Analysis
- max time kernel: 143s
- max time network: 144s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 06/09/2024, 01:30
Static task
- static1
Behavioral tasks
- behavioral1: ce5756683b503f60043e9ea19aa39c52_JaffaCakes118.exe on win7-20240903-en
- behavioral2: ce5756683b503f60043e9ea19aa39c52_JaffaCakes118.exe on win10v2004-20240802-en
- behavioral3: $PLUGINSDIR/System.dll on win7-20240903-en
- behavioral4: $PLUGINSDIR/System.dll on win10v2004-20240802-en
- behavioral5: CabDLL.dll on win7-20240708-en
- behavioral6: CabDLL.dll on win10v2004-20240802-en
General
- Target: ce5756683b503f60043e9ea19aa39c52_JaffaCakes118.exe
- Size: 238KB
- MD5: ce5756683b503f60043e9ea19aa39c52
- SHA1: 0b20f56d4c63da80d32b9843874fcf14e9a31701
- SHA256: 4702f86e3fdf18126b88c87b32cfba3f608df4770d51b559270b554d30704756
- SHA512: 0ad3e86eca897c9df2c1271c5b561341b6b12707f12a126ef2de06686316db066c89f60b677673f2eb89f5b8e7403004104b9be1e00b54f1d4bf7c8cc911d9c6
- SSDEEP: 3072:YNdm6/Xbi5XJCO45TLojaiyxWWWqS4FYoc9/X0+s3PAENwAuHxBXaI0ZRNWsIV5G:Yn/L+VEL2+3S4WPubomlu7aIZsc03
Malware Config
- Extracted from: C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\README.hta
Signatures
- Cerber
  Cerber is a widely used ransomware-as-a-service (RaaS), first seen in early 2016.
- Deletes shadow copies (3 TTPs)
  Ransomware often deletes backups and snapshots to inhibit system recovery; here the sample does it with wmic.exe shadowcopy delete (PID 2560 in the process tree).
- Blocklisted process makes network request (3 IoCs)
  flow  pid   Process
  1544  1504  mshta.exe
  1546  1504  mshta.exe
  1548  1504  mshta.exe
- Contacts a large (518) number of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Deletes itself (1 IoC)
  pid   Process
  1508  cmd.exe
- Loads dropped DLL (3 IoCs)
  pid   Process
  2232  ce5756683b503f60043e9ea19aa39c52_JaffaCakes118.exe (3 loads)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpF853.bmp"
  Process: ce5756683b503f60043e9ea19aa39c52_JaffaCakes118.exe
- Suspicious use of SetThreadContext (1 IoC)
  description: PID 2232 set thread context of 2612
  pid: 2232, Process: ce5756683b503f60043e9ea19aa39c52_JaffaCakes118.exe, procid_target: 31
- Drops file in Program Files directory (6 IoCs)
  description                   ioc                                                                                        Process
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BUSINESS.ONE  ce5756683b503f60043e9ea19aa39c52_JaffaCakes118.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\DESIGNER.ONE  ce5756683b503f60043e9ea19aa39c52_JaffaCakes118.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\PLANNERS.ONE  ce5756683b503f60043e9ea19aa39c52_JaffaCakes118.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\ACADEMIC.ONE  ce5756683b503f60043e9ea19aa39c52_JaffaCakes118.exe
  File created                  C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\README.hta    ce5756683b503f60043e9ea19aa39c52_JaffaCakes118.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BLANK.ONE     ce5756683b503f60043e9ea19aa39c52_JaffaCakes118.exe
- Drops file in Windows directory (1 IoC)
  description                   ioc                      Process
  File opened for modification  C:\Windows\requirements  ce5756683b503f60043e9ea19aa39c52_JaffaCakes118.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ce5756683b503f60043e9ea19aa39c52_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ce5756683b503f60043e9ea19aa39c52_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DllHost.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mshta.exe
- System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 1 IoC)
  Adversaries may check for Internet connectivity on compromised systems.
  pid  Process
  540  PING.EXE
- Kills process with taskkill (1 IoC)
  pid   Process
  2896  taskkill.exe
- Modifies Internet Explorer settings (1 IoC)
  description  ioc                                                                                                      Process
  Key created  \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main  mshta.exe
- Runs ping.exe (1 TTP, 1 IoC)
  pid  Process
  540  PING.EXE
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  2612  ce5756683b503f60043e9ea19aa39c52_JaffaCakes118.exe (64 identical entries)
- Suspicious use of AdjustPrivilegeToken (49 IoCs)
  Token privileges enabled, grouped by process (numeric entries are privilege LUIDs the sandbox did not name: 33 = SeIncreaseWorkingSetPrivilege, 34 = SeTimeZonePrivilege, 35 = SeCreateSymbolicLinkPrivilege):
  2612  ce5756683b503f60043e9ea19aa39c52_JaffaCakes118.exe: SeDebugPrivilege
  2560  WMIC.exe (each enabled twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  1256  vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  1580  AUDIODG.EXE (each enabled twice): 33, SeIncBasePriorityPrivilege
  2896  taskkill.exe: SeDebugPrivilege
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  1504  mshta.exe (2 entries)
- Suspicious use of WriteProcessMemory (31 IoCs)
  pid   wrote to memory of  Process                                              procid_target  entries
  2232  2612                ce5756683b503f60043e9ea19aa39c52_JaffaCakes118.exe  31             10
  2612  2500                ce5756683b503f60043e9ea19aa39c52_JaffaCakes118.exe  32             4
  2500  2560                cmd.exe                                              34             3
  2612  1504                ce5756683b503f60043e9ea19aa39c52_JaffaCakes118.exe  41             4
  2612  1508                ce5756683b503f60043e9ea19aa39c52_JaffaCakes118.exe  42             4
  1508  2896                cmd.exe                                              44             3
  1508  540                 cmd.exe                                              45             3
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
(Indentation shows parent/child nesting; each entry gives the image, its PID, the logged command line and the signatures it triggered.)

C:\Users\Admin\AppData\Local\Temp\ce5756683b503f60043e9ea19aa39c52_JaffaCakes118.exe (PID 2232)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ce5756683b503f60043e9ea19aa39c52_JaffaCakes118.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\ce5756683b503f60043e9ea19aa39c52_JaffaCakes118.exe (PID 2612)
        Command line: "C:\Users\Admin\AppData\Local\Temp\ce5756683b503f60043e9ea19aa39c52_JaffaCakes118.exe"
        - Sets desktop wallpaper using registry
        - Drops file in Program Files directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\cmd.exe (PID 2500)
            Command line: "C:\Windows\system32\cmd.exe"
            - Suspicious use of WriteProcessMemory
            C:\Windows\system32\wbem\WMIC.exe (PID 2560)
                Command line: C:\Windows\system32\wbem\wmic.exe shadowcopy delete
                - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\mshta.exe (PID 1504)
            Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\README.hta"
            - Blocklisted process makes network request
            - System Location Discovery: System Language Discovery
            - Modifies Internet Explorer settings
            - Suspicious use of SetWindowsHookEx
        C:\Windows\system32\cmd.exe (PID 1508)
            Command line: "C:\Windows\system32\cmd.exe"
            - Deletes itself
            - Suspicious use of WriteProcessMemory
            C:\Windows\system32\taskkill.exe (PID 2896)
                Command line: taskkill /f /im "ce5756683b503f60043e9ea19aa39c52_JaffaCakes118.exe"
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken
            C:\Windows\system32\PING.EXE (PID 540)
                Command line: ping -n 1 127.0.0.1
                - System Network Configuration Discovery: Internet Connection Discovery
                - Runs ping.exe

C:\Windows\system32\vssvc.exe (PID 1256)
    Command line: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\DllHost.exe (PID 2908)
    Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
    - System Location Discovery: System Language Discovery

C:\Windows\system32\AUDIODG.EXE (PID 1580)
    Command line: C:\Windows\system32\AUDIODG.EXE 0xdc
    - Suspicious use of AdjustPrivilegeToken
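The process tree above, together with the "Deletes shadow copies", "Deletes itself" and "Suspicious use of SetThreadContext" signatures, is the kind of chain a detection engineer turns into process-creation rules. What follows is an added example, not tria.ge's code and not code from the sample: a small Python detector run over constructed Sysmon-style process-creation events whose PIDs, images and command lines are copied from this report. The event layout and field names are an assumption (tria.ge does not export this shape), and the vssadmin/wbadmin alternatives in the shadow-copy pattern are added for coverage, not something this report shows.

```python
"""Process-tree detector for the Cerber chain shown in the report.

Added example, not tria.ge code. Events are constructed Sysmon-style
process-creation records (field layout assumed); PIDs, images and command
lines are copied from the report's Processes section.
"""
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # command line as logged


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\ce5756683b503f60043e9ea19aa39c52_JaffaCakes118.exe"

# Constructed from the report; ppid 0 for the first launch is a placeholder.
EVENTS: List[ProcEvent] = [
    ProcEvent(2232, 0, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2612, 2232, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2500, 2612, r"C:\Windows\system32\cmd.exe", r'"C:\Windows\system32\cmd.exe"'),
    ProcEvent(2560, 2500, r"C:\Windows\system32\wbem\WMIC.exe",
              r"C:\Windows\system32\wbem\wmic.exe shadowcopy delete"),
    ProcEvent(1504, 2612, r"C:\Windows\SysWOW64\mshta.exe",
              r'"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\README.hta"'),
    ProcEvent(1508, 2612, r"C:\Windows\system32\cmd.exe", r'"C:\Windows\system32\cmd.exe"'),
    ProcEvent(2896, 1508, r"C:\Windows\system32\taskkill.exe",
              r'taskkill /f /im "ce5756683b503f60043e9ea19aa39c52_JaffaCakes118.exe"'),
    ProcEvent(540, 1508, r"C:\Windows\system32\PING.EXE", "ping -n 1 127.0.0.1"),
]

# wmic is what this sample uses; vssadmin/wbadmin are the other common
# shadow-copy / backup-catalog deletion commands (added for coverage).
SHADOW_RE = re.compile(
    r"wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|vssadmin(\.exe)?\s+delete\s+shadows"
    r"|wbadmin(\.exe)?\s+delete\s+catalog",
    re.IGNORECASE,
)
TASKKILL_IM_RE = re.compile(r'taskkill\b.*?/im\s+"?([^"\s]+)', re.IGNORECASE)
LOOPBACK_PING_RE = re.compile(r"\bping\b.*\b(127\.0\.0\.1|localhost)\b", re.IGNORECASE)
HTA_IN_USER_PROFILE_RE = re.compile(r'"?[A-Za-z]:\\Users\\[^"]+\.hta', re.IGNORECASE)


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def _index(events: List[ProcEvent]):
    by_pid = {e.pid: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e.ppid].append(e)
    return by_pid, children


def shadow_copy_deletion(events: List[ProcEvent]) -> List[int]:
    """PIDs whose command line deletes shadow copies or the backup catalog."""
    return [e.pid for e in events if SHADOW_RE.search(e.cmdline)]


def self_delete_chains(events: List[ProcEvent]) -> List[int]:
    """PIDs that spawned a cmd.exe whose children both taskkill the spawner's
    own image name and ping loopback (the wait-then-remove idiom)."""
    by_pid, children = _index(events)
    hits = []
    for cmd in events:
        if _basename(cmd.image) != "cmd.exe" or cmd.ppid not in by_pid:
            continue
        parent = by_pid[cmd.ppid]
        killed = pinged = False
        for child in children[cmd.pid]:
            m = TASKKILL_IM_RE.search(child.cmdline)
            if m and m.group(1).lower() == _basename(parent.image):
                killed = True
            if LOOPBACK_PING_RE.search(child.cmdline):
                pinged = True
        if killed and pinged:
            hits.append(parent.pid)
    return hits


def hta_from_user_profile(events: List[ProcEvent]) -> List[int]:
    """mshta.exe running an .hta stored under the user profile (ransom note
    display here, but also a common initial-access lure)."""
    return [e.pid for e in events
            if _basename(e.image) == "mshta.exe" and HTA_IN_USER_PROFILE_RE.search(e.cmdline)]


def self_spawn(events: List[ProcEvent]) -> List[int]:
    """Child created from the same image as its parent: the visible half of the
    SetThreadContext/WriteProcessMemory self-injection in the report (the
    context write itself is not a process-creation event)."""
    by_pid, _ = _index(events)
    return [e.pid for e in events
            if e.ppid in by_pid and by_pid[e.ppid].image.lower() == e.image.lower()]


def detect(events: List[ProcEvent]) -> List[str]:
    """All findings as 'rule pid=N' strings, in rule order."""
    rules = [
        ("shadow_copy_deletion", shadow_copy_deletion),
        ("self_delete_chain", self_delete_chains),
        ("hta_from_user_profile", hta_from_user_profile),
        ("self_spawn_same_image", self_spawn),
    ]
    return [f"{name} pid={pid}" for name, fn in rules for pid in fn(events)]


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

Running the file prints one finding per rule. The self-delete rule deliberately requires both the taskkill of the spawner's own image name and the loopback ping from the same cmd.exe, because either alone is common in benign scripts; the self-spawn rule only sees the process creation, so pair it with the sandbox's SetThreadContext/WriteProcessMemory IoCs or equivalent EDR injection telemetry before calling it hollowing.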
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 61KB
  MD5: 46187f022d4bf949cb234fc45b03cced
  SHA1: 923a7a6d9bfa82fe57f6eeed4f6cafe57d2ad212
  SHA256: cb5925584e777d49dc6581667a40e406ac93fda08456b0d1dfc59bad891b740f
  SHA512: 7e186f08447709efafd8d05c21dc4895a16350c553f2b3cc1da90a00e878ac0ddeba39d6a2f7271b846d296f3d08b593ae4c1de65b46ec47ab13a38bf9923489
- Filesize: 11KB
  MD5: a436db0c473a087eb61ff5c53c34ba27
  SHA1: 65ea67e424e75f5065132b539c8b2eda88aa0506
  SHA256: 75ed40311875312617d6711baed0be29fcaee71031ca27a8d308a72b15a51e49
  SHA512: 908f46a855480af6eacb2fb64de0e60b1e04bbb10b23992e2cf38a4cbebdcd7d3928c4c022d7ad9f7479265a8f426b93eef580afec95570e654c360d62f5e08d
- Filesize: 11KB
  MD5: 926df996160c4bc6044491b5d5f99f45
  SHA1: 15bbe6be9ce3686cbcd54ab0c7d159b42e8ff562
  SHA256: c06376ed1ca188ef70c09fcf83d7ed97e2775730f2c8d9cd0c6090844795eff5
  SHA512: fb85e4cb356d3854aaee71514ae20e8fa0684011ce9820ec24885370b1b16d6490a4aa3500bc493c5b6e60e6949358fc5a5ba2130e5600b666d937b146d0c1ef