Analysis
- max time kernel: 138s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19/08/2024, 18:57
Behavioral task: behavioral1
- Sample: ac2e9486891a355bd82a7b42ae2d2698_JaffaCakes118.exe
- Resource: win7-20240708-en
General
- Target: ac2e9486891a355bd82a7b42ae2d2698_JaffaCakes118.exe
- Size: 3.9MB
- MD5: ac2e9486891a355bd82a7b42ae2d2698
- SHA1: 93b992060c5e403fd0f7149cf7a0ff3471c5655e
- SHA256: 3d3cc1262b59e26741cb5b211ed8a4ab4c72fd84807d3b7644cace87212f6a6d
- SHA512: 63bdf6e28f9b745f83b2c744c177b72b4ac81888ff55a62d52fb511d421a0dba9805110681bc7d97b87e5613ffb2df461446e0c4ac66800ac12d466bfb8007e2
- SSDEEP: 98304:MaupM4eGzNn9OEa3aHJEu9Vj214BkilaVGre+gDvFxHJEu9Vj214BkilnNkUu+lb:+pM4eGhQVqphXNl4aGbphXNlNdu+X0XC
Malware Config
Signatures
- Deletes itself (1 IoCs)
  pid   Process
  4600  ac2e9486891a355bd82a7b42ae2d2698_JaffaCakes118.exe
- Executes dropped EXE (1 IoCs)
  pid   Process
  4600  ac2e9486891a355bd82a7b42ae2d2698_JaffaCakes118.exe
- resource                                                                     yara_rule
  behavioral2/memory/3376-0-0x0000000000400000-0x000000000065C000-memory.dmp   upx
  behavioral2/files/0x000800000002342e-12.dat                                  upx
  behavioral2/memory/4600-14-0x0000000000400000-0x000000000065C000-memory.dmp  upx
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 1 IoCs)
  flow  ioc
  15    pastebin.com
- Program crash (19 IoCs)
  pid   pid_target  Process       procid_target
  4580  4600        WerFault.exe  87
  4596  4600        WerFault.exe  87
  1644  4600        WerFault.exe  87
  3432  4600        WerFault.exe  87
  2956  4600        WerFault.exe  87
  3516  4600        WerFault.exe  87
  5052  4600        WerFault.exe  87
  3156  4600        WerFault.exe  87
  464   4600        WerFault.exe  87
  2612  4600        WerFault.exe  87
  4656  4600        WerFault.exe  87
  752   4600        WerFault.exe  87
  2236  4600        WerFault.exe  87
  2280  4600        WerFault.exe  87
  4596  4600        WerFault.exe  87
  3612  4600        WerFault.exe  87
  5008  4600        WerFault.exe  87
  4036  4600        WerFault.exe  87
  4352  4600        WerFault.exe  87
- System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ac2e9486891a355bd82a7b42ae2d2698_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ac2e9486891a355bd82a7b42ae2d2698_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
- Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  2600  schtasks.exe
- Suspicious behavior: RenamesItself (1 IoCs)
  pid   Process
  3376  ac2e9486891a355bd82a7b42ae2d2698_JaffaCakes118.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid   Process
  3376  ac2e9486891a355bd82a7b42ae2d2698_JaffaCakes118.exe
  4600  ac2e9486891a355bd82a7b42ae2d2698_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid   Process                                             procid_target
  PID 3376 wrote to memory of 4600  3376  ac2e9486891a355bd82a7b42ae2d2698_JaffaCakes118.exe  87
  PID 3376 wrote to memory of 4600  3376  ac2e9486891a355bd82a7b42ae2d2698_JaffaCakes118.exe  87
  PID 3376 wrote to memory of 4600  3376  ac2e9486891a355bd82a7b42ae2d2698_JaffaCakes118.exe  87
  PID 4600 wrote to memory of 2600  4600  ac2e9486891a355bd82a7b42ae2d2698_JaffaCakes118.exe  88
  PID 4600 wrote to memory of 2600  4600  ac2e9486891a355bd82a7b42ae2d2698_JaffaCakes118.exe  88
  PID 4600 wrote to memory of 2600  4600  ac2e9486891a355bd82a7b42ae2d2698_JaffaCakes118.exe  88
  PID 4600 wrote to memory of 3804  4600  ac2e9486891a355bd82a7b42ae2d2698_JaffaCakes118.exe  91
  PID 4600 wrote to memory of 3804  4600  ac2e9486891a355bd82a7b42ae2d2698_JaffaCakes118.exe  91
  PID 4600 wrote to memory of 3804  4600  ac2e9486891a355bd82a7b42ae2d2698_JaffaCakes118.exe  91
  PID 3804 wrote to memory of 3508  3804  cmd.exe                                             93
  PID 3804 wrote to memory of 3508  3804  cmd.exe                                             93
  PID 3804 wrote to memory of 3508  3804  cmd.exe                                             93
Processes
- C:\Users\Admin\AppData\Local\Temp\ac2e9486891a355bd82a7b42ae2d2698_JaffaCakes118.exe (depth 1, PID 3376)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ac2e9486891a355bd82a7b42ae2d2698_JaffaCakes118.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ac2e9486891a355bd82a7b42ae2d2698_JaffaCakes118.exe (depth 2, PID 4600)
