Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/08/2024, 22:06
Static task: static1
Behavioral task: behavioral1
  Sample: c7bb72d4945c3d45c908e3f4ebd61b9a_JaffaCakes118.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: c7bb72d4945c3d45c908e3f4ebd61b9a_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: c7bb72d4945c3d45c908e3f4ebd61b9a_JaffaCakes118.exe
Size: 26KB
MD5: c7bb72d4945c3d45c908e3f4ebd61b9a
SHA1: 6a05822ab93a5c6528ae606c64c585b51318e0d7
SHA256: ae65b4b0331cd211d405f4fc23305da7003f587e8b0881a5ba2cbd7d54f89ed2
SHA512: 6dcc01e026f0e82089a4334e0447a028a997b543c63e61eb1c969d9b2bec7e1a92f2fc27a51ec7f0caebd76f7d442d91f44baaba6ab749979b8c5ac57ba6c030
SSDEEP: 768:Hoz+YMpjNqAPA0qd5mx/qSloSTi/pu30AYmmAb3le:HozxENbpNdqSlbTi/Khs
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation  (c7bb72d4945c3d45c908e3f4ebd61b9a_JaffaCakes118.exe)

Executes dropped EXE (1 IoC)
  PID 1364  9129837.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ttool = "C:\\Windows\\9129837.exe"  (c7bb72d4945c3d45c908e3f4ebd61b9a_JaffaCakes118.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ttool = "C:\\Windows\\9129837.exe"  (9129837.exe)

Drops file in Windows directory (3 IoCs)
  File created: C:\Windows\9129837.exe  (c7bb72d4945c3d45c908e3f4ebd61b9a_JaffaCakes118.exe)
  File opened for modification: C:\Windows\9129837.exe  (c7bb72d4945c3d45c908e3f4ebd61b9a_JaffaCakes118.exe)
  File created: C:\Windows\new_drv.sys  (9129837.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (c7bb72d4945c3d45c908e3f4ebd61b9a_JaffaCakes118.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (9129837.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (cmd.exe)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 1364  9129837.exe
  PID 1364  9129837.exe

Suspicious behavior: LoadsDriver (1 IoC)
  PID 680  Process not Found

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  PID 5080  c7bb72d4945c3d45c908e3f4ebd61b9a_JaffaCakes118.exe
  Token: SeDebugPrivilege  PID 1364  9129837.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Each entry is "source PID wrote to memory of target PID"; the number in parentheses is the report's procid_target for that target.
  PID 5080 (c7bb72d4945c3d45c908e3f4ebd61b9a_JaffaCakes118.exe) wrote to memory of PID 1364 (84), recorded three times
  PID 5080 (c7bb72d4945c3d45c908e3f4ebd61b9a_JaffaCakes118.exe) wrote to memory of PID 4464 (85), recorded three times
  PID 1364 (9129837.exe) wrote to memory of PIDs
    636 (5), 696 (7), 808 (8), 812 (9), 824 (10), 932 (11), 976 (12), 412 (13), 760 (14), 1020 (15),
    780 (16), 1148 (17), 1156 (18), 1164 (19), 1176 (20), 1248 (21), 1304 (22), 1368 (23), 1420 (24), 1436 (25),
    1608 (26), 1616 (27), 1640 (28), 1728 (29), 1768 (30), 1776 (31), 1848 (32), 1964 (33), 1972 (34), 1984 (35),
    1676 (36), 2072 (37), 2096 (38), 2148 (39), 2232 (40), 2344 (41), 2488 (42), 2496 (43), 2600 (44), 2660 (45),
    2780 (46), 2812 (47), 2856 (48), 2868 (49), 2876 (50), 2896 (51), 2912 (52), 3120 (53), 3460 (55), 3580 (56),
    3696 (57), 3892 (58), 3984 (59), 4044 (60), 704 (61), 4200 (62), 4860 (65), 1108 (66)
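The two findings above that matter most for triage are mechanical to correlate: a Run key whose value points at a file this same run dropped, and a single process writing into nearly every other process on the box (PID 1364 writes into winlogon.exe, lsass.exe, every svchost.exe and Explorer.EXE, which together with EnumeratesProcesses is the footprint of a process-walking injector). The script below is an added example, not part of the original report and not tria.ge code. It parses IoC lines in the report's own flattened format and applies both rules. The IoC lines and PID map are constructed from this report (the memory-write list is abbreviated); the PROTECTED set and the fan-out threshold of five distinct targets are the author's choices, not values from the report.

```python
"""Correlate IoC lines from a tria.ge behavioural report.

Added example; not part of the original report and not tria.ge code.
Two checks a triager would want automated:
  1. a Run key whose value points at a file the same run dropped;
  2. one process writing into many other processes (mass injection),
     naming any protected system processes among the targets.
The IoC lines and PID map are constructed from the report's Signatures
and Processes sections; the memory-write list is abbreviated.
"""
import re
from collections import defaultdict

# PID -> image name, taken from the report's process tree (subset).
PROCESSES = {
    5080: "c7bb72d4945c3d45c908e3f4ebd61b9a_JaffaCakes118.exe",
    1364: "9129837.exe",
    4464: "cmd.exe",
    636: "winlogon.exe",
    696: "lsass.exe",
    808: "fontdrvhost.exe",
    824: "svchost.exe",
    2868: "sysmon.exe",
    3580: "Explorer.EXE",
}

# Constructed sample in the report's flattened IoC format; the raw string
# keeps backslashes exactly as the report prints them.
IOC_LINES = r"""
Set value (str) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ttool = "C:\\Windows\\9129837.exe" c7bb72d4945c3d45c908e3f4ebd61b9a_JaffaCakes118.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ttool = "C:\\Windows\\9129837.exe" 9129837.exe
File created C:\Windows\9129837.exe c7bb72d4945c3d45c908e3f4ebd61b9a_JaffaCakes118.exe
File opened for modification C:\Windows\9129837.exe c7bb72d4945c3d45c908e3f4ebd61b9a_JaffaCakes118.exe
File created C:\Windows\new_drv.sys 9129837.exe
PID 5080 wrote to memory of 1364 5080 c7bb72d4945c3d45c908e3f4ebd61b9a_JaffaCakes118.exe 84
PID 5080 wrote to memory of 1364 5080 c7bb72d4945c3d45c908e3f4ebd61b9a_JaffaCakes118.exe 84
PID 5080 wrote to memory of 4464 5080 c7bb72d4945c3d45c908e3f4ebd61b9a_JaffaCakes118.exe 85
PID 1364 wrote to memory of 636 1364 9129837.exe 5
PID 1364 wrote to memory of 696 1364 9129837.exe 7
PID 1364 wrote to memory of 808 1364 9129837.exe 8
PID 1364 wrote to memory of 824 1364 9129837.exe 10
PID 1364 wrote to memory of 2868 1364 9129837.exe 49
PID 1364 wrote to memory of 3580 1364 9129837.exe 56
"""

RUN_KEY_RE = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\.+?\\Run\\(?P<name>[^\\ ]+)) = "(?P<value>[^"]*)" (?P<proc>\S+)$'
)
FILE_CREATED_RE = re.compile(r"^File created (?P<path>.+?) (?P<proc>\S+)$")
WRITE_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \d+ (?P<proc>\S+) (?P<idx>\d+)$"
)

# Author's assumption: processes a user-mode program has no benign reason to write into.
PROTECTED = {"winlogon.exe", "lsass.exe", "csrss.exe", "services.exe", "smss.exe"}


def parse(lines):
    """Turn flattened IoC lines into typed event dicts; lines of other kinds are skipped."""
    events = []
    for line in lines.splitlines():
        line = line.strip()
        if m := RUN_KEY_RE.match(line):
            # The report prints the string value with escaped backslashes; undo that.
            path = m["value"].replace("\\\\", "\\")
            events.append({"type": "runkey", "name": m["name"], "path": path, "proc": m["proc"]})
        elif m := FILE_CREATED_RE.match(line):
            events.append({"type": "created", "path": m["path"], "proc": m["proc"]})
        elif m := WRITE_RE.match(line):
            events.append({"type": "write", "src": int(m["src"]), "dst": int(m["dst"]), "proc": m["proc"]})
    return events


def persistence_to_dropped(events):
    """Run keys whose target path was created during this run (case-insensitive match)."""
    created = {e["path"].lower(): e["proc"] for e in events if e["type"] == "created"}
    hits = []
    for e in events:
        if e["type"] == "runkey" and e["path"].lower() in created:
            hits.append({"name": e["name"], "path": e["path"], "set_by": e["proc"],
                         "dropped_by": created[e["path"].lower()]})
    return hits


def injection_fanout(events, processes, threshold=5):
    """Sources that wrote into at least `threshold` distinct other PIDs, with protected targets named."""
    targets = defaultdict(set)
    for e in events:
        if e["type"] == "write" and e["src"] != e["dst"]:
            targets[e["src"]].add(e["dst"])
    findings = []
    for src, dsts in sorted(targets.items()):
        if len(dsts) < threshold:
            continue
        names = {processes.get(d, f"pid:{d}") for d in dsts}
        findings.append({"src": src, "image": processes.get(src, f"pid:{src}"),
                         "distinct_targets": len(dsts),
                         "protected": sorted(names & PROTECTED)})
    return findings


if __name__ == "__main__":
    evs = parse(IOC_LINES)
    for h in persistence_to_dropped(evs):
        print(f"[persistence] Run\\{h['name']} -> {h['path']} (set by {h['set_by']}, dropped by {h['dropped_by']})")
    for f in injection_fanout(evs, PROCESSES):
        print(f"[injection] PID {f['src']} {f['image']} wrote into {f['distinct_targets']} processes; protected: {f['protected']}")
```

On this report the persistence rule fires twice (both the dropper and 9129837.exe set Run\ttool to the dropped C:\Windows\9129837.exe), and the fan-out rule fires for PID 1364 only: PID 5080 writes into just two PIDs, its own children, which is also what a benign loader or a process-hollowing parent looks like, so the threshold deliberately leaves parent-to-child writes to other rules.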
Processes
Indented by process-tree depth; each line gives the PID and command line, with the image path in brackets where it differs from the command line.

PID 636  winlogon.exe  [C:\Windows\system32\winlogon.exe]
  PID 812  "fontdrvhost.exe"  [C:\Windows\system32\fontdrvhost.exe]
  PID 412  "dwm.exe"  [C:\Windows\system32\dwm.exe]
PID 696  C:\Windows\system32\lsass.exe
PID 808  "fontdrvhost.exe"  [C:\Windows\system32\fontdrvhost.exe]
PID 824  C:\Windows\system32\svchost.exe -k DcomLaunch -p
  PID 3120  C:\Windows\system32\wbem\unsecapp.exe -Embedding
  PID 3892  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID 3984  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  PID 4044  C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID 704  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID 4200  C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID 4512  C:\Windows\system32\SppExtComObj.exe -Embedding
  PID 3804  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID 4760  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  PID 3324  C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID 4028  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
  PID 4324  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
PID 932  C:\Windows\system32\svchost.exe -k RPCSS -p
PID 976  C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
PID 760  C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
PID 1020  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
PID 780  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
PID 1148  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
PID 1156  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
PID 1164  C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
  PID 2812  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}  [C:\Windows\system32\taskhostw.exe]
  PID 2960  C:\Windows\system32\MusNotification.exe
PID 1176  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
PID 1248  C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
PID 1304  C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
PID 1368  C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
PID 1420  C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
  PID 2600  sihost.exe  [C:\Windows\system32\sihost.exe]
PID 1436  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
PID 1608  C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
PID 1616  C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
PID 1640  C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
PID 1728  C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
PID 1768  C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
PID 1776  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
PID 1848  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
PID 1964  C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
PID 1972  C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
PID 1984  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
PID 1676  C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
PID 2072  C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
PID 2096  C:\Windows\System32\spoolsv.exe
PID 2148  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
PID 2232  C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
PID 2344  C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
PID 2488  C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
PID 2496  C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
PID 2660  C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
PID 2780  C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
PID 2856  C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
PID 2868  C:\Windows\sysmon.exe
PID 2876  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
PID 2896  C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
PID 2912  C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
PID 3460  C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
PID 3580  C:\Windows\Explorer.EXE
  PID 5080  "C:\Users\Admin\AppData\Local\Temp\c7bb72d4945c3d45c908e3f4ebd61b9a_JaffaCakes118.exe"
    - Checks computer location settings
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID 1364  "C:\Windows\9129837.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    PID 4464  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\abcdefg.bat" "C:\Users\Admin\AppData\Local\Temp\c7bb72d4945c3d45c908e3f4ebd61b9a_JaffaCakes118.exe""  [C:\Windows\SysWOW64\cmd.exe]
      - System Location Discovery: System Language Discovery
      PID 3632  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  [C:\Windows\System32\Conhost.exe]
PID 3696  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
PID 4860  C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
PID 1108  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
PID 2568  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
PID 2936  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
PID 2312  "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
PID 4660  C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
PID 832  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
PID 3492  "C:\Windows\system32\WerFault.exe" -k -lc NDIS NDIS-20240828-2207.dmp
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 80B
  MD5: 3c2c2719c39678a7ef5013eb16b6f6ef
  SHA1: 323dfea7b524e2781dc2a4584a72a22981eee9a0
  SHA256: 9356b2010f4fca9a15ea990821154c5b8a87ffe472741ad089d08c746df218d5
  SHA512: 47174f9a28ab1309b31c71b11742c0d055a3319e485a44d62452a58fc4af67740d8342552862977b51e79da562f90d92d1b9c9dbbb14e7f2369cbe67133ba71c
- Filesize: 26KB
  MD5: c7bb72d4945c3d45c908e3f4ebd61b9a
  SHA1: 6a05822ab93a5c6528ae606c64c585b51318e0d7
  SHA256: ae65b4b0331cd211d405f4fc23305da7003f587e8b0881a5ba2cbd7d54f89ed2
  SHA512: 6dcc01e026f0e82089a4334e0447a028a997b543c63e61eb1c969d9b2bec7e1a92f2fc27a51ec7f0caebd76f7d442d91f44baaba6ab749979b8c5ac57ba6c030