Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
136s -
max time network
134s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
19/08/2024, 05:59
Static task
static1
Behavioral task
behavioral1
Sample
a9db6c03c9ddf1ca0308c40781c11f43_JaffaCakes118.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
a9db6c03c9ddf1ca0308c40781c11f43_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
a9db6c03c9ddf1ca0308c40781c11f43_JaffaCakes118.exe
-
Size
24KB
-
MD5
a9db6c03c9ddf1ca0308c40781c11f43
-
SHA1
68cf505a3e033a3b863fe52b16fea2cf6347aa16
-
SHA256
bf0b459c3c9d8a26636157fb8b9c693df0b75f7ded288ebafe8d6374853176fa
-
SHA512
86562dd907d42da3c422ab7230f298bab68fe35669e828782b97e66a2d23a07fc41906fdf4d780443c5f5803067f6dae4a21ed6081cb67234b022e47dcabb2bd
-
SSDEEP
192:teOtaGSJAeBqaVKwlf3e4gbZdH0dHRdHwdHPH1SdHB18GZCju11K7kvBPOnT3Uvb:MMGPVx3ehVqrmuJk2VvBR
Malware Config
Signatures
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 8 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe a9db6c03c9ddf1ca0308c40781c11f43_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "0" a9db6c03c9ddf1ca0308c40781c11f43_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe a9db6c03c9ddf1ca0308c40781c11f43_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "0" a9db6c03c9ddf1ca0308c40781c11f43_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe LSFPRN.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "0" LSFPRN.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe LSFPRN.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "0" LSFPRN.EXE -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation a9db6c03c9ddf1ca0308c40781c11f43_JaffaCakes118.exe Key value queried \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation LSFPRN.EXE -
Executes dropped EXE 1 IoCs
pid Process 2936 LSFPRN.EXE -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PrinterSecurityLayer = "C:\\Windows\\LSFPRN.EXE" a9db6c03c9ddf1ca0308c40781c11f43_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PrinterSecurityLayer = "C:\\Windows\\LSFPRN.EXE" LSFPRN.EXE -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\44upd.dll a9db6c03c9ddf1ca0308c40781c11f43_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\44upd.dll LSFPRN.EXE -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\LSFPRN.EXE a9db6c03c9ddf1ca0308c40781c11f43_JaffaCakes118.exe File created C:\Windows\iexplore.htm LSFPRN.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a9db6c03c9ddf1ca0308c40781c11f43_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSFPRN.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language iexplore.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" IEXPLORE.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe = "0" LSFPRN.EXE Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31126013" IEXPLORE.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Security\DisableSecuritySettingsCheck = "1" LSFPRN.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe = "0" a9db6c03c9ddf1ca0308c40781c11f43_JaffaCakes118.exe Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31126013" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing IEXPLORE.EXE Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\ a9db6c03c9ddf1ca0308c40781c11f43_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\ LSFPRN.EXE Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\IESettingSync IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Security\DisableSecuritySettingsCheck = "1" a9db6c03c9ddf1ca0308c40781c11f43_JaffaCakes118.exe Set value (int) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31126013" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30709751fdf1da01 IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 202b9c51fdf1da01 IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\GPU IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1354192763" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{7C444116-5DF0-11EF-AC6B-D20DFB866B4D} = "0" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1352004898" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1352004898" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" IEXPLORE.