Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/09/2024, 10:28
Static task: static1
Behavioral task: behavioral1
- Sample: cf561040aabd774294335baec2e9ea00_JaffaCakes118.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: cf561040aabd774294335baec2e9ea00_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: cf561040aabd774294335baec2e9ea00_JaffaCakes118.exe
- Size: 2.1MB
- MD5: cf561040aabd774294335baec2e9ea00
- SHA1: 356cdf6eb0e727cda63547bc110d2f3a2a7fae0f
- SHA256: 3e7f821b5386fc8b6983811a9c9e969ddb15b567969f203fda5617553575fe00
- SHA512: 483f0f1c3a8d981a443a31e287d7596d6ec9fef44641dc9c9c887b1d6d29cb05a7620f6b5cad36180bb64ed6f5e3cab22a32e912c9b136569e700031874e2e57
- SSDEEP: 49152:yiqXjFPE6KQaqz5HgrqhPLKqXZj8wTbDyhsotbgJSg79g3Ze7:yzzFM7q1Hg2hP2ofo
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | cf561040aabd774294335baec2e9ea00_JaffaCakes118.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  4916 | svchost_ms.exe
  2296 | svchost_ms.exe
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in System32 directory (4 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | svchost_ms.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | svchost_ms.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | svchost_ms.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | svchost_ms.exe
- Drops file in Program Files directory (4 IoCs)
  description | ioc | Process
  File created | C:\Program Files (x86)\SmartData\performer.exe | svchost_ms.exe
  File opened for modification | C:\Program Files (x86)\SmartData\performer.exe | svchost_ms.exe
  File created | C:\Program Files (x86)\SmartData\svchost_ms.exe | cf561040aabd774294335baec2e9ea00_JaffaCakes118.exe
  File opened for modification | C:\Program Files (x86)\SmartData\svchost_ms.exe | cf561040aabd774294335baec2e9ea00_JaffaCakes118.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost_ms.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cf561040aabd774294335baec2e9ea00_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | choice.exe
- Enumerates system info in registry (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Bios | cf561040aabd774294335baec2e9ea00_JaffaCakes118.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | cf561040aabd774294335baec2e9ea00_JaffaCakes118.exe
- Modifies data under HKEY_USERS (8 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | svchost_ms.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | svchost_ms.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | svchost_ms.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | svchost_ms.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | svchost_ms.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | svchost_ms.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | svchost_ms.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | svchost_ms.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  4460 | cf561040aabd774294335baec2e9ea00_JaffaCakes118.exe
  4460 | cf561040aabd774294335baec2e9ea00_JaffaCakes118.exe
  2296 | svchost_ms.exe
  2296 | svchost_ms.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeTcbPrivilege | 2296 | svchost_ms.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 4460 wrote to memory of 3512 | 4460 | cf561040aabd774294335baec2e9ea00_JaffaCakes118.exe | 88
  PID 4460 wrote to memory of 3512 | 4460 | cf561040aabd774294335baec2e9ea00_JaffaCakes118.exe | 88
  PID 4460 wrote to memory of 3512 | 4460 | cf561040aabd774294335baec2e9ea00_JaffaCakes118.exe | 88
  PID 3512 wrote to memory of 728 | 3512 | cmd.exe | 90
  PID 3512 wrote to memory of 728 | 3512 | cmd.exe | 90
  PID 3512 wrote to memory of 728 | 3512 | cmd.exe | 90
  PID 3512 wrote to memory of 4916 | 3512 | cmd.exe | 93
  PID 3512 wrote to memory of 4916 | 3512 | cmd.exe | 93
  PID 3512 wrote to memory of 4916 | 3512 | cmd.exe | 93
Processes
- C:\Users\Admin\AppData\Local\Temp\cf561040aabd774294335baec2e9ea00_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cf561040aabd774294335baec2e9ea00_JaffaCakes118.exe"
  PID: 4460
  - Checks computer location settings
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /S /C choice /C Y /N /D Y /T 3 & "C:\Program Files (x86)\SmartData\svchost_ms.exe" /start
    PID: 3512
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\choice.exe
      Command line: choice /C Y /N /D Y /T 3
      PID: 728
      - System Location Discovery: System Language Discovery
    - C:\Program Files (x86)\SmartData\svchost_ms.exe
      Command line: "C:\Program Files (x86)\SmartData\svchost_ms.exe" /start
      PID: 4916
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
- C:\Program Files (x86)\SmartData\svchost_ms.exe
  Command line: "C:\Program Files (x86)\SmartData\svchost_ms.exe" /srv
  PID: 2296
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.1MB
  MD5: cf561040aabd774294335baec2e9ea00
  SHA1: 356cdf6eb0e727cda63547bc110d2f3a2a7fae0f
  SHA256: 3e7f821b5386fc8b6983811a9c9e969ddb15b567969f203fda5617553575fe00
  SHA512: 483f0f1c3a8d981a443a31e287d7596d6ec9fef44641dc9c9c887b1d6d29cb05a7620f6b5cad36180bb64ed6f5e3cab22a32e912c9b136569e700031874e2e57