Analysis
- max time kernel: 150s
- max time network: 127s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14/09/2024, 01:29
Static task: static1
Behavioral task: behavioral1
- Sample: df3fb2c15e36af2b6b67f6ecfeaaec46_JaffaCakes118.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: df3fb2c15e36af2b6b67f6ecfeaaec46_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: df3fb2c15e36af2b6b67f6ecfeaaec46_JaffaCakes118.exe
- Size: 387KB
- MD5: df3fb2c15e36af2b6b67f6ecfeaaec46
- SHA1: 24d2161fb83be33c4748f2793cb5dc483ebaf458
- SHA256: 97c1ca80e98539d2e324be429b9e676c75a16239c659a0bddb81ac237e470a23
- SHA512: a387287dcd4ee8b027a3f8e85c23e54410fa98cbeae912fe1d0b4513413ca0245e78e21adea62d928db2fe2d911ab0450c26fdc6586499256315d160db9d7869
- SSDEEP: 6144:QjuaGqzs3cqshdPANuGX/LK7XI7by/3fHHiItUsSbDKb3OstxiBr6hRjFBWi:QKjL3iQuWDK74/cHz4QDiB+hRGi
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid | Process
  2468 | cI01805IaOgO01805.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  2468 | cI01805IaOgO01805.exe
- yara_rule matches in memory dumps (5 IoCs, rule: upx)
  resource | yara_rule
  behavioral2/memory/408-1-0x0000000000400000-0x00000000004C0000-memory.dmp | upx
  behavioral2/memory/408-14-0x0000000000400000-0x00000000004C0000-memory.dmp | upx
  behavioral2/memory/2468-16-0x0000000000400000-0x00000000004C0000-memory.dmp | upx
  behavioral2/memory/2468-24-0x0000000000400000-0x00000000004C0000-memory.dmp | upx
  behavioral2/memory/2468-31-0x0000000000400000-0x00000000004C0000-memory.dmp | upx
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cI01805IaOgO01805 = "C:\\ProgramData\\cI01805IaOgO01805\\cI01805IaOgO01805.exe" | cI01805IaOgO01805.exe
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | df3fb2c15e36af2b6b67f6ecfeaaec46_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cI01805IaOgO01805.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  408 | df3fb2c15e36af2b6b67f6ecfeaaec46_JaffaCakes118.exe (2 entries)
  2468 | cI01805IaOgO01805.exe (remaining 62 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 408 | df3fb2c15e36af2b6b67f6ecfeaaec46_JaffaCakes118.exe
  Token: SeDebugPrivilege | 2468 | cI01805IaOgO01805.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid | Process
  2468 | cI01805IaOgO01805.exe
  2468 | cI01805IaOgO01805.exe
- Suspicious use of SendNotifyMessage (2 IoCs)
  pid | Process
  2468 | cI01805IaOgO01805.exe
  2468 | cI01805IaOgO01805.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  2468 | cI01805IaOgO01805.exe
  2468 | cI01805IaOgO01805.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 408 wrote to memory of 2468 | 408 | df3fb2c15e36af2b6b67f6ecfeaaec46_JaffaCakes118.exe | 93
  PID 408 wrote to memory of 2468 | 408 | df3fb2c15e36af2b6b67f6ecfeaaec46_JaffaCakes118.exe | 93
  PID 408 wrote to memory of 2468 | 408 | df3fb2c15e36af2b6b67f6ecfeaaec46_JaffaCakes118.exe | 93
Processes
- C:\Users\Admin\AppData\Local\Temp\df3fb2c15e36af2b6b67f6ecfeaaec46_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\df3fb2c15e36af2b6b67f6ecfeaaec46_JaffaCakes118.exe"
  PID: 408
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child: C:\ProgramData\cI01805IaOgO01805\cI01805IaOgO01805.exe
    Command line: "C:\ProgramData\cI01805IaOgO01805\cI01805IaOgO01805.exe" "C:\Users\Admin\AppData\Local\Temp\df3fb2c15e36af2b6b67f6ecfeaaec46_JaffaCakes118.exe"
    PID: 2468
    - Deletes itself
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4188,i,8293235976513689021,7261015831736501466,262144 --variations-seed-version --mojo-platform-channel-handle=4112 /prefetch:8
  PID: 1664
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 387KB
- MD5: f19db5f0b157d9ff4e66ec4ddc7a7467
- SHA1: 066728b6a7b9ccd83923e197fb2e08a8b59c9b3f
- SHA256: 97583b3803b1292680d68e38fd0bef43cf74c03b53b611ccc151738b8c6c5b31
- SHA512: b6cf6edd655d023ca12bbad01b529dfb3798d7315028b873d6a604f32af97d0438b587abe590579c87b9f089ac3c21b95b045f06c589ac954b8325ac430c02ac