Analysis
max time kernel: 3s
max time network: 5s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/09/2024, 00:16
Behavioral task: behavioral1
Sample: cddd2be456bafd92c35be93a04ec9bcf_JaffaCakes118.exe
Resource: win7-20240729-en
Behavioral task: behavioral2
Sample: cddd2be456bafd92c35be93a04ec9bcf_JaffaCakes118.exe
Resource: win10v2004-20240802-en
General
Target: cddd2be456bafd92c35be93a04ec9bcf_JaffaCakes118.exe
Size: 55KB
MD5: cddd2be456bafd92c35be93a04ec9bcf
SHA1: bfdbd7fc32e484f9de68167e2c9eee1badeaecf2
SHA256: 19db486122397a33896897e249034c7f9fdf4e967c9aa2942b39c22927a076e4
SHA512: d40cdcee0797fb39c04c9417b0b71c1fadb3887ecd0fc7f0e7450269c3ed35d35649376c44cb07654e2530c1224348b51eac81cf71d3f4d407004ff1285295a7
SSDEEP: 1536:NPKDseV2udPipzVpQMHR3IW+bJ2qFtPj:c8udKpzVpQMHSp2Ut
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | cddd2be456bafd92c35be93a04ec9bcf_JaffaCakes118.exe
resource | yara_rule
behavioral2/memory/464-0-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral2/memory/464-28-0x0000000000400000-0x0000000000423000-memory.dmp | upx
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\11494171422 = "C:\\Users\\Admin\\1149417142\\1149417142.EXE" | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\1149417142_del = "cmd.exe /c dEl \"C:\\Users\\Admin\\AppData\\Local\\Temp\\cddd2be456bafd92c35be93a04ec9bcf_JaffaCakes118.exe\"" | reg.exe
Indicator Removal: File Deletion (1 TTP)
Adversaries may delete files left behind by the actions of their intrusion activity.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cddd2be456bafd92c35be93a04ec9bcf_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | shutdown.exe
Modifies data under HKEY_USERS (15 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "182" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 768 | shutdown.exe
Token: SeRemoteShutdownPrivilege | 768 | shutdown.exe
Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
2172 | LogonUI.exe
Suspicious use of WriteProcessMemory (18 IoCs)
description | pid | Process | procid_target
PID 464 wrote to memory of 4244 | 464 | cddd2be456bafd92c35be93a04ec9bcf_JaffaCakes118.exe | 85
PID 464 wrote to memory of 4244 | 464 | cddd2be456bafd92c35be93a04ec9bcf_JaffaCakes118.exe | 85
PID 464 wrote to memory of 4244 | 464 | cddd2be456bafd92c35be93a04ec9bcf_JaffaCakes118.exe | 85
PID 464 wrote to memory of 2456 | 464 | cddd2be456bafd92c35be93a04ec9bcf_JaffaCakes118.exe | 87
PID 464 wrote to memory of 2456 | 464 | cddd2be456bafd92c35be93a04ec9bcf_JaffaCakes118.exe | 87
PID 464 wrote to memory of 2456 | 464 | cddd2be456bafd92c35be93a04ec9bcf_JaffaCakes118.exe | 87
PID 464 wrote to memory of 1436 | 464 | cddd2be456bafd92c35be93a04ec9bcf_JaffaCakes118.exe | 88
PID 464 wrote to memory of 1436 | 464 | cddd2be456bafd92c35be93a04ec9bcf_JaffaCakes118.exe | 88
PID 464 wrote to memory of 1436 | 464 | cddd2be456bafd92c35be93a04ec9bcf_JaffaCakes118.exe | 88
PID 4244 wrote to memory of 3680 | 4244 | cmd.exe | 91
PID 4244 wrote to memory of 3680 | 4244 | cmd.exe | 91
PID 4244 wrote to memory of 3680 | 4244 | cmd.exe | 91
PID 2456 wrote to memory of 1816 | 2456 | cmd.exe | 92
PID 2456 wrote to memory of 1816 | 2456 | cmd.exe | 92
PID 2456 wrote to memory of 1816 | 2456 | cmd.exe | 92
PID 1436 wrote to memory of 768 | 1436 | cmd.exe | 93
PID 1436 wrote to memory of 768 | 1436 | cmd.exe | 93
PID 1436 wrote to memory of 768 | 1436 | cmd.exe | 93
Processes
C:\Users\Admin\AppData\Local\Temp\cddd2be456bafd92c35be93a04ec9bcf_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cddd2be456bafd92c35be93a04ec9bcf_JaffaCakes118.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 464
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C reG AdD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v 11494171422 /t REG_SZ /d "C:\Users\Admin\1149417142\1149417142.EXE" /f
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 4244
        C:\Windows\SysWOW64\reg.exe
          Command line: reG AdD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v 11494171422 /t REG_SZ /d "C:\Users\Admin\1149417142\1149417142.EXE" /f
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          PID: 3680
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v 1149417142_del /D "cmd.exe /c dEl \"C:\Users\Admin\AppData\Local\Temp\cddd2be456bafd92c35be93a04ec9bcf_JaffaCakes118.exe\"" /f
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2456
        C:\Windows\SysWOW64\reg.exe
          Command line: reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v 1149417142_del /D "cmd.exe /c dEl \"C:\Users\Admin\AppData\Local\Temp\cddd2be456bafd92c35be93a04ec9bcf_JaffaCakes118.exe\"" /f
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          PID: 1816
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c w.bat
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 1436
        C:\Windows\SysWOW64\shutdown.exe
          Command line: shutdown /r /f /t 0
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          PID: 768
C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa398e055 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID: 2172
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1024B
MD5: d373cbe9c2434c60dc8bc9f89ac92f85
SHA1: 0248c8aa1be5757e49570e4fcf73397d6be53833
SHA256: 19e4f1eb69c2b59ca2aaae1e8888a518ca64a0c59ad4b6402fc6e692ea0736d4
SHA512: 6d7a800920a5647388c3e30904d1ed984ec2ed2ba154e90ca617cdfd83285c8ec194b5f50a1cef50fbc54896a2bdb47ff7458d9dcbe2d1ab373bc1bc65c8ae52