Analysis
max time kernel: 148s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17/08/2024, 17:18
Static task: static1
Behavioral task: behavioral1
  Sample: a36e54cd1cc3d386f74fa3c8ccdaa71b_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: a36e54cd1cc3d386f74fa3c8ccdaa71b_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: a36e54cd1cc3d386f74fa3c8ccdaa71b_JaffaCakes118.exe
Size: 77KB
MD5: a36e54cd1cc3d386f74fa3c8ccdaa71b
SHA1: 875819d86f5f6f3c086b63b32fc973e0b60f897d
SHA256: 5137432a6375cb9052c13df3eaf2a310a2a419f2a03b800f692d5102de38e0b4
SHA512: 88cc3970c2a682e39ab61597aa95bff9a38ee662daed10a0c63844060f6ba88ec952d088d9586c753d74620d24d8de6012a9b51459b09016bee8c7e00244501f
SSDEEP: 1536:E4j/n/LaHhf7P+ifYQBS0746W9N6Gjb7c2KXls20mRuYW8x+j:ljvjx3FKlluYWE+j
Malware Config
Signatures

Checks computer location settings  2 TTPs  1 IoCs
Looks up the country code configured in the registry, likely for geofencing.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | a36e54cd1cc3d386f74fa3c8ccdaa71b_JaffaCakes118.exe

Executes dropped EXE  1 IoCs
  pid | Process
  2524 | msiconf.exe

Adds Run key to start application  2 TTPs  1 IoCs
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msiexec.exe = "msiconf.exe" | a36e54cd1cc3d386f74fa3c8ccdaa71b_JaffaCakes118.exe

Indicator Removal: File Deletion  1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.

Drops file in System32 directory  2 IoCs
  description | ioc | Process
  File created | C:\Windows\SysWOW64\msiconf.exe | a36e54cd1cc3d386f74fa3c8ccdaa71b_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\msiconf.exe | msiconf.exe

Drops file in Windows directory  2 IoCs
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64 | a36e54cd1cc3d386f74fa3c8ccdaa71b_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64 | msiconf.exe

Enumerates physical storage devices  1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery  1 TTPs  6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a36e54cd1cc3d386f74fa3c8ccdaa71b_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiconf.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ielowutil.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Modifies Internet Explorer settings  26 IoCs
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{0835250E-5CBD-11EF-98CC-562BAB028465} = "0" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\MINIE | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\GPU | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{CB10F65A-5CBC-11EF-98CC-562BAB028465} = "0" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\MINIE | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | IEXPLORE.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Suspicious behavior: EnumeratesProcesses  2 IoCs
  pid | Process
  2524 | msiconf.exe
  2524 | msiconf.exe

Suspicious use of FindShellTrayWindow  5 IoCs
  pid | Process
  4924 | iexplore.exe
  2524 | msiconf.exe
  2524 | msiconf.exe
  2524 | msiconf.exe
  1056 | iexplore.exe

Suspicious use of SetWindowsHookEx  9 IoCs
  pid | Process
  4924 | iexplore.exe
  4924 | iexplore.exe
  4940 | IEXPLORE.EXE
  4940 | IEXPLORE.EXE
  2524 | msiconf.exe
  1056 | iexplore.exe
  1056 | iexplore.exe
  1136 | IEXPLORE.EXE
  1136 | IEXPLORE.EXE

Suspicious use of WriteProcessMemory  12 IoCs
  description | pid | Process | procid_target
  PID 1048 wrote to memory of 2524 | 1048 | a36e54cd1cc3d386f74fa3c8ccdaa71b_JaffaCakes118.exe | 84
  PID 1048 wrote to memory of 2524 | 1048 | a36e54cd1cc3d386f74fa3c8ccdaa71b_JaffaCakes118.exe | 84
  PID 1048 wrote to memory of 2524 | 1048 | a36e54cd1cc3d386f74fa3c8ccdaa71b_JaffaCakes118.exe | 84
  PID 1048 wrote to memory of 2196 | 1048 | a36e54cd1cc3d386f74fa3c8ccdaa71b_JaffaCakes118.exe | 85
  PID 1048 wrote to memory of 2196 | 1048 | a36e54cd1cc3d386f74fa3c8ccdaa71b_JaffaCakes118.exe | 85
  PID 1048 wrote to memory of 2196 | 1048 | a36e54cd1cc3d386f74fa3c8ccdaa71b_JaffaCakes118.exe | 85
  PID 4924 wrote to memory of 4940 | 4924 | iexplore.exe | 103
  PID 4924 wrote to memory of 4940 | 4924 | iexplore.exe | 103
  PID 4924 wrote to memory of 4940 | 4924 | iexplore.exe | 103
  PID 1056 wrote to memory of 1136 | 1056 | iexplore.exe | 117
  PID 1056 wrote to memory of 1136 | 1056 | iexplore.exe | 117
  PID 1056 wrote to memory of 1136 | 1056 | iexplore.exe | 117
Processes

C:\Users\Admin\AppData\Local\Temp\a36e54cd1cc3d386f74fa3c8ccdaa71b_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a36e54cd1cc3d386f74fa3c8ccdaa71b_JaffaCakes118.exe"
  PID: 1048
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\msiconf.exe
    Command line: C:\Windows\system32\msiconf.exe
    PID: 2524
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\A36E54~1.EXE >> nul
    PID: 2196
    - System Location Discovery: System Language Discovery

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
  Command line: "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
  PID: 2980
  - System Location Discovery: System Language Discovery

C:\Program Files\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
  PID: 4924
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4924 CREDAT:17410 /prefetch:2
    PID: 4940
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx

C:\Program Files\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
  PID: 1056
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1056 CREDAT:17410 /prefetch:2
    PID: 1136
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 14B
MD5: 7fdf22ea47b6439bff8c6577db2d5f2f
SHA1: 742940d7eabbf4ef6d6b2fd61750f14474d41f3b
SHA256: 9b7e80ae7887e2b78defc5d77d27d38e2420ecdb8581e1633194a99a8735fec0
SHA512: 49ad17bf2d37efb10e86993a771d6fc146be4dc6304fda0aceae45c6d11c72a1589756f4220cbca7e83ee04e7930129df00b1dfc53370dde01f9932ec78145d9

Filesize: 77KB
MD5: a36e54cd1cc3d386f74fa3c8ccdaa71b
SHA1: 875819d86f5f6f3c086b63b32fc973e0b60f897d
SHA256: 5137432a6375cb9052c13df3eaf2a310a2a419f2a03b800f692d5102de38e0b4
SHA512: 88cc3970c2a682e39ab61597aa95bff9a38ee662daed10a0c63844060f6ba88ec952d088d9586c753d74620d24d8de6012a9b51459b09016bee8c7e00244501f