Analysis
  max time kernel: 149s
  max time network: 150s
  platform: windows10-2004_x64
  resource: win10v2004-20240802-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 11/09/2024, 15:27
Static task: static1

Behavioral task: behavioral1
  Sample: daa6da3107d7cd06c10c71b368023eae_JaffaCakes118.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: daa6da3107d7cd06c10c71b368023eae_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
  Target: daa6da3107d7cd06c10c71b368023eae_JaffaCakes118.exe
  Size: 115KB
  MD5: daa6da3107d7cd06c10c71b368023eae
  SHA1: 2b579e2c43a85410b4b1191e649520ce7b164240
  SHA256: febfb5b43a0d8319507ae58284664756f36741e6ff82052a083c39d0f1740d01
  SHA512: 0387a7d82cbadff1189f7215533161b601c59d3290c323264690a394897d9ff55c507d66caa9924e3f1b3dac06e6ced5589719c6592a481baf76e62174a02d9d
  SSDEEP: 3072:muLr2tEZ8XgQzxZlPI3r9XR5769JZ78hJa1:mYeNzBq4ara1
Malware Config
Signatures

Modifies Windows Firewall (2 TTPs, 1 IoC)
  pid | Process
  5100 | netsh.exe

Executes dropped EXE (1 IoC)
  pid | Process
  4348 | msserv.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msserv = "C:\\Windows\\msserv.exe" | daa6da3107d7cd06c10c71b368023eae_JaffaCakes118.exe

Drops file in Program Files directory (6 IoCs)
  description | ioc | Process
  File created | C:\Program Files\7-Zip\ | msserv.exe
  File opened for modification | C:\Program Files\AddSwitch.htm | msserv.exe
  File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\ | msserv.exe
  File created | C:\Program Files\Common Files\microsoft shared\ink\de-DE\ | msserv.exe
  File created | C:\Program Files\Common Files\microsoft shared\ink\en-US\ | msserv.exe
  File created | C:\Program Files\Common Files\microsoft shared\ink\es-ES\ | msserv.exe

Drops file in Windows directory (4 IoCs)
  description | ioc | Process
  File created | C:\Windows\msserv.exe | daa6da3107d7cd06c10c71b368023eae_JaffaCakes118.exe
  File opened for modification | C:\Windows\msserv.exe | daa6da3107d7cd06c10c71b368023eae_JaffaCakes118.exe
  File created | C:\Windows\msserv.config | msserv.exe
  File opened for modification | C:\Windows\msserv.config | msserv.exe
Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
  Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
  Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | w32tm.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | daa6da3107d7cd06c10c71b368023eae_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msserv.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | w32tm.exe
Suspicious use of WriteProcessMemory (16 IoCs)
  description | pid | Process | procid_target
  PID 4920 wrote to memory of 4348 | 4920 | daa6da3107d7cd06c10c71b368023eae_JaffaCakes118.exe | 83
  PID 4920 wrote to memory of 4348 | 4920 | daa6da3107d7cd06c10c71b368023eae_JaffaCakes118.exe | 83
  PID 4920 wrote to memory of 4348 | 4920 | daa6da3107d7cd06c10c71b368023eae_JaffaCakes118.exe | 83
  PID 4348 wrote to memory of 5100 | 4348 | msserv.exe | 84
  PID 4348 wrote to memory of 5100 | 4348 | msserv.exe | 84
  PID 4348 wrote to memory of 5100 | 4348 | msserv.exe | 84
  PID 4348 wrote to memory of 2912 | 4348 | msserv.exe | 85
  PID 4348 wrote to memory of 2912 | 4348 | msserv.exe | 85
  PID 4348 wrote to memory of 2912 | 4348 | msserv.exe | 85
  PID 4348 wrote to memory of 4900 | 4348 | msserv.exe | 86
  PID 4348 wrote to memory of 4900 | 4348 | msserv.exe | 86
  PID 4348 wrote to memory of 4900 | 4348 | msserv.exe | 86
  PID 2912 wrote to memory of 2948 | 2912 | w32tm.exe | 90
  PID 2912 wrote to memory of 2948 | 2912 | w32tm.exe | 90
  PID 4900 wrote to memory of 4444 | 4900 | w32tm.exe | 91
  PID 4900 wrote to memory of 4444 | 4900 | w32tm.exe | 91
Processes

level 1: C:\Users\Admin\AppData\Local\Temp\daa6da3107d7cd06c10c71b368023eae_JaffaCakes118.exe (PID 4920)
  command line: "C:\Users\Admin\AppData\Local\Temp\daa6da3107d7cd06c10c71b368023eae_JaffaCakes118.exe"
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  level 2: C:\Windows\msserv.exe (PID 4348)
    command line: "C:\Windows\msserv.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    level 3: C:\Windows\SysWOW64\netsh.exe (PID 5100)
      command line: netsh firewall set allowedprogram "C:\Windows\msserv.exe" enable
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery

    level 3: C:\Windows\SysWOW64\w32tm.exe (PID 2912)
      command line: w32tm /config /syncfromflags:manual /manualpeerlist:time.windows.com,time.nist.gov
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      level 4: C:\Windows\system32\w32tm.exe (PID 2948)
        command line: w32tm /config /syncfromflags:manual /manualpeerlist:time.windows.com,time.nist.gov

    level 3: C:\Windows\SysWOW64\w32tm.exe (PID 4900)
      command line: w32tm /config /update
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      level 4: C:\Windows\system32\w32tm.exe (PID 4444)
        command line: w32tm /config /update
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
Downloads

1. Filesize: 9KB
   MD5: 20a6c884ebfc28186ee9410b9d60852c
   SHA1: 87195388b985bed707cc153d1ac904a045f7998f
   SHA256: 27239ccf51b26f4443a66a17019229de3003b53055f9639e6096e56d48b36579
   SHA512: e2b972ee24b0e0a422af394b115feda8afe03f7c0451ba5306220040f727931070294c5f0b7152061fc7adc408bf3e70e279f857108f06ff645b7ef67137090c

2. Filesize: 3KB
   MD5: e6360a6334985ab7b36fd0ae039635ea
   SHA1: 5c4b90fd4f39a65e69f3d02aeb6fa336f4a0c01a
   SHA256: 1350fe714ddb2fecc5a13816a1e5944dd1b81a666e5d701f603ce1b73d2578cb
   SHA512: 8a79dea789116cd6175db3f3ea94c5b527e1564dc5a89e206211dac2b7825f158df5992780ad45ac73e68501a0813a2055397222359562191956618fa0e98852

3. Filesize: 47KB
   MD5: 195bea0a796b19d75a14f86fd6f40d2a
   SHA1: f26b782426cb09b4f16bda8bab1224faae227c3f
   SHA256: 79609a9f89580c44ed95ec2e17dbb592cfc2cdda3ead5d2c81fc49977d055898
   SHA512: 663bbab1db4be2986a8d8e1da692c87c41ab63fe6c0301757f5568534e9c687fbf6ea768ee609ca4b85ac1b089da5829a0c2d8cd3e8d8cc30c4e19b914090b0b

4. Filesize: 115KB
   MD5: daa6da3107d7cd06c10c71b368023eae
   SHA1: 2b579e2c43a85410b4b1191e649520ce7b164240
   SHA256: febfb5b43a0d8319507ae58284664756f36741e6ff82052a083c39d0f1740d01
   SHA512: 0387a7d82cbadff1189f7215533161b601c59d3290c323264690a394897d9ff55c507d66caa9924e3f1b3dac06e6ced5589719c6592a481baf76e62174a02d9d