Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/08/2024, 04:52
Static task: static1
Behavioral task: behavioral1
- Sample: bffbdcb242d02f3e06a42d4683c01333_JaffaCakes118.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: bffbdcb242d02f3e06a42d4683c01333_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: bffbdcb242d02f3e06a42d4683c01333_JaffaCakes118.exe
- Size: 58KB
- MD5: bffbdcb242d02f3e06a42d4683c01333
- SHA1: 73455874e31abd2f6691b3ddd548d3a98f459946
- SHA256: 22360041c4371f5fe11533c3ca81ab454efc98fc14701c5984fef08109fa4e4a
- SHA512: 7fa5d07284ce7b0b7254d1a8f8321678d5286fe24795c9897abbc6b69bbbc0921b81c039a636e6f226691d42143b8bc94dc7314a1daa5c53bdc5a3dcfb330333
- SSDEEP: 1536:mgugB5SgUYjArwb78oPqDVKpVTwmBLJnMmecFnC9q:mguWYdrwbxPaKp9wmBLJnMdkmq
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation (process: bffbdcb242d02f3e06a42d4683c01333_JaffaCakes118.exe)
- Executes dropped EXE (1 IoC)
  PID 3240: 9129837.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ttool = "C:\\Windows\\9129837.exe" (process: bffbdcb242d02f3e06a42d4683c01333_JaffaCakes118.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ttool = "C:\\Windows\\9129837.exe" (process: 9129837.exe)
- Drops file in Windows directory (3 IoCs)
  File created: C:\Windows\9129837.exe (process: bffbdcb242d02f3e06a42d4683c01333_JaffaCakes118.exe)
  File opened for modification: C:\Windows\9129837.exe (process: bffbdcb242d02f3e06a42d4683c01333_JaffaCakes118.exe)
  File created: C:\Windows\new_drv.sys (process: 9129837.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: bffbdcb242d02f3e06a42d4683c01333_JaffaCakes118.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 9129837.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cmd.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 3240: 9129837.exe
  PID 3240: 9129837.exe
- Suspicious behavior: LoadsDriver (1 IoC)
  PID 660: Process not Found
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 4076: bffbdcb242d02f3e06a42d4683c01333_JaffaCakes118.exe
  Token: SeDebugPrivilege, PID 3240: 9129837.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Each entry gives the PID, the image path and, after the bar, the command line; indentation shows the parent/child depth.
- PID 612: C:\Windows\system32\winlogon.exe | winlogon.exe
  - PID 784: C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe"
  - PID 376: C:\Windows\system32\dwm.exe | "dwm.exe"
- PID 672: C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe
- PID 792: C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe"
- PID 804: C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p
  - PID 2600: C:\Windows\system32\wbem\unsecapp.exe | C:\Windows\system32\wbem\unsecapp.exe -Embedding
  - PID 3872: C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  - PID 3964: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  - PID 4028: C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
  - PID 704: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  - PID 3796: C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
  - PID 3720: C:\Windows\system32\SppExtComObj.exe | C:\Windows\system32\SppExtComObj.exe -Embedding
  - PID 4088: C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
  - PID 1500: C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  - PID 464: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  - PID 3864: C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
  - PID 3032: C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
  - PID 3576: C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
- PID 916: C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k RPCSS -p
- PID 968: C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
- PID 516: C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
- PID 932: C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
- PID 1096: C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
- PID 1104: C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
  - PID 2804: C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- PID 1128: C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
- PID 1160: C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
- PID 1168: C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
- PID 1180: C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
- PID 1268: C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
- PID 1316: C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
  - PID 2688: C:\Windows\system32\sihost.exe | sihost.exe
- PID 1424: C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
- PID 1460: C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
- PID 1568: C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
- PID 1576: C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
- PID 1636: C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
- PID 1716: C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
- PID 1752: C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
- PID 1764: C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
- PID 1864: C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
- PID 2000: C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
- PID 2008: C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
- PID 2028: C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
- PID 1672: C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
- PID 1800: C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
- PID 2132: C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe
- PID 2156: C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
- PID 2216: C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
- PID 2372: C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
- PID 2544: C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
- PID 2548: C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
- PID 2672: C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- PID 2784: C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
- PID 2856: C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
- PID 2872: C:\Windows\sysmon.exe | C:\Windows\sysmon.exe
- PID 2896: C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
- PID 2904: C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
- PID 2960: C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
- PID 3464: C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
- PID 3552: C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE
  - PID 4076: C:\Users\Admin\AppData\Local\Temp\bffbdcb242d02f3e06a42d4683c01333_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\bffbdcb242d02f3e06a42d4683c01333_JaffaCakes118.exe"
    Signatures: Checks computer location settings; Adds Run key to start application; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - PID 3240: C:\Windows\9129837.exe | "C:\Windows\9129837.exe"
      Signatures: Executes dropped EXE; Adds Run key to start application; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - PID 3936: C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\abcdefg.bat" "C:\Users\Admin\AppData\Local\Temp\bffbdcb242d02f3e06a42d4683c01333_JaffaCakes118.exe""
      Signatures: System Location Discovery: System Language Discovery
      - PID 4760: C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- PID 3688: C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- PID 1028: C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
- PID 4120: C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
- PID 2940: C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
- PID 1948: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
- PID 3788: C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
- PID 4912: C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
- PID 3360: C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
- PID 4752: C:\Windows\system32\WerFault.exe | "C:\Windows\system32\WerFault.exe" -k -lc NDIS NDIS-20240825-0453.dmp
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 80B
  MD5: 3c2c2719c39678a7ef5013eb16b6f6ef
  SHA1: 323dfea7b524e2781dc2a4584a72a22981eee9a0
  SHA256: 9356b2010f4fca9a15ea990821154c5b8a87ffe472741ad089d08c746df218d5
  SHA512: 47174f9a28ab1309b31c71b11742c0d055a3319e485a44d62452a58fc4af67740d8342552862977b51e79da562f90d92d1b9c9dbbb14e7f2369cbe67133ba71c
- Filesize: 58KB
  MD5: bffbdcb242d02f3e06a42d4683c01333
  SHA1: 73455874e31abd2f6691b3ddd548d3a98f459946
  SHA256: 22360041c4371f5fe11533c3ca81ab454efc98fc14701c5984fef08109fa4e4a
  SHA512: 7fa5d07284ce7b0b7254d1a8f8321678d5286fe24795c9897abbc6b69bbbc0921b81c039a636e6f226691d42143b8bc94dc7314a1daa5c53bdc5a3dcfb330333