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Security\IEFileProtect = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a9db6c03c9ddf1ca0308c40781c11f43_JaffaCakes118.exe" a9db6c03c9ddf1ca0308c40781c11f43_JaffaCakes118.exe Set value (int) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ea125702b7698d479b1c3c8e0190d45f00000000020000000000106600000001000020000000fb11abe768b8685ca61651c9d3d190fcefcd612bde20b57ed4e9c4bce50da1e4000000000e8000000002000020000000ef4bb44c2e90fba7b8c15c48ee7c329287d7059bec74c1f0135af0f23fab897020000000c63d00f4b7f0facaf2dfe23f070c99d7a46c4002558a2af94775e9767383852940000000c3e8b62db3141d31f1750307f478365f888de86efc388f1308ef5420cb2aebae9501a38d28e20a58c0a829ed461addac7a1caff073389d0c0dd12626cedf4c8f IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ea125702b7698d479b1c3c8e0190d45f00000000020000000000106600000001000020000000ca3117de70c4b1c633a3b60e8febb852758e8247add7f9ea0cabb0cd1ba10103000000000e8000000002000020000000e109ae8baf2da59d3d90b3fbcdc1cfe718f69494f6f020f64a580991845fae2d200000002744d92b09a89da63e4939b76142ab6941d5fd870dcbdf2fcadfcbaf898ec9a7400000005ef18a59be94da04b54a4b92af36837de3122d4a74c8f64835ba4dd318ac3d56a9f6d48fb09bb175b186e5e025d241064f3f318aa06795725c93d58d1a306b79 IEXPLORE.EXE Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Security a9db6c03c9ddf1ca0308c40781c11f43_JaffaCakes118.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2340 IEXPLORE.EXE -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 2340 IEXPLORE.EXE 2340 IEXPLORE.EXE 916 IEXPLORE.EXE 916 IEXPLORE.EXE 916 IEXPLORE.EXE 916 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 4616 wrote to memory of 2936 4616 a9db6c03c9ddf1ca0308c40781c11f43_JaffaCakes118.exe 87 PID 4616 wrote to memory of 2936 4616 a9db6c03c9ddf1ca0308c40781c11f43_JaffaCakes118.exe 87 PID 4616 wrote to memory of 2936 4616 a9db6c03c9ddf1ca0308c40781c11f43_JaffaCakes118.exe 87 PID 2936 wrote to memory of 116 2936 LSFPRN.EXE 106 PID 2936 wrote to memory of 116 2936 LSFPRN.EXE 106 PID 2936 wrote to memory of 116 2936 LSFPRN.EXE 106 PID 116 wrote to memory of 2340 116 iexplore.exe 107 PID 116 wrote to memory of 2340 116 iexplore.exe 107 PID 2340 wrote to memory of 916 2340 IEXPLORE.EXE 108 PID 2340 wrote to memory of 916 2340 IEXPLORE.EXE 108 PID 2340 wrote to memory of 916 2340 IEXPLORE.EXE 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\a9db6c03c9ddf1ca0308c40781c11f43_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a9db6c03c9ddf1ca0308c40781c11f43_JaffaCakes118.exe"1⤵
- Event Triggered Execution: Image File Execution Options Injection
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:4616 -
C:\Windows\LSFPRN.EXE"C:\Windows\LSFPRN.EXE"2⤵
- Event Triggered Execution: Image File Execution Options Injection
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe" C:\Windows\iexplore.htm3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:116 -
C:\Program Files\Internet Explorer\IEXPLORE.EXE"C:\Program Files\Internet Explorer\IEXPLORE.EXE" C:\Windows\iexplore.htm4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2340 CREDAT:17410 /prefetch:25⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:916
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Image File Execution Options Injection
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Image File Execution Options Injection
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
24KB
MD5a9db6c03c9ddf1ca0308c40781c11f43
SHA168cf505a3e033a3b863fe52b16fea2cf6347aa16
SHA256bf0b459c3c9d8a26636157fb8b9c693df0b75f7ded288ebafe8d6374853176fa
SHA51286562dd907d42da3c422ab7230f298bab68fe35669e828782b97e66a2d23a07fc41906fdf4d780443c5f5803067f6dae4a21ed6081cb67234b022e47dcabb2bd
-
Filesize
256B
MD57fc27f0eb3c1ab6ef579f4ef0ac12774
SHA1d04c43eb42a01467e1bb8996de0160e959d50079
SHA256a0aca3e8c478cbe4fd866047007bab97099b03512841c67fd139df62e47d6f02
SHA512c7706b6ea625da5aa968f4be791127e1faea3a00f458052210158d685666241bc15175b55d14f569493026e7cdb8c36d0892e284e426125e45c9b77abed89379
-
Filesize
1KB
MD51d47e608ba041a2325a1eab479180bf4
SHA17316d2d1a0fc1ccd6d1d4530db63ca55167c16c0
SHA256843ad1039e884b2dc398b7db77ea920e7853b8490bf2960dbf14882729435899
SHA5123fae7d2409d8a2cad5f0370ac93a373d874d5a83d9692fb10012e4d587f9e77c1c25cfc55a2b18d39308ca734b385abe48f28411aa197126b8ed4b6264b35e15