Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
19/09/2024, 05:46
Static task
static1
Behavioral task
behavioral1
Sample
eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
-
Size
192KB
-
MD5
eab2950521e2e17f90c87bcb847cd3bd
-
SHA1
a2568f39a3c05d4f720ac39cc71dd4cffec13f34
-
SHA256
7e502264237f15a7caf41517a953083b8394e7c1550d64af01a94bae5d25117a
-
SHA512
94d704cf15e080f7c8851ee2a7dc6d114af67bdd15556333e71b838bf2b34ebabd3138f4855450cceae2a72b6bdd7e9216628011d63c1497a8d2cf8352117028
-
SSDEEP
6144:LnXWx4wSizY9r4BlDqFVhbdfq351C2lF/cQ:LnXWKwSCkcBlOF3b1t2L
Malware Config
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Z: eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened (read-only) \??\H: eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened (read-only) \??\L: eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened (read-only) \??\M: eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened (read-only) \??\V: eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened (read-only) \??\W: eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened (read-only) \??\Y: eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened (read-only) \??\E: eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened (read-only) \??\J: eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened (read-only) \??\N: eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened (read-only) \??\R: eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened (read-only) \??\K: eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened (read-only) \??\P: eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened (read-only) \??\Q: eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened (read-only) \??\X: eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened (read-only) \??\T: eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened (read-only) \??\U: eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened (read-only) \??\G: eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened (read-only) \??\I: eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened (read-only) \??\O: eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened (read-only) \??\S: eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe -
Drops file in System32 directory 27 IoCs
description ioc Process File opened for modification \??\c:\windows\SysWOW64\vds.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification \??\c:\windows\SysWOW64\sensordataservice.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification \??\c:\windows\SysWOW64\snmptrap.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification \??\c:\windows\SysWOW64\Agentservice.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification \??\c:\windows\SysWOW64\dllhost.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification \??\c:\windows\SysWOW64\diagsvcs\diagnosticshub.standardcollector.service.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification \??\c:\windows\SysWOW64\openssh\ssh-agent.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification \??\c:\windows\SysWOW64\svchost.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File created \??\c:\windows\SysWOW64\msiexec.vir eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification \??\c:\windows\SysWOW64\wbem\wmiApsrv.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification \??\c:\windows\SysWOW64\fxssvc.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification \??\c:\windows\SysWOW64\msdtc.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification \??\c:\windows\SysWOW64\perceptionsimulation\perceptionsimulationservice.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification \??\c:\windows\SysWOW64\locator.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification \??\c:\windows\SysWOW64\wbengine.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification \??\c:\windows\SysWOW64\searchindexer.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification \??\c:\windows\SysWOW64\lsass.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification \??\c:\windows\SysWOW64\perfhost.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification \??\c:\windows\SysWOW64\tieringengineservice.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification \??\c:\windows\SysWOW64\alg.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification \??\c:\windows\SysWOW64\msiexec.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification \??\c:\windows\SysWOW64\vssvc.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification \??\c:\windows\SysWOW64\Appvclient.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification \??\c:\windows\SysWOW64\sgrmbroker.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification \??\c:\windows\SysWOW64\spectrum.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.vir eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Java\jdk-1.8\bin\jcmd.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jmap.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstat.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\klist.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\kinit.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\serialver.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\java-rmi.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\jjs.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification \??\c:\program files\google\chrome\Application\123.0.6312.123\elevation_service.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification C:\Program Files\7-Zip\7z.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\java.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification C:\Program Files\Internet Explorer\ielowutil.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\javacpl.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\orbd.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification C:\Program Files\7-Zip\7zG.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jconsole.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\javaws.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\javaws.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate64.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\javac.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\tnameserv.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File created C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.vir eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\mip.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jdb.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jhat.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification C:\Program Files\Internet Explorer\ExtExport.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\javap.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification \??\c:\program files\common files\microsoft shared\source engine\ose.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\java.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jjs.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\pack200.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstatd.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File created C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.vir eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\javapackager.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\servertool.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\ssvagent.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\javaw.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\policytool.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\GRAPH.EXE eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeTakeOwnershipPrivilege 3168 eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe"1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3168
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
567KB
MD59bb6c5c8dc427b491a9de968f5c2a851
SHA1a41b0aca56dff8c9a5c65d1746e88167ebfec11b
SHA2561943257d484e69b65e789b65409436add7a4a68ccb098a50eef25c9104d9ccae
SHA512bde893fc48cb815f7868c61ac153516c9fb6dddb5f7dc8570af7081bbcabd382f46e982cc3e92b1649a21f3e2ffe38ce2c5cb31837e384825eb8e49f586f197f
-
Filesize
202KB
MD5fd4ef7edc197284fdcca0d3e804e2420
SHA17045b79048e46ceb414f6079cd4c0f114c213170
SHA2566b6d1126f8a8eb45b6820410cdc8102d8917139fa98a8ec5b96ba7967e591541
SHA512554b51c0006957075efcad20c6798551d277bb45b04d0f36f346e4d26f57cc9f16369e1a28ae9c91e12bbca0041776e3a373cecb39b11b2c67bb8c781c591864