Analysis
- max time kernel: 149s
- max time network: 127s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/09/2024, 04:19
Static task: static1
Behavioral task: behavioral1
Sample: cea2d53f3741c750f8da141ce3044b9c_JaffaCakes118.exe
Resource: win7-20240704-en
General
- Target: cea2d53f3741c750f8da141ce3044b9c_JaffaCakes118.exe
- Size: 548KB
- MD5: cea2d53f3741c750f8da141ce3044b9c
- SHA1: e4c40c26e0556447cbb8c5731aa3b4fe9a1e9399
- SHA256: 059da1d4aca3dac5c4e827e9e7a5ebd07e3b3581135c200cdcb7c5e9be5065e3
- SHA512: 36067bd002f52ea95d6eb2d2a84808a879bc0af619938ade50b2bb08fe440af897815b5066c89fbe7383f99f08a77449fdfd0524636b22a500117d3c17fec615
- SSDEEP: 12288:e9dVKCxkIgeqXqXBb9P3BpcLLWW7HMwBIMQxlskGljE3af6EJ:yXKCFgeCqXBN3MswjQxkJ
Malware Config
Signatures
- Checks computer location settings (TTPs: 2, IoCs: 1)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | cea2d53f3741c750f8da141ce3044b9c_JaffaCakes118.exe
- Drops startup file (IoCs: 1)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Against Down.lnk | cea2d53f3741c750f8da141ce3044b9c_JaffaCakes118.exe
- Executes dropped EXE (IoCs: 2)
  pid | Process
  1848 | PairBusy.exe
  3920 | PairBusy.exe
- Drops desktop.ini file(s) (IoCs: 2)
  description | ioc | Process
  File created | C:\Windows\assembly\Desktop.ini | PairBusy.exe
  File opened for modification | C:\Windows\assembly\Desktop.ini | PairBusy.exe
- Suspicious use of SetThreadContext (IoCs: 1)
  description | pid | Process | procid_target
  PID 1848 set thread context of 3920 | 1848 | PairBusy.exe | 102
- Drops file in Windows directory (IoCs: 3)
  description | ioc | Process
  File opened for modification | C:\Windows\assembly\Desktop.ini | PairBusy.exe
  File opened for modification | C:\Windows\assembly | PairBusy.exe
  File created | C:\Windows\assembly\Desktop.ini | PairBusy.exe
- Enumerates physical storage devices (TTPs: 1)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (TTPs: 1, IoCs: 3)
  Attempts to gather information about the system language of the victim host in order to infer its geographical location.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cea2d53f3741c750f8da141ce3044b9c_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PairBusy.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PairBusy.exe
- Checks SCSI registry key(s) (TTPs: 3, IoCs: 4)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | PairBusy.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | PairBusy.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | cea2d53f3741c750f8da141ce3044b9c_JaffaCakes118.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | cea2d53f3741c750f8da141ce3044b9c_JaffaCakes118.exe
- Suspicious behavior: EnumeratesProcesses (IoCs: 2)
  pid | Process
  1848 | PairBusy.exe
  1848 | PairBusy.exe
- Suspicious behavior: GetForegroundWindowSpam (IoCs: 1)
  pid | Process
  3920 | PairBusy.exe
- Suspicious use of AdjustPrivilegeToken (IoCs: 3)
  description | pid | Process
  Token: SeDebugPrivilege | 636 | cea2d53f3741c750f8da141ce3044b9c_JaffaCakes118.exe
  Token: SeDebugPrivilege | 1848 | PairBusy.exe
  Token: SeDebugPrivilege | 3920 | PairBusy.exe
- Suspicious use of SetWindowsHookEx (IoCs: 1)
  pid | Process
  3920 | PairBusy.exe
- Suspicious use of WriteProcessMemory (IoCs: 8)
  description | pid | Process | procid_target
  PID 636 wrote to memory of 1848 | 636 | cea2d53f3741c750f8da141ce3044b9c_JaffaCakes118.exe | 101
  PID 636 wrote to memory of 1848 | 636 | cea2d53f3741c750f8da141ce3044b9c_JaffaCakes118.exe | 101
  PID 636 wrote to memory of 1848 | 636 | cea2d53f3741c750f8da141ce3044b9c_JaffaCakes118.exe | 101
  PID 1848 wrote to memory of 3920 | 1848 | PairBusy.exe | 102
  PID 1848 wrote to memory of 3920 | 1848 | PairBusy.exe | 102
  PID 1848 wrote to memory of 3920 | 1848 | PairBusy.exe | 102
  PID 1848 wrote to memory of 3920 | 1848 | PairBusy.exe | 102
  PID 1848 wrote to memory of 3920 | 1848 | PairBusy.exe | 102
Processes
- C:\Users\Admin\AppData\Local\Temp\cea2d53f3741c750f8da141ce3044b9c_JaffaCakes118.exe (PID 636, tree level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\cea2d53f3741c750f8da141ce3044b9c_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops startup file
  - System Location Discovery: System Language Discovery
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Or's industry\PairBusy.exe (PID 1848, tree level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Or's industry\PairBusy.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\Or's industry\PairBusy.exe (PID 3920, tree level 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Or's industry\PairBusy.exe"
      - Executes dropped EXE
      - Drops desktop.ini file(s)
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2260, tree level 1)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4212,i,13995403245988825027,7033610968827661507,262144 --variations-seed-version --mojo-platform-channel-handle=1316 /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 548KB
  MD5: cea2d53f3741c750f8da141ce3044b9c
  SHA1: e4c40c26e0556447cbb8c5731aa3b4fe9a1e9399
  SHA256: 059da1d4aca3dac5c4e827e9e7a5ebd07e3b3581135c200cdcb7c5e9be5065e3
  SHA512: 36067bd002f52ea95d6eb2d2a84808a879bc0af619938ade50b2bb08fe440af897815b5066c89fbe7383f99f08a77449fdfd0524636b22a500117d3c17fec615
- Filesize: 1KB
  MD5: fa42e0a3b07c40519286b9c710afc66c
  SHA1: 717acbf04062acaff961b625d3f36cbaef6c76f7
  SHA256: dc857407676edbf7e6b2422e833db8c1120e61f79e59c4b82d141de532e85cfa
  SHA512: add34498f32fbfb239bb1db6d548e66eee0b5d7a7874c4a24c3b969ac56c61e44e4136cf04828684173153913d621b3678b9ee97dfd0b3f8649595c300d9f87c