Analysis
- max time kernel: 150s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07/09/2024, 13:26 UTC
Static task: static1
Behavioral task: behavioral1
- Sample: d208ad20d240b437f84f6df7c87caee7_JaffaCakes118.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: d208ad20d240b437f84f6df7c87caee7_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: d208ad20d240b437f84f6df7c87caee7_JaffaCakes118.exe
- Size: 833KB
- MD5: d208ad20d240b437f84f6df7c87caee7
- SHA1: b595aff2cada2868a99e9df7d2856362c955d4dd
- SHA256: ab5ee538853974ccb6bc195c9488578f1217c05a6f2246bbda2304d9d2bc8a09
- SHA512: 43e22060459bfe329860dadd3f4c45a040b4e07dc5442336991ccdbf9fa40e23e03248af851e03f9a400b8d1bb303c7d32f11775abec80cd03e4d22a0af06396
- SSDEEP: 24576:tTEviA7EjZtXFiB8ziZfDGHbwA/MDBb+oxRXWZ:6H74XFiBEsfD65/Mtb+SRXWZ
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Set value (str) by d208ad20d240b437f84f6df7c87caee7_JaffaCakes118.exe:
  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\scost.exe"
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried by d208ad20d240b437f84f6df7c87caee7_JaffaCakes118.exe:
  \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation
- Executes dropped EXE (2 IoCs)
  PID 3604 scost.exe; PID 1584 scost.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) by d208ad20d240b437f84f6df7c87caee7_JaffaCakes118.exe:
  \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\scost.exe = "C:\\Users\\Admin\\Documents\\MSDCSC\\scost.exe"
  Set value (str) by scost.exe:
  \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\scost.exe = "C:\\Users\\Admin\\Documents\\MSDCSC\\scost.exe"
- Suspicious use of SetThreadContext (2 IoCs)
  PID 1432 (d208ad20d240b437f84f6df7c87caee7_JaffaCakes118.exe) set thread context of PID 1328 (procid_target 86)
  PID 3604 (scost.exe) set thread context of PID 1584 (procid_target 90)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, twice by d208ad20d240b437f84f6df7c87caee7_JaffaCakes118.exe and twice by scost.exe
- Suspicious use of AdjustPrivilegeToken (48 IoCs)
  PID 1328 (d208ad20d240b437f84f6df7c87caee7_JaffaCakes118.exe) adjusted token privileges: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and privileges 33, 34, 35, 36 (24 IoCs)
  PID 1584 (scost.exe) adjusted the same 24 privileges (24 IoCs)
- Suspicious use of SetWindowsHookEx (3 IoCs)
  PID 1432 d208ad20d240b437f84f6df7c87caee7_JaffaCakes118.exe; PID 3604 scost.exe; PID 1584 scost.exe
- Suspicious use of WriteProcessMemory (33 IoCs)
  PID 1432 (d208ad20d240b437f84f6df7c87caee7_JaffaCakes118.exe) wrote to memory of PID 1328 (procid_target 86): 15 times
  PID 1328 (d208ad20d240b437f84f6df7c87caee7_JaffaCakes118.exe) wrote to memory of PID 3604 (procid_target 89): 3 times
  PID 3604 (scost.exe) wrote to memory of PID 1584 (procid_target 90): 15 times
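The two persistence IOCs above (an extra entry appended to Winlogon UserInit, and a per-user Run key pointing into the profile) are what a responder would sweep other hosts for. The following is an added example, not tria.ge's code and not the sample's: it parses a registry export of the kind `reg export` produces and flags both techniques. The `.reg` text is constructed from the report's key paths and data (the OneDrive entry is a made-up benign neighbour), and `DEFAULT_USERINIT` and the `USER_WRITABLE` path fragments are assumptions of the example.

```python
"""Audit a Windows registry export (.reg) for the two persistence
techniques this report flags: an extra entry appended to the Winlogon
UserInit value, and a Run key pointing into a user-writable directory.
Added example, not tria.ge code; SAMPLE_REG is constructed from the
report's IOCs, not captured from the sandbox."""
import re

# Constructed sample of what `reg export` emits for the two keys the
# sample modified; key paths and data are copied from the report, the
# Shell and OneDrive values are benign filler.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"UserInit"="C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\scost.exe"

[HKEY_USERS\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"scost.exe"="C:\\Users\\Admin\\Documents\\MSDCSC\\scost.exe"
'''

# The only entry a clean UserInit value should contain (assumption:
# default install path, compared case-insensitively).
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"

# Path fragments marking locations a standard user can write to.
# Heuristic: legitimate per-user software lives here too, so a hit
# means "review", not "malicious".
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\")

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def parse_reg(text):
    """Return {key_path: {value_name: data}} for the REG_SZ values of a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = _VALUE_RE.match(line)
            if m:
                # .reg escapes both backslash and double quote with a backslash
                name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
                keys[current][name] = data
    return keys


def find_persistence(keys):
    """Return (technique, key, detail) tuples for suspicious autostart entries."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        if k.endswith("\\winlogon"):
            # UserInit is a comma-separated list; anything beyond userinit.exe
            # is launched by winlogon at every interactive logon.
            for entry in (e.strip() for e in values.get("UserInit", "").split(",")):
                if entry and entry.lower() != DEFAULT_USERINIT:
                    findings.append(("Winlogon UserInit helper", key, entry))
        elif k.endswith("\\currentversion\\run") or k.endswith("\\currentversion\\runonce"):
            for name, data in values.items():
                if any(frag in data.lower() for frag in USER_WRITABLE):
                    findings.append(("Run key in user-writable path", key, f"{name} = {data}"))
    return findings


if __name__ == "__main__":
    for technique, key, detail in find_persistence(parse_reg(SAMPLE_REG)):
        print(f"[{technique}] {key}\n    {detail}")
```

Run against a real export (`reg export HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon winlogon.reg` and the per-user Run key), and treat the Winlogon hit as high-confidence: unlike the Run key, nothing legitimate appends to UserInit on a workstation.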
Processes (indentation shows parent and child)
- PID 1432: C:\Users\Admin\AppData\Local\Temp\d208ad20d240b437f84f6df7c87caee7_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d208ad20d240b437f84f6df7c87caee7_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - PID 1328 (child of 1432): C:\Users\Admin\AppData\Local\Temp\d208ad20d240b437f84f6df7c87caee7_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\d208ad20d240b437f84f6df7c87caee7_JaffaCakes118.exe"
    - Modifies WinLogon for persistence
    - Checks computer location settings
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - PID 3604 (child of 1328): C:\Users\Admin\Documents\MSDCSC\scost.exe
      Command line: "C:\Users\Admin\Documents\MSDCSC\scost.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - PID 1584 (child of 3604): C:\Users\Admin\Documents\MSDCSC\scost.exe
        Command line: "C:\Users\Admin\Documents\MSDCSC\scost.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
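The process tree pairs up with the SetThreadContext and WriteProcessMemory rows: each stage starts a copy of its own image, writes into it fifteen times and then sets its thread context, which is the process-hollowing (RunPE) pattern, and the hollowed copy is the one that does the persistence work. The block below is an added example, not tria.ge's code: it rebuilds that chain from an API event list. `IMAGES` and `EVENTS` are constructed from the report's rows; the order of events inside each pair is assumed, since the report only gives counts.

```python
"""Reconstruct the injection chain from API events of the kind listed in
the Signatures and Processes sections (WriteProcessMemory and
SetThreadContext with source and target PIDs). Added example, not tria.ge
code; IMAGES and EVENTS are constructed from the report's rows, and the
ordering of events within each pair is assumed since the report only
gives counts."""
from collections import Counter

# Constructed: PID -> image path, from the Processes tree.
IMAGES = {
    1432: r"C:\Users\Admin\AppData\Local\Temp\d208ad20d240b437f84f6df7c87caee7_JaffaCakes118.exe",
    1328: r"C:\Users\Admin\AppData\Local\Temp\d208ad20d240b437f84f6df7c87caee7_JaffaCakes118.exe",
    3604: r"C:\Users\Admin\Documents\MSDCSC\scost.exe",
    1584: r"C:\Users\Admin\Documents\MSDCSC\scost.exe",
}

# Constructed: (api, source_pid, target_pid), with the report's counts.
EVENTS = (
    [("WriteProcessMemory", 1432, 1328)] * 15 + [("SetThreadContext", 1432, 1328)]
    + [("WriteProcessMemory", 1328, 3604)] * 3   # parent writing into a normally spawned child
    + [("WriteProcessMemory", 3604, 1584)] * 15 + [("SetThreadContext", 3604, 1584)]
)


def find_hollowing(events, images, min_writes=2):
    """Return one record per (src, dst) pair where src both wrote into dst's
    memory and set a thread context in dst: the process-hollowing (RunPE)
    pattern. Pairs with writes but no SetThreadContext are not flagged; a
    parent writing a few pages into a child it just created is normal."""
    writes = Counter()
    ctx_pairs = set()
    for api, src, dst in events:
        if api == "WriteProcessMemory":
            writes[(src, dst)] += 1
        elif api == "SetThreadContext":
            ctx_pairs.add((src, dst))
    hits = []
    for src, dst in sorted(ctx_pairs):
        if writes[(src, dst)] >= min_writes:
            hits.append({
                "src": src, "dst": dst, "writes": writes[(src, dst)],
                # same image on both sides: the child is a suspended copy of
                # the parent whose in-memory image has been replaced
                "self_hollow": images.get(src) == images.get(dst),
            })
    return hits


def describe_chain(hits, images):
    """One line per hop, in PID order, for a triage note."""
    lines = []
    for h in hits:
        kind = "self-hollowing" if h["self_hollow"] else "hollowing"
        target_name = images[h["dst"]].rsplit("\\", 1)[-1]
        lines.append(f"{h['src']} -> {h['dst']}: {kind} of {target_name} "
                     f"with {h['writes']} WriteProcessMemory calls")
    return lines


if __name__ == "__main__":
    print("\n".join(describe_chain(find_hollowing(EVENTS, IMAGES), IMAGES)))
```

The `min_writes` threshold is what separates a loader copying a whole PE section by section from the one or two writes a parent makes into a child during normal startup; the report's 1328 to 3604 relationship (three writes, no SetThreadContext) is exactly the benign case and is not flagged.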
Network
All DNS traffic went to the resolver 8.8.8.8:53. Relbel.no-ip.biz was queried 33 times (type A) and never resolved; the 11 PTR entries are reverse lookups, and they are the only queries that received answer records. The table lists queries in capture order ("(empty)" = a reply arrived with no answer records; "(no reply)" = no response was seen).

 # | Request                      | Type | Response
 1 | Relbel.no-ip.biz             | A    | (empty)
 2 | 8.8.8.8.in-addr.arpa         | PTR  | dns.google
 3 | 28.118.140.52.in-addr.arpa   | PTR  | (empty)
 4 | Relbel.no-ip.biz             | A    | (empty)
 5 | Relbel.no-ip.biz             | A    | (empty)
 6 | Relbel.no-ip.biz             | A    | (empty)
 7 | 73.31.126.40.in-addr.arpa    | PTR  | (empty)
 8 | 81.144.22.2.in-addr.arpa     | PTR  | a2-22-144-81.deploy.static.akamaitechnologies.com
 9 | 95.221.229.192.in-addr.arpa  | PTR  | (empty)
10 | Relbel.no-ip.biz             | A    | (empty)
11 | Relbel.no-ip.biz             | A    | (empty)
12 | Relbel.no-ip.biz             | A    | (empty)
13 | 86.23.85.13.in-addr.arpa     | PTR  | (empty)
14 | 198.187.3.20.in-addr.arpa    | PTR  | (empty)
15 | Relbel.no-ip.biz             | A    | (empty)
16 | 0.205.248.87.in-addr.arpa    | PTR  | https-87-248-205-0.lgw.llnw.net
17 | Relbel.no-ip.biz             | A    | (empty)
18 | 133.211.185.52.in-addr.arpa  | PTR  | (empty)
19 | Relbel.no-ip.biz             | A    | (empty)
20 | Relbel.no-ip.biz             | A    | (empty)
21 | 97.17.167.52.in-addr.arpa    | PTR  | (empty)
22 | Relbel.no-ip.biz             | A    | (empty)
23 | Relbel.no-ip.biz             | A    | (empty)
24 | Relbel.no-ip.biz             | A    | (empty)
25 | Relbel.no-ip.biz             | A    | (empty)
26 | Relbel.no-ip.biz             | A    | (no reply)
27 | Relbel.no-ip.biz             | A    | (empty)
28 | Relbel.no-ip.biz             | A    | (empty)
29 | Relbel.no-ip.biz             | A    | (empty)
30 | Relbel.no-ip.biz             | A    | (empty)
31 | 73.144.22.2.in-addr.arpa     | PTR  | a2-22-144-73.deploy.static.akamaitechnologies.com
32 | Relbel.no-ip.biz             | A    | (empty)
33 | Relbel.no-ip.biz             | A    | (empty)
34 | Relbel.no-ip.biz             | A    | (empty)
35 | Relbel.no-ip.biz             | A    | (empty)
36 | Relbel.no-ip.biz             | A    | (empty)
37 | Relbel.no-ip.biz             | A    | (empty)
38 | Relbel.no-ip.biz             | A    | (no reply)
39 | Relbel.no-ip.biz             | A    | (empty)
40 | Relbel.no-ip.biz             | A    | (empty)
41 | Relbel.no-ip.biz             | A    | (empty)
42 | Relbel.no-ip.biz             | A    | (empty)
43 | Relbel.no-ip.biz             | A    | (empty)
44 | Relbel.no-ip.biz             | A    | (no reply)
DNS flow summary (bytes sent, bytes received, requests, responses, name), in capture order:

 # | Sent  | Received | Req | Resp | Name
 1 |  62 B |  122 B   |  1  |  1   | Relbel.no-ip.biz
 2 |  66 B |   90 B   |  1  |  1   | 8.8.8.8.in-addr.arpa
 3 |  72 B |  158 B   |  1  |  1   | 28.118.140.52.in-addr.arpa
 4 |  62 B |  122 B   |  1  |  1   | Relbel.no-ip.biz
 5 |  62 B |  122 B   |  1  |  1   | Relbel.no-ip.biz
 6 |  62 B |  122 B   |  1  |  1   | Relbel.no-ip.biz
 7 |  71 B |  157 B   |  1  |  1   | 73.31.126.40.in-addr.arpa
 8 |  70 B |  133 B   |  1  |  1   | 81.144.22.2.in-addr.arpa
 9 |  73 B |  144 B   |  1  |  1   | 95.221.229.192.in-addr.arpa
10 |  62 B |  122 B   |  1  |  1   | Relbel.no-ip.biz
11 |  62 B |  122 B   |  1  |  1   | Relbel.no-ip.biz
12 |  62 B |  122 B   |  1  |  1   | Relbel.no-ip.biz
13 |  70 B |  144 B   |  1  |  1   | 86.23.85.13.in-addr.arpa
14 |  71 B |  157 B   |  1  |  1   | 198.187.3.20.in-addr.arpa
15 |  62 B |  122 B   |  1  |  1   | Relbel.no-ip.biz
16 |  71 B |  116 B   |  1  |  1   | 0.205.248.87.in-addr.arpa
17 |  62 B |  122 B   |  1  |  1   | Relbel.no-ip.biz
18 |  73 B |  147 B   |  1  |  1   | 133.211.185.52.in-addr.arpa
19 |  62 B |  122 B   |  1  |  1   | Relbel.no-ip.biz
20 |  62 B |  122 B   |  1  |  1   | Relbel.no-ip.biz
21 |  71 B |  145 B   |  1  |  1   | 97.17.167.52.in-addr.arpa
22 |  62 B |  122 B   |  1  |  1   | Relbel.no-ip.biz
23 |  62 B |  122 B   |  1  |  1   | Relbel.no-ip.biz
24 |  62 B |  122 B   |  1  |  1   | Relbel.no-ip.biz
25 | 124 B |  122 B   |  2  |  1   | Relbel.no-ip.biz (query sent twice, one reply)
26 |  62 B |  122 B   |  1  |  1   | Relbel.no-ip.biz
27 |  62 B |  122 B   |  1  |  1   | Relbel.no-ip.biz
28 |  62 B |  122 B   |  1  |  1   | Relbel.no-ip.biz
29 |  62 B |  122 B   |  1  |  1   | Relbel.no-ip.biz
30 |  70 B |  133 B   |  1  |  1   | 73.144.22.2.in-addr.arpa
31 |  62 B |  122 B   |  1  |  1   | Relbel.no-ip.biz
32 |  62 B |  122 B   |  1  |  1   | Relbel.no-ip.biz
33 |  62 B |  122 B   |  1  |  1   | Relbel.no-ip.biz
34 |  62 B |  122 B   |  1  |  1   | Relbel.no-ip.biz
35 |  62 B |  122 B   |  1  |  1   | Relbel.no-ip.biz
36 | 124 B |  122 B   |  2  |  1   | Relbel.no-ip.biz (query sent twice, one reply)
37 |  62 B |  122 B   |  1  |  1   | Relbel.no-ip.biz
38 |  62 B |  122 B   |  1  |  1   | Relbel.no-ip.biz
39 |  62 B |  122 B   |  1  |  1   | Relbel.no-ip.biz
40 |  62 B |  122 B   |  1  |  1   | Relbel.no-ip.biz
41 | 124 B |  122 B   |  2  |  1   | Relbel.no-ip.biz (query sent twice, one reply)
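The network picture above is the typical signature of a RAT whose dynamic-DNS C2 name is currently unregistered or parked: one name asked for over and over, never answered, while the few reverse lookups succeed. The block below is an added example, not tria.ge's code: it aggregates a DNS log by name and flags names that are repeatedly queried with no answer, noting when they sit under a free dynamic-DNS zone. `SAMPLE_LOG` is constructed to mirror the report in a simple one-record-per-line format of the example's own (not the report's), and `DDNS_SUFFIXES` is an illustrative subset, not an authoritative list.

```python
"""Spot an unresolved dynamic-DNS beacon in a DNS query log: one name
queried repeatedly with no answer while ordinary lookups succeed.
Added example, not tria.ge code; SAMPLE_LOG is constructed to mirror the
report's Network section (the line format is the example's own) and
DDNS_SUFFIXES is an illustrative subset of free dynamic-DNS zones."""
from collections import defaultdict

# Constructed log: "<resolver> <qname> <qtype> <answer or ->", one query per line.
SAMPLE_LOG = """\
8.8.8.8:53 Relbel.no-ip.biz A -
8.8.8.8:53 8.8.8.8.in-addr.arpa PTR dns.google
8.8.8.8:53 28.118.140.52.in-addr.arpa PTR -
8.8.8.8:53 Relbel.no-ip.biz A -
8.8.8.8:53 Relbel.no-ip.biz A -
8.8.8.8:53 Relbel.no-ip.biz A -
8.8.8.8:53 81.144.22.2.in-addr.arpa PTR a2-22-144-81.deploy.static.akamaitechnologies.com
8.8.8.8:53 Relbel.no-ip.biz A -
8.8.8.8:53 Relbel.no-ip.biz A -
8.8.8.8:53 Relbel.no-ip.biz A -
8.8.8.8:53 Relbel.no-ip.biz A -
"""

# Illustrative subset (assumption) of free dynamic-DNS zones commonly
# used for RAT command-and-control.
DDNS_SUFFIXES = ("no-ip.biz", "no-ip.org", "no-ip.com", "ddns.net", "duckdns.org", "hopto.org")


def summarize(log):
    """Aggregate queries by (qname, qtype): how often asked, how often answered."""
    stats = defaultdict(lambda: {"queries": 0, "answered": 0})
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed or blank line
        _resolver, qname, qtype, answer = parts[:4]
        s = stats[(qname.lower().rstrip("."), qtype.upper())]
        s["queries"] += 1
        if answer != "-":
            s["answered"] += 1
    return stats


def is_ddns(qname):
    """True when qname is, or is under, one of the dynamic-DNS zones."""
    return any(qname == suf or qname.endswith("." + suf) for suf in DDNS_SUFFIXES)


def flag_beacons(stats, min_queries=5):
    """Return A-record names that look like C2 lookups: asked at least
    min_queries times and never resolved (offline or parked C2).
    PTR and one-off lookups are ignored to keep noise down."""
    flagged = []
    for (qname, qtype), s in stats.items():
        if qtype != "A" or s["answered"] or s["queries"] < min_queries:
            continue
        flagged.append({"qname": qname, "queries": s["queries"], "ddns": is_ddns(qname)})
    return sorted(flagged, key=lambda f: -f["queries"])


if __name__ == "__main__":
    for f in flag_beacons(summarize(SAMPLE_LOG)):
        tag = " [dynamic DNS]" if f["ddns"] else ""
        print(f"{f['qname']}: {f['queries']} unanswered A queries{tag}")
```

The `min_queries` floor matters in production logs, where a single NXDOMAIN for a typo is common; a name that fails dozens of times inside a couple of minutes, as Relbel.no-ip.biz does in the 148 s capture above, is a different thing, and the dynamic-DNS tag is what lifts it from "broken" to "block and hunt".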
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Downloads
- Filesize: 833KB
- MD5: d208ad20d240b437f84f6df7c87caee7
- SHA1: b595aff2cada2868a99e9df7d2856362c955d4dd
- SHA256: ab5ee538853974ccb6bc195c9488578f1217c05a6f2246bbda2304d9d2bc8a09
- SHA512: 43e22060459bfe329860dadd3f4c45a040b4e07dc5442336991ccdbf9fa40e23e03248af851e03f9a400b8d1bb303c7d32f11775abec80cd03e4d22a0af06396