    Command line: C:\Users\Admin\AppData\Local\Temp\ac2e9486891a355bd82a7b42ae2d2698_JaffaCakes118.exe
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (depth 3, PID 2600)
      Command line: schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\ac2e9486891a355bd82a7b42ae2d2698_JaffaCakes118.exe" /TN RYTvY5fia886 /F
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task
    - C:\Windows\SysWOW64\cmd.exe (depth 3, PID 3804)
      Command line: cmd.exe /c schtasks.exe /Query /XML /TN RYTvY5fia886 > C:\Users\Admin\AppData\Local\Temp\nvVRz.xml
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\schtasks.exe (depth 4, PID 3508)
        Command line: schtasks.exe /Query /XML /TN RYTvY5fia886
        - System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\WerFault.exe (depth 3, Program crash), one child per crash of PID 4600:
      PID   Command line
      4580  C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 608
      4596  C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 632
      1644  C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 640
      3432  C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 716
      2956  C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 740
      3516  C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 796
      5052  C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 1468
      3156  C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 1532
      464   C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 1744
      2612  C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 1544
      4656  C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 1512
      752   C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 1572
      2236  C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 1568
      2280  C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 1776
      4596  C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 1528
      3612  C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 1828
      5008  C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 1460
      4036  C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 1600
      4352  C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 560
- C:\Windows\SysWOW64\WerFault.exe (depth 1), one top-level process per crash report of PID 4600:
  PID   Command line
  4068  C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4600 -ip 4600
  1264  C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4600 -ip 4600
  2468  C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4600 -ip 4600
  1640  C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4600 -ip 4600
  3548  C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4600 -ip 4600
  3184  C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4600 -ip 4600
  1164  C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4600 -ip 4600
  4308  C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4600 -ip 4600
  3316  C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4600 -ip 4600
  2132  C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4600 -ip 4600
  3508  C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4600 -ip 4600
  4292  C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4600 -ip 4600
  748   C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4600 -ip 4600
  1532  C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4600 -ip 4600
  3736  C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4600 -ip 4600
  784   C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4600 -ip 4600
  4516  C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4600 -ip 4600
  4292  C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4600 -ip 4600
  4884  C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4600 -ip 4600
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.9MB
  MD5: d66a9b3062e07c2104506fa31fddd8d0
  SHA1: 38aca82e930096ebed93581762a53a6bd4455ea4
  SHA256: 5a677607f7ca399d2cf643456ea93c7f494add2cdcf6747386fda3fcfa33da21
  SHA512: e895d3ccb15ed47484fbeaf2246e411855618f03956175c871d0f6ba0e3ec4580c13fe7294c0c4a934092476ce271ad5274eccf9ba1487ef6141834ea8c76a70
- Filesize: 1KB
  MD5: d52b7793f599bd9978868cea0fca2fc8
  SHA1: 5d059e5d6dd11a0f25b59dd071f30bf32deb3896
  SHA256: c1f75e78b350c43e388b74d3a5d48e998e435b2a238bd050cdde655780b839a9
  SHA512: 6050c5c87b2d07a7d624f770997c874561d018ae5e182b75fe8ce087676f7090897c34acdaca58383124f45cb405130312a483a13193faaaa48bf7d48a82ac44