Analysis
- max time kernel: 138s
- max time network: 132s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22/08/2024, 00:11
Static task: static1
Behavioral task: behavioral1
  Sample: b596f3053aa0ee17ac014f793f986f76_JaffaCakes118.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: b596f3053aa0ee17ac014f793f986f76_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
- Target: b596f3053aa0ee17ac014f793f986f76_JaffaCakes118.exe
- Size: 364KB
- MD5: b596f3053aa0ee17ac014f793f986f76
- SHA1: 950c7f8f7b9c906d7e894243bce7973a1f26bbd4
- SHA256: fa7b9285252fa6eb2d426c5d26ec79993ba08f2aeb30b919c806d2a73251e3f1
- SHA512: 610ebf5920c07d350b06cba4d348479ea34ad277864df03c8c0bb43d3a3af0394028eaa92ec0f3991511fc4140576f6ccf01b3200dd5a189e92edcb847476fb3
- SSDEEP: 6144:Kyxa+dYaWA5sjXjsXumqkzcwvgXbqzTtEk/reQpvsdf7Mzjtt6bq2EHkcwoVERU:TxzvG0Skz5vZfakLvsdf6zAxRU
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  pid 3236  Process: b596f3053aa0ee17ac014f793f986f76_JaffaCakes118.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str)  \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows defender1 = "C:\\Users\\Admin\\AppData\\Roaming\\windows defender1\\windows defender1.exe"  Process: b596f3053aa0ee17ac014f793f986f76_JaffaCakes118.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\windows defender1 = "C:\\Users\\Admin\\AppData\\Roaming\\windows defender1\\windows defender1.exe"  Process: b596f3053aa0ee17ac014f793f986f76_JaffaCakes118.exe
- Suspicious use of SetThreadContext (1 IoCs)
  PID 4564 set thread context of 3236  Process: b596f3053aa0ee17ac014f793f986f76_JaffaCakes118.exe  procid_target 90
- Program crash (1 IoCs)
  pid 2508  pid_target 3236  Process: WerFault.exe  procid_target 90
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: b596f3053aa0ee17ac014f793f986f76_JaffaCakes118.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: csc.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: cvtres.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Token: SeDebugPrivilege  pid 4564  Process: b596f3053aa0ee17ac014f793f986f76_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  PID 4564 wrote to memory of 3768  Process: b596f3053aa0ee17ac014f793f986f76_JaffaCakes118.exe  procid_target 86
  PID 4564 wrote to memory of 3768  Process: b596f3053aa0ee17ac014f793f986f76_JaffaCakes118.exe  procid_target 86
  PID 4564 wrote to memory of 3768  Process: b596f3053aa0ee17ac014f793f986f76_JaffaCakes118.exe  procid_target 86
  PID 3768 wrote to memory of 3564  Process: csc.exe  procid_target 89
  PID 3768 wrote to memory of 3564  Process: csc.exe  procid_target 89
  PID 3768 wrote to memory of 3564  Process: csc.exe  procid_target 89
  PID 4564 wrote to memory of 3236  Process: b596f3053aa0ee17ac014f793f986f76_JaffaCakes118.exe  procid_target 90
  PID 4564 wrote to memory of 3236  Process: b596f3053aa0ee17ac014f793f986f76_JaffaCakes118.exe  procid_target 90
  PID 4564 wrote to memory of 3236  Process: b596f3053aa0ee17ac014f793f986f76_JaffaCakes118.exe  procid_target 90
  PID 4564 wrote to memory of 3236  Process: b596f3053aa0ee17ac014f793f986f76_JaffaCakes118.exe  procid_target 90
Processes
- "C:\Users\Admin\AppData\Local\Temp\b596f3053aa0ee17ac014f793f986f76_JaffaCakes118.exe"  (PID 4564)
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dgv3punb.cmdline"  (PID 3768)
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9ED1.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9ED0.tmp"  (PID 3564)
      - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Roaming\b596f3053aa0ee17ac014f793f986f76_JaffaCakes118.exe  (PID 3236)
    - Executes dropped EXE
    - C:\Windows\SysWOW64\WerFault.exe -u -p 3236 -s 12  (PID 2508)
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3236 -ip 3236  (PID 4496)
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 5203bdbe46468eb0040bc949aa7c6cb6
  SHA1: 92d9f48f15e020ac1b52abb0099b84a329741b81
  SHA256: 0152fae89a9ae83f46cf076d728e77b026bfca618b582d507e3ea345d8b86f2a
  SHA512: 57516fdabeb87bfcaf10213282a3376785b600552fb7fee55198d67bc3f27d1ac18a2080963dd0842a2d192778aec9156cd054aa5b3026a54c46d8d2cf29c235
- Filesize: 5KB
  MD5: ce23297781b2572f84c10b626687e45c
  SHA1: 8dad37ebc8e112e61d03d90f09b58528b08619b3
  SHA256: bea66af03a79492c54431d280ac0aa67b91b57d5dd88bd0b62c1ccccfe7a8bbb
  SHA512: bab6645ce17d60d948087c6c7ec7495de09e6380278fa4fdc3fb575df79a7591169849c44dd9bcff84a8e1d0a69cc8db228a27f1517334cbe5aad7e623cb1a58
- Filesize: 6KB
  MD5: d89fdbb4172cee2b2f41033e62c677d6
  SHA1: c1917b579551f0915f1a0a8e8e3c7a6809284e6b
  SHA256: 2cbdc0ddc7901a9b89615cc338f63e1800f864db431e7a7a85749f73cba0b383
  SHA512: 48941f08ae00d342b52e3255b99ce36abb4e46a48075a760869bc86b1a32c0737eb2bd5e43d5ee665303ab134282f9732738755c4027043ed2d4f414faab63ed
- Filesize: 652B
  MD5: c98a4e4ca4f5a16bf124dacea36d4f59
  SHA1: dbc8bc9b177f7c47ac52430e5991bac5eb33916f
  SHA256: 17db58c7a7c7e765566808a6d10a6c09172a5b6ecf307fc07a727be8a6703a1d
  SHA512: 765c4e71055a50cc53e6f85e13cd9318c4869e0495af22c9dcce861bbaaa641849d9f022ea153e38d2425d0d38915ff074f4b1aadf030a4495929e16dc804bde
- Filesize: 5KB
  MD5: cb25540570735d26bf391e8b54579396
  SHA1: 135651d49409214d21348bb879f7973384a7a8cb
  SHA256: 922ec415710a6e1465ed8553838ddf19c8deb32b75da6dfaca372c1067d2d743
  SHA512: 553ce9d3647b196ccbd6612c06d301afac992130ec5c80fe8fa8a42bab4250053fad651227ff97d9fab4ba8aaff562d421236dc0b2b5d0d4a17430985dd07080
- Filesize: 206B
  MD5: 697aad8ac3ecfa1cb0ca8c5247ae7c3b
  SHA1: 70ccc253297f3cb0f1fbba0b99703ef4d8ac142f
  SHA256: a824b78f46e4e49777066251390204aadd3943b165221f0c4f79c56840730d88
  SHA512: aee2d88a04176fc559e7d310bf2f64b7a98fa4c8963c4a127e2581eab3b6b3c285eda6e92f4d96453fbcc18596ebbba6a32935339c40511a190342ab189f328f