Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22/08/2024, 11:26
Static task: static1
Behavioral task: behavioral1
- Sample: b7740b80e7e55c51122870c5b9bcc743_JaffaCakes118.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: b7740b80e7e55c51122870c5b9bcc743_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: b7740b80e7e55c51122870c5b9bcc743_JaffaCakes118.exe
- Size: 704KB
- MD5: b7740b80e7e55c51122870c5b9bcc743
- SHA1: 2047d1d0910dadfbc163f09192ffdb8bc8c1717e
- SHA256: 2c04ee4cb87e9e0997b7572c12d34281375947f56927b766bf4ac25775521aac
- SHA512: 98685f155e4ddf37bc49625b20fdc85a78f658b6ffd6300dc3ef3780e5171bde51e70ab2714e1b90972f2d4989661bf2af49a6b2e07fb13e1434bde6436c3414
- SSDEEP: 12288:6qEqoY9oQsxB5FAYxl4hskilwg84Qx5guzunXMKobsETrKjMU4xO7KjMU4xO:6ZqRPsvchskilwgiMnXMRsQKjYQKjY
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation | b7740b80e7e55c51122870c5b9bcc743_JaffaCakes118.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  1952 | ivfdc.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Qjc3NDBCODBFN0U1NUM1MT = "C:\\Users\\Admin\\ivfdc.exe" | ivfdc.exe
- Drops desktop.ini file(s) (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\assembly\Desktop.ini | b7740b80e7e55c51122870c5b9bcc743_JaffaCakes118.exe
  File opened for modification | C:\Windows\assembly\Desktop.ini | b7740b80e7e55c51122870c5b9bcc743_JaffaCakes118.exe
- Drops file in Windows directory (3 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\assembly | b7740b80e7e55c51122870c5b9bcc743_JaffaCakes118.exe
  File created | C:\Windows\assembly\Desktop.ini | b7740b80e7e55c51122870c5b9bcc743_JaffaCakes118.exe
  File opened for modification | C:\Windows\assembly\Desktop.ini | b7740b80e7e55c51122870c5b9bcc743_JaffaCakes118.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b7740b80e7e55c51122870c5b9bcc743_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ivfdc.exe
- Checks processor information in registry (2 TTPs, 4 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | b7740b80e7e55c51122870c5b9bcc743_JaffaCakes118.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | b7740b80e7e55c51122870c5b9bcc743_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | ivfdc.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | ivfdc.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  1952 | ivfdc.exe (the same entry is reported 64 times)
- Suspicious behavior: RenamesItself (1 IoC)
  pid | Process
  656 | b7740b80e7e55c51122870c5b9bcc743_JaffaCakes118.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 656 | b7740b80e7e55c51122870c5b9bcc743_JaffaCakes118.exe
  Token: SeDebugPrivilege | 1952 | ivfdc.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 656 wrote to memory of 1952 | 656 | b7740b80e7e55c51122870c5b9bcc743_JaffaCakes118.exe | 90
  PID 656 wrote to memory of 1952 | 656 | b7740b80e7e55c51122870c5b9bcc743_JaffaCakes118.exe | 90
  PID 656 wrote to memory of 1952 | 656 | b7740b80e7e55c51122870c5b9bcc743_JaffaCakes118.exe | 90
Processes
- C:\Users\Admin\AppData\Local\Temp\b7740b80e7e55c51122870c5b9bcc743_JaffaCakes118.exe (PID 656, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\b7740b80e7e55c51122870c5b9bcc743_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\ivfdc.exe (PID 1952, depth 2, child of PID 656)
    command line: "C:\Users\Admin\ivfdc.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 704KB
- MD5: b7740b80e7e55c51122870c5b9bcc743
- SHA1: 2047d1d0910dadfbc163f09192ffdb8bc8c1717e
- SHA256: 2c04ee4cb87e9e0997b7572c12d34281375947f56927b766bf4ac25775521aac
- SHA512: 98685f155e4ddf37bc49625b20fdc85a78f658b6ffd6300dc3ef3780e5171bde51e70ab2714e1b90972f2d4989661bf2af49a6b2e07fb13e1434bde6436c3414