Windows 7 deprecation: Windows 7 will be removed from tria.ge on 2025-03-31.
Analysis
- max time kernel: 100s
- max time network: 105s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15/09/2024, 06:39

Static task: static1
Behavioral task: behavioral1
Sample: e1e8346ff1d31ae330cb44c91541cd5a_JaffaCakes118.exe
Resource: win7-20240903-en
General
- Target: e1e8346ff1d31ae330cb44c91541cd5a_JaffaCakes118.exe
- Size: 11.4MB
- MD5: e1e8346ff1d31ae330cb44c91541cd5a
- SHA1: 6c798b54cc3d1291f0b8295e9283d4a0475876ad
- SHA256: 0f11eb03b72c4111f98ddbde874a09707e663ed3b420b0faa23e66042f37fceb
- SHA512: ea915a3a2ae8bae8b306208dc26bd4fea480730b0f6070638f8457a6badb954192ea7ec7ed23c21d40359e423bdf3acc15c28dc531b62ca1ad5fc81ab705111f
- SSDEEP: 196608:UTwx42RPPBdebEm1iWWHc1SUX6apg3ZhncrJPm59vzgO8L1vsqFRUo7t/IbsCTMs:UaRPiGWW8sUtu/Am5q91vsqFRn5AACTN
Malware Config
Signatures

- Enumerates VirtualBox registry keys (2 TTPs, 5 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService | 93A5.tmp
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF | 93A5.tmp
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo | 93A5.tmp
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest | 93A5.tmp
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse | 93A5.tmp

- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__ | 93A5.tmp
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__ | 93A5.tmp
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 93A5.tmp

- Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions | 93A5.tmp

- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 93A5.tmp
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 93A5.tmp

- Executes dropped EXE (6 IoCs)
  pid | Process
  1252 | 92AB.tmp
  1172 | 93A5.tmp
  1280 | 93D5.tmp
  1828 | 93A5.tmp
  4312 | 93A5.tmp
  4816 | 93D5.tmp

- Loads dropped DLL (1 IoC)
  pid | Process
  1172 | 93A5.tmp

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

- Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  description | ioc | Process
  File opened for modification | \??\PhysicalDrive0 | 93A5.tmp

- Checks system information in the registry (2 TTPs, 1 IoC)
  System information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | 93A5.tmp

- Checks for VirtualBox DLLs, possible anti-VM trick (1 TTP, 1 IoC)
  Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
  description | ioc | Process
  File opened (read-only) | \??\VBoxMiniRdrDN | 93A5.tmp

- Drops file in Windows directory (1 IoC)
  description | ioc | Process
  File created | C:\Windows\fonts\pns.ttf | 93A5.tmp

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 93D5.tmp
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 93A5.tmp
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 93A5.tmp
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 93D5.tmp
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e1e8346ff1d31ae330cb44c91541cd5a_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 92AB.tmp
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 93A5.tmp

- Modifies data under HKEY_USERS (3 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\chst | 93D5.tmp
  Key created | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\chst | 93D5.tmp
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\chst | 93D5.tmp

- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  4312 | 93A5.tmp
  4312 | 93A5.tmp
  4312 | 93A5.tmp
  4312 | 93A5.tmp

- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description | pid | Process
  Token: SeTakeOwnershipPrivilege | 1172 | 93A5.tmp
  Token: SeRestorePrivilege | 1172 | 93A5.tmp
  Token: SeDebugPrivilege | 1172 | 93A5.tmp
  Token: SeTakeOwnershipPrivilege | 4312 | 93A5.tmp
  Token: SeRestorePrivilege | 4312 | 93A5.tmp
  Token: SeDebugPrivilege | 4312 | 93A5.tmp

- Suspicious use of FindShellTrayWindow (3 IoCs)
  pid | Process
  1172 | 93A5.tmp
  1172 | 93A5.tmp
  1172 | 93A5.tmp

- Suspicious use of SendNotifyMessage (3 IoCs)
  pid | Process
  1172 | 93A5.tmp
  1172 | 93A5.tmp
  1172 | 93A5.tmp

- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  1172 | 93A5.tmp
  1172 | 93A5.tmp

- Suspicious use of WriteProcessMemory (15 IoCs)
  description | pid | Process | procid_target
  PID 1488 wrote to memory of 1252 | 1488 | e1e8346ff1d31ae330cb44c91541cd5a_JaffaCakes118.exe | 86
  PID 1488 wrote to memory of 1252 | 1488 | e1e8346ff1d31ae330cb44c91541cd5a_JaffaCakes118.exe | 86
  PID 1488 wrote to memory of 1252 | 1488 | e1e8346ff1d31ae330cb44c91541cd5a_JaffaCakes118.exe | 86
  PID 1252 wrote to memory of 1172 | 1252 | 92AB.tmp | 87
  PID 1252 wrote to memory of 1172 | 1252 | 92AB.tmp | 87
  PID 1252 wrote to memory of 1172 | 1252 | 92AB.tmp | 87
  PID 1252 wrote to memory of 1280 | 1252 | 92AB.tmp | 88
  PID 1252 wrote to memory of 1280 | 1252 | 92AB.tmp | 88
  PID 1252 wrote to memory of 1280 | 1252 | 92AB.tmp | 88
  PID 1172 wrote to memory of 1828 | 1172 | 93A5.tmp | 95
  PID 1172 wrote to memory of 1828 | 1172 | 93A5.tmp | 95
  PID 1172 wrote to memory of 1828 | 1172 | 93A5.tmp | 95
  PID 1172 wrote to memory of 4312 | 1172 | 93A5.tmp | 96
  PID 1172 wrote to memory of 4312 | 1172 | 93A5.tmp | 96
  PID 1172 wrote to memory of 4312 | 1172 | 93A5.tmp | 96
Processes

- C:\Users\Admin\AppData\Local\Temp\e1e8346ff1d31ae330cb44c91541cd5a_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e1e8346ff1d31ae330cb44c91541cd5a_JaffaCakes118.exe"
  PID: 1488
  Signatures:
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\92AB.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\92AB.tmp"
    PID: 1252
    Signatures:
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    - C:\Users\Admin\AppData\Local\Temp\93A5.tmp
      Command line: "C:\Users\Admin\AppData\Local\Temp\93A5.tmp"
      PID: 1172
      Signatures:
      - Executes dropped EXE
      - Loads dropped DLL
      - Writes to the Master Boot Record (MBR)
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      - C:\Users\Admin\AppData\Local\Temp\93A5.tmp
        Command line: "C:\Users\Admin\AppData\Local\Temp\93A5.tmp" /test
        PID: 1828
        Signatures:
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

      - C:\Users\Admin\AppData\Local\Temp\93A5.tmp
        Command line: "C:\Users\Admin\AppData\Local\Temp\93A5.tmp" /restart /util
        PID: 4312
        Signatures:
        - Enumerates VirtualBox registry keys
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Looks for VirtualBox Guest Additions in registry
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Checks system information in the registry
        - Checks for VirtualBox DLLs, possible anti-VM trick
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    - C:\Users\Admin\AppData\Local\Temp\93D5.tmp
      Command line: "C:\Users\Admin\AppData\Local\Temp\93D5.tmp" "install"
      PID: 1280
      Signatures:
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

- C:\Users\Admin\AppData\Local\Temp\93D5.tmp
  Command line: "C:\Users\Admin\AppData\Local\Temp\93D5.tmp" run
  PID: 4816
  Signatures:
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads