Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
95s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
13/09/2024, 18:27
Static task
static1
Behavioral task
behavioral1
Sample
dea8f56582d91ae4605f7162a006aeae_JaffaCakes118.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
dea8f56582d91ae4605f7162a006aeae_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
dea8f56582d91ae4605f7162a006aeae_JaffaCakes118.exe
-
Size
144KB
-
MD5
dea8f56582d91ae4605f7162a006aeae
-
SHA1
96a38ffacfb0ac8a369ce03cffb6c1f2b4893fa6
-
SHA256
5f60950528295a7885e1241258ea283d44ea9f3960e8b62300e2231f340afd04
-
SHA512
2ba4e9e84e75828cfa5bbc5d1c0d16b2f308fb5ff4557dc8cee5550701a3f77be6ff6580249872205374c7d8156cb37fba8b7b4df892992508666009bf603b6a
-
SSDEEP
1536:/fQDBTn64E8RtIacmqWQuGMZ0jkLcDBTn64E8RtIacGDBTn64E8RtIacRjDKyEXd:3QDQ/0cd2jLwrecqOMpV+WR36rHuG
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe C:\\Windows\\system32\\drivers\\svchost.exe" svchost.exe -
Drops file in Drivers directory 3 IoCs
description ioc Process File created C:\Windows\SysWOW64\drivers\svchost.exe svchost.exe File opened for modification C:\Windows\SysWOW64\drivers\Setup.exe dea8f56582d91ae4605f7162a006aeae_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\drivers\svchost.exe dea8f56582d91ae4605f7162a006aeae_JaffaCakes118.exe -
Executes dropped EXE 2 IoCs
pid Process 1868 svchost.exe 1908 Setup.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\mmil.htm svchost.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dea8f56582d91ae4605f7162a006aeae_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Setup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe -
Kills process with taskkill 2 IoCs
pid Process 3488 taskkill.exe 1744 taskkill.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 3488 taskkill.exe Token: SeDebugPrivilege 1744 taskkill.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 4416 dea8f56582d91ae4605f7162a006aeae_JaffaCakes118.exe 1868 svchost.exe 1868 svchost.exe 1868 svchost.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 4416 wrote to memory of 3488 4416 dea8f56582d91ae4605f7162a006aeae_JaffaCakes118.exe 83 PID 4416 wrote to memory of 3488 4416 dea8f56582d91ae4605f7162a006aeae_JaffaCakes118.exe 83 PID 4416 wrote to memory of 3488 4416 dea8f56582d91ae4605f7162a006aeae_JaffaCakes118.exe 83 PID 4416 wrote to memory of 1868 4416 dea8f56582d91ae4605f7162a006aeae_JaffaCakes118.exe 84 PID 4416 wrote to memory of 1868 4416 dea8f56582d91ae4605f7162a006aeae_JaffaCakes118.exe 84 PID 4416 wrote to memory of 1868 4416 dea8f56582d91ae4605f7162a006aeae_JaffaCakes118.exe 84 PID 4416 wrote to memory of 1908 4416 dea8f56582d91ae4605f7162a006aeae_JaffaCakes118.exe 88 PID 4416 wrote to memory of 1908 4416 dea8f56582d91ae4605f7162a006aeae_JaffaCakes118.exe 88 PID 4416 wrote to memory of 1908 4416 dea8f56582d91ae4605f7162a006aeae_JaffaCakes118.exe 88 PID 4416 wrote to memory of 1744 4416 dea8f56582d91ae4605f7162a006aeae_JaffaCakes118.exe 89 PID 4416 wrote to memory of 1744 4416 dea8f56582d91ae4605f7162a006aeae_JaffaCakes118.exe 89 PID 4416 wrote to memory of 1744 4416 dea8f56582d91ae4605f7162a006aeae_JaffaCakes118.exe 89
Processes
-
C:\Users\Admin\AppData\Local\Temp\dea8f56582d91ae4605f7162a006aeae_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\dea8f56582d91ae4605f7162a006aeae_JaffaCakes118.exe"1⤵
- Drops file in Drivers directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4416 -
C:\Windows\SysWOW64\taskkill.exetaskkill /im teatimer.exe /f2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3488
-
-
C:\Windows\SysWOW64\drivers\svchost.exeC:\Windows\system32\drivers\svchost.exe2⤵
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1868
-
-
C:\Windows\SysWOW64\drivers\Setup.exeC:\Windows\system32\drivers\Setup.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1908
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im teatimer.exe /f2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1744
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
48KB
MD554370209b8485a8652aa0d28f98ebd30
SHA16c03a3003869bb062e55a428001cb36769869cc0
SHA2564a6f321d2f5ba8803eda2f12d7abf99681d023fe1c4e5677f425136836327526
SHA512085048823e7e250e284b1b9758bbc50d1762c9e33be89501845e48d6c322f63644f4b89ba91fdff85144556af002aee4729eea4ed41cb57461bf449bea151813
-
Filesize
56KB
MD55c749b6329c23b51ec2010d4769f124e
SHA163c4b66297efc2807bdb5d37131a552455f0c90a
SHA256cacc67a8acd397c9135876fef7d773ab4c465aa1dee07068eb20ceec358e7e96
SHA512abf0d7a64153f5c3e436524c8196229d074832de76862509d023d7bf2faa84a5b9fa6b2ef7f75d1fdddf4dd0260135730cd3c32dfce200edfd47cffc7a135e1a