Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/09/2024, 09:42
Behavioral task
behavioral1
- Sample: d60f8f55703f062edf65f86ab497d82b_JaffaCakes118.exe
- Resource: win7-20240708-en
General
- Target: d60f8f55703f062edf65f86ab497d82b_JaffaCakes118.exe
- Size: 102KB
- MD5: d60f8f55703f062edf65f86ab497d82b
- SHA1: 3f916d324d4e535d8c646093b7e67377b41e4bf8
- SHA256: 310889f9394bf282eb2ba6b9b35a0b7fdd26696bab528906f7bfc27b12759885
- SHA512: 4b75718cefc0f119522d93b871baa3fa30684725420caa23586cdeda909d9fc5a3dca6ae33e0367decd558850641a270deb12f7cff30e23163d6e81bcd732948
- SSDEEP: 3072:dquJJzb7fCLDilwA1K96YFAoutPdai7hRt:EuP+ewAK9xAoSPw0v
Malware Config
Signatures
- YARA rule match: upx (2 IoCs)
  resource: behavioral2/memory/1184-0-0x0000000000400000-0x0000000000436000-memory.dmp
  resource: behavioral2/memory/1184-2-0x0000000000400000-0x0000000000436000-memory.dmp
- Checks whether UAC is enabled
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (Process: d60f8f55703f062edf65f86ab497d82b_JaffaCakes118.exe)
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: d60f8f55703f062edf65f86ab497d82b_JaffaCakes118.exe)
- Enumerates system info in registry 2 TTPs 3 IoCs
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (Process: msedge.exe)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (Process: msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (Process: msedge.exe)
- Suspicious behavior: EnumeratesProcesses 10 IoCs
  PIDs: 1384 msedge.exe (x2), 2932 msedge.exe (x2), 5104 identity_helper.exe (x2), 4716 msedge.exe (x4)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
  PIDs: 2932 msedge.exe (x10)
- Suspicious use of FindShellTrayWindow 25 IoCs
  PIDs: 2932 msedge.exe (x25)
- Suspicious use of SendNotifyMessage 24 IoCs
  PIDs: 2932 msedge.exe (x24)
- Suspicious use of WriteProcessMemory 64 IoCs
  Repeated entries collapsed; source PID (process) -> target PID (procid_target):
  1184 (d60f8f55703f062edf65f86ab497d82b_JaffaCakes118.exe) -> 2932 (91)
  2932 (msedge.exe) -> 2972 (92)
  2932 (msedge.exe) -> 1076 (93)
  2932 (msedge.exe) -> 1384 (94)
  2932 (msedge.exe) -> 2872 (95)
Processes
- C:\Users\Admin\AppData\Local\Temp\d60f8f55703f062edf65f86ab497d82b_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d60f8f55703f062edf65f86ab497d82b_JaffaCakes118.exe"
  PID: 1184
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://download.citrixonline.com/failure.html?startMode=Join&theme=g2wus&locale=en_US&displayMode=Join&productName=g2m&cat=DLAppCommFailure
    PID: 2932
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa7bd546f8,0x7ffa7bd54708,0x7ffa7bd54718
      PID: 2972
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,1422425134759735206,17583271719566850135,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
      PID: 1076
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,1422425134759735206,17583271719566850135,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
      PID: 1384
      - Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,1422425134759735206,17583271719566850135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
      PID: 2872
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,1422425134759735206,17583271719566850135,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
      PID: 2092
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,1422425134759735206,17583271719566850135,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
      PID: 2876
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,1422425134759735206,17583271719566850135,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1992 /prefetch:1
      PID: 4756
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,1422425134759735206,17583271719566850135,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1
      PID: 2912
    - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,1422425134759735206,17583271719566850135,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3920 /prefetch:8
      PID: 2944
    - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,1422425134759735206,17583271719566850135,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3920 /prefetch:8
      PID: 5104
      - Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,1422425134759735206,17583271719566850135,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4044 /prefetch:1
      PID: 2656
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,1422425134759735206,17583271719566850135,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
      PID: 1604
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,1422425134759735206,17583271719566850135,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1
      PID: 4412
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,1422425134759735206,17583271719566850135,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2280 /prefetch:1
      PID: 2084
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,1422425134759735206,17583271719566850135,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3132 /prefetch:1
      PID: 708
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,1422425134759735206,17583271719566850135,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1292 /prefetch:1
      PID: 1132
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,1422425134759735206,17583271719566850135,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5000 /prefetch:2
      PID: 4716
      - Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 1712
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 5088
Network
MITRE ATT&CK Enterprise v15
Downloads