - Checks computer location settings
            - Executes dropped EXE
            - Drops file in Program Files directory
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            [4] C:\Program Files (x86)\F53304\svchost.exe
                Command line: "C:\Program Files (x86)\F53304\svchost.exe"
                PID: 2344
                - Executes dropped EXE
                - Loads dropped DLL
                - Drops file in Program Files directory
                - System Location Discovery: System Language Discovery
                - Suspicious use of FindShellTrayWindow
                - Suspicious use of SendNotifyMessage

        [3] C:\Program Files (x86)\F53304\updater.exe
            Command line: "C:\Program Files (x86)\F53304\updater.exe"
            PID: 1172
            - Executes dropped EXE
            - Drops file in Program Files directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
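The Signatures and Processes sections above give a host-side picture of this sample: a Run-key value named shdocvw written by the 32-bit reg.exe (so it lands under WOW6432Node), a drop directory C:\Program Files (x86)\F53304 holding renamed system-binary look-alikes (shdocvw.exe, svchost.exe, updater.exe) plus their config files, and a svchost.exe running from that directory with a /stealth argument. The following hunting script is an added example written for this page; it is not part of the tria.ge report or of the sample. It takes its key names, paths, file names and SHA256 values from the report. Two things are assumptions of the example rather than facts from the report: the regular expression that flags any Run entry pointing into a six-hex-character folder under Program Files (x86) generalises from the single folder name F53304 seen here, and the Downloads table does not say which dropped file each hash belongs to, so hashes are matched as a flat set.

```powershell
# Added hunting example for the indicators in this report (not the report's or
# the sample's own code). Run in an elevated PowerShell so HKLM and
# Program Files are readable. Prints each matching indicator it finds.

$ErrorActionPreference = 'SilentlyContinue'

# SHA256 values copied from the report (General and Downloads sections). The
# report does not map dropped-file hashes to file names, so they are a flat set.
$KnownSha256 = @(
    'a828fe824249c9965db6d964a6fbb701f148aada1b56d9a39b58129beb537371', # submitted sample, 960KB
    '3932741f0829f9756acd0ef8c549b6b0676f0f61293ea3ce91440370ca8f8dd4', # 535KB download
    '697bd104278f0bc1ae965a3fe415db2d19729ac15bc7f68e826401067537894c', # 202KB download
    '925deb907ac4b6988c3da7acd5a12456bd544d40327ba26d1841ce0d9d4ed1c4', # 35KB download
    '62f1c6afca91811f41c42ddb85464a4ddf0787793a079a68587c1a0f0b53c5d3', # 7KB download
    'f75a34a8859a42bd79eafd2975d316334cf88c78815692e232d663385d8d95ba', # 2KB download
    'bd8cf293f2029b692478bc4187f3a3d9dd29210631d66cd83e9d2c4498b165e8', # 2KB download
    '93a8384ccc63206556223808850ef24da47cecf6db9c9007a5d891003d9bd805'  # 156B download
)

$Findings = New-Object 'System.Collections.Generic.List[string]'

# 1. Run-key persistence. The sample used the 32-bit reg.exe, so its value was
#    redirected to the WOW6432Node view; both HKLM views and HKCU are checked
#    because Windows executes entries from all of them at logon.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$ProviderProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
foreach ($Key in $RunKeys) {
    $Props = Get-ItemProperty -Path $Key
    if (-not $Props) { continue }
    foreach ($Prop in $Props.PSObject.Properties) {
        if ($ProviderProps -contains $Prop.Name) { continue }   # registry provider metadata, not Run values
        # Exact value name from the report, or (assumption generalised from the
        # one folder seen, F53304) any Run entry under a six-hex-char folder in
        # Program Files (x86).
        if ($Prop.Name -eq 'shdocvw' -or
            "$($Prop.Value)" -match '\\Program Files \(x86\)\\[0-9A-F]{6}\\') {
            $Findings.Add("Run key: $Key\$($Prop.Name) = $($Prop.Value)")
        }
    }
}

# 2. Dropped files. Paths and names are taken from 'Drops file in Program Files
#    directory'. svchost.exe or shdocvw.exe outside System32/SysWOW64 is the
#    strongest single indicator.
$DropDir = 'C:\Program Files (x86)\F53304'
$DropNames = @('shdocvw.exe', 'svchost.exe', 'svchost.exe.manifest', 'svchost.ini',
               'Svchost.lst', 'svchost.log', 'updater.exe', 'runer.bat', 'lst.txt',
               'version.txt', 'Plugins\Uploading.plg')
if (Test-Path -LiteralPath $DropDir) {
    $Findings.Add("Drop directory present: $DropDir")
    foreach ($Name in $DropNames) {
        $Path = Join-Path $DropDir $Name
        if (Test-Path -LiteralPath $Path) {
            $Hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
            $Verdict = if ($KnownSha256 -contains $Hash) { 'matches a report hash' } else { 'hash not in report' }
            $Findings.Add("Dropped file: $Path  sha256=$Hash  ($Verdict)")
        }
    }
}

# 3. Live processes whose image is inside the drop directory (the report's
#    'svchost.exe /stealth' and its child, updater.exe, shdocvw.exe).
Get-CimInstance Win32_Process | Where-Object {
    $_.ExecutablePath -and $_.ExecutablePath -like "$DropDir\*"
} | ForEach-Object {
    $Findings.Add("Process: PID $($_.ProcessId) $($_.ExecutablePath) cmdline=[$($_.CommandLine)]")
}

if ($Findings.Count -eq 0) {
    Write-Output 'No indicators from this report found on this host.'
} else {
    $Findings | ForEach-Object { Write-Output $_ }
}
```

The script only reads; remediation (deleting the Run value in both registry views, stopping the processes, removing the directory) is deliberately left to the analyst so that evidence can be collected first. Because the drop directory and file names are fixed in this sample, a match on the directory alone is already high-confidence; the hash comparison mainly tells you whether the installed copy is the same build as the one analysed here.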
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 2KB
MD5: 9b832a7221a6ea972bd0279ef7f023a6
SHA1: d730b041f0f55a8203cd250454ec410fb9b10ac8
SHA256: f75a34a8859a42bd79eafd2975d316334cf88c78815692e232d663385d8d95ba
SHA512: 2315d037498f5a44e7f6124dcb7508294ca66a9900fdf7daeed67d87a6c9c05272bb68192dea057fb47f51b2465cc87b7a39d5b7759abd4bdae3fd46ec31016f
-
Filesize: 7KB
MD5: 5c75256ff15177fadac5c895c962b733
SHA1: e90e0c7a8be93e60dc3410157c38d7d3f732b88f
SHA256: 62f1c6afca91811f41c42ddb85464a4ddf0787793a079a68587c1a0f0b53c5d3
SHA512: f2c18915b819fe7d8362a1875a360e36402245eff7e3980f628b0c0a07194378a0c7096e14ffe111bbfe56b46f8cae9c2a1b7993eda08e997da308cd313bf9cb
-
Filesize: 35KB
MD5: b53aa2d38566d4e21c3c914c2aa650f6
SHA1: 2d1e2add2c7b0dcc5cb1cc124a4bece34854d11d
SHA256: 925deb907ac4b6988c3da7acd5a12456bd544d40327ba26d1841ce0d9d4ed1c4
SHA512: 35d3899d58c4cb8d66566903091a587a32c572bd86da48642b3405218624a2384d3360fc528aeb43f3b77ec1170b16c116be2bf49fe79a7608c59caf81f8c95a
-
Filesize: 156B
MD5: 4e8178e43142a785c4ce9e0a0f071e2e
SHA1: b6f6310db8bc31982116d91a3a94cca485b929e0
SHA256: 93a8384ccc63206556223808850ef24da47cecf6db9c9007a5d891003d9bd805
SHA512: ce04af05cfa6ec003d60c19a104c2b2fe85d54b2a8857211973d48defe6cb7b7d4a8767123aa23ef05717bc66cbbb7c4a3c25d81b81b97ac470e72cefede117b
-
Filesize: 960KB (the submitted sample itself; hashes match the General section)
MD5: a37e2dafe191e2b5032816242f442fee
SHA1: d71d8488eaf31ab93eefd44833f93a32c063f479
SHA256: a828fe824249c9965db6d964a6fbb701f148aada1b56d9a39b58129beb537371
SHA512: de25c76803ebd5296ed06fde3c648168da225150d5bf09766747beee0351b34ffb4e8832f333b46cda0b1ae426175565674e78d6838a6d874eaa748465cec094
-
Filesize: 535KB
MD5: 57c3d3cd8d2c2863ce09cd1f41836718
SHA1: 4ad095d123bc76f1082bbc66d20bb8836df712cd
SHA256: 3932741f0829f9756acd0ef8c549b6b0676f0f61293ea3ce91440370ca8f8dd4
SHA512: 380788dccd69b8261a47bfe0dc7498ab72e32ba614f534e50de64366c3a7627fcd04f49df590196ad19bb8e1b0d3bb5f1749f3da4029690e2363f1661ebd8f42
-
Filesize: 2KB
MD5: 27344e37729b1c50c8d3588bbf31aa66
SHA1: c67926b3ce609819e58cebd94b988d62cac1d27d
SHA256: bd8cf293f2029b692478bc4187f3a3d9dd29210631d66cd83e9d2c4498b165e8
SHA512: 16e94038b1b26f1908bc6d4d97a862384f3398c5a05127e3d98d91fcd7971f9aa85c0280250221a9e8f63671f9932b323fd899eca07be705aa9a3d481824d5c0
-
Filesize: 202KB
MD5: fc438aff60f8040bfee7713a4ea2fc5d
SHA1: 02104d5d1c56897fe1de0f63db35aa9094af533d
SHA256: 697bd104278f0bc1ae965a3fe415db2d19729ac15bc7f68e826401067537894c
SHA512: d2e55a0006e1f35e44124a6911c394849c59c6d4dd6e1dfaa3c9298589186465b88b394c406ab4150ae86d8a61f61329d4bf3879cc81323c19e152e9babe4f17