Analysis

  max time kernel:   141s
  max time network:  148s
  platform:          windows10-2004_x64
  resource:          win10v2004-20240802-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         19/09/2024, 05:53
Behavioral tasks

  behavioral1
    Sample:    eab4ea5c7ebd0271f2f8b0e27ec91961_JaffaCakes118.exe
    Resource:  win7-20240704-en

  behavioral2
    Sample:    eab4ea5c7ebd0271f2f8b0e27ec91961_JaffaCakes118.exe
    Resource:  win10v2004-20240802-en

The signatures, memory dumps and process tree on this page come from the behavioral2 (Windows 10) run; every resource path below is prefixed behavioral2/.
General

  Target:  eab4ea5c7ebd0271f2f8b0e27ec91961_JaffaCakes118.exe
  Size:    3.5MB
  MD5:     eab4ea5c7ebd0271f2f8b0e27ec91961
  SHA1:    3ecad10c9de1c5f5ef8eb10c95af01f69f61edae
  SHA256:  b4ed6d871e7ba08ec4c99e0923268f531c14da34b4c178e0740f2c1e8a204fcb
  SHA512:  0da3644baf6a5b1fe50e48e6de694216f80a125be02aaa18dba1f454bb85e88ce04f8dd23321e609113f5c45671823752930d02e26e37c61e4eb0b3e1ef3d9a9
  SSDEEP:  98304:2mGJ64NQWdEB+x28el/WRv0BJC6eypFOKdNVPstYyShZvp+76J4:2mYnU+08ecWCHOFOKdDUtlmyZ
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.

  description        ioc                                                                                                      Process
  Key value queried  \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation  eab4ea5c7ebd0271f2f8b0e27ec91961_JaffaCakes118.exe

The Nation value is the user's GeoID (the location chosen in Region settings), and it is queried here by the top-level dropper itself (PID 3140). It lives under the user's hive, not HKLM, so it reflects what the user configured rather than the installed system locale, and it can be changed freely, which is the simplest way to test whether the sample gates its behaviour on it.
Executes dropped EXE (7 IoCs)

  pid   Process
  5076  SD1.4.0.672_Setup.exe
  3432  QQ.exe
  2240  Setup.exe
  5024  Esseeg.exe
  4640  Setup_x64.exe
  1376  Setup.exe
  1344  Esseeg.exe

YARA rule match: upx (8 IoCs)

  resource                                                                     yara_rule
  behavioral2/memory/3140-0-0x0000000000400000-0x000000000041C000-memory.dmp   upx
  behavioral2/files/0x00070000000234eb-22.dat                                  upx
  behavioral2/memory/3140-25-0x0000000000400000-0x000000000041C000-memory.dmp  upx
  behavioral2/memory/3432-23-0x0000000000400000-0x0000000000492000-memory.dmp  upx
  behavioral2/memory/1344-84-0x0000000000400000-0x0000000000492000-memory.dmp  upx
  behavioral2/memory/3432-83-0x0000000000400000-0x0000000000492000-memory.dmp  upx
  behavioral2/memory/5024-89-0x0000000000400000-0x0000000000492000-memory.dmp  upx
  behavioral2/memory/1344-92-0x0000000000400000-0x0000000000492000-memory.dmp  upx

The rule hits one dropped file and the image regions of four processes. The dumped region for PID 3140 (the submitted sample) is 0x400000-0x41C000, i.e. 0x1C000 bytes (112KB), while the file on disk is 3.5MB, so the bulk of the file is not part of the mapped PE image; an overlay carrying the files it writes to Temp\Temp\ (SD1.4.0.672_Setup.exe and QQ.exe) is the usual explanation. QQ.exe (PID 3432) and both Esseeg.exe instances (PIDs 5024 and 1344) map the identical 0x400000-0x492000 range, consistent with Esseeg.exe being the copy of QQ.exe written under Program Files (x86)\Microsoft Auqauy\ (see "Drops file in Program Files directory").
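The UPX rule and the dump ranges above can be cross-checked statically on the dropped files. The following is an added example (not tria.ge's code; standard library only): it parses the PE header, derives ImageBase..ImageBase+SizeOfImage so that it can be compared with the <pid>-<n>-<start>-<end>-memory.dmp names, flags the stock UPX section layout, and measures the overlay past the last section. The build_test_pe helper and the section layout it is fed are constructed test data, not the real headers of this sample.

```python
import struct

def parse_pe(data):
    """Stdlib-only PE header parser: machine, image range and section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                       # PE32
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                     # PE32+
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    sections, off = [], opt + opt_size
    for _ in range(nsect):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "vaddr": vaddr, "rawsize": rawsize, "rawptr": rawptr})
        off += 40
    return {"machine": machine, "image_base": image_base,
            "size_of_image": size_of_image, "sections": sections}

def image_range(pe):
    """(start, end) of the mapped image, the range a sandbox dumps as <pid>-<n>-<start>-<end>-memory.dmp."""
    return pe["image_base"], pe["image_base"] + pe["size_of_image"]

def matches_dump(pe, dump_name):
    """True if a dump name such as '3140-0-0x0000000000400000-0x000000000041C000-memory.dmp' covers exactly this image."""
    parts = dump_name.split("-")
    return (int(parts[2], 16), int(parts[3], 16)) == image_range(pe)

def upx_indicators(pe):
    """Static hints of UPX-style packing; returns the reasons that fired."""
    reasons = []
    upx_names = [s["name"] for s in pe["sections"] if s["name"].startswith("UPX")]
    if upx_names:
        reasons.append("sections named %s" % ",".join(upx_names))
    if pe["sections"]:
        first = pe["sections"][0]
        # Stock UPX layout: the first section has no bytes on disk but reserves
        # the virtual space the unpacked image is written into at run time.
        if first["rawsize"] == 0 and first["vsize"] >= 0x1000:
            reasons.append("first section %s: 0 raw bytes, 0x%x virtual" % (first["name"], first["vsize"]))
    return reasons

def overlay_size(data, pe):
    """Bytes past the end of the last section's raw data (appended payloads live here)."""
    end = max((s["rawptr"] + s["rawsize"] for s in pe["sections"]), default=0)
    return max(0, len(data) - end)

def build_test_pe(image_base, size_of_image, sections):
    """Construct a minimal, non-runnable PE32 image for testing (constructed data, not a real sample).
    sections: list of (name, vsize, vaddr, rawsize, rawptr)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 224                            # PE32 optional header incl. 16 data directories
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<I", opt, 56, size_of_image)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), vs, va, rs, rp, 0, 0, 0, 0, 0)
                     for n, vs, va, rs, rp in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + table

if __name__ == "__main__":
    import sys
    raw = open(sys.argv[1], "rb").read()
    pe = parse_pe(raw)
    print("image 0x%x-0x%x, overlay %d bytes, upx: %s"
          % (*image_range(pe), overlay_size(raw, pe), upx_indicators(pe)))
```

Run it against the extracted sample or any of the downloads listed at the end of the report; a small image range next to a multi-megabyte file with a large overlay is the dropper-stub pattern seen for PID 3140.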
Enumerates connected drives (3 TTPs, 22 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.

  File opened (read-only) by Setup.exe (PID 1376, the C:\Users\Admin\AppData\Local\Temp\7z782DB220\Setup.exe instance), one row per drive letter:
    \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:

Every letter from E: to Z: is probed (D: is not). The signal is the sweep of all possible root paths by one process, not any single open, which is how it should be detected.
Creates a Windows Service
Drops file in System32 directory (12 IoCs)

  File opened for modification by Esseeg.exe:
    C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft
    C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache
    C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content
    C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475
    C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CF14D1855652602540DFCFECD21854DB_8C1AD9434E0E1576771CA7E7EAD43D9E
    C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
    C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475
    C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CF14D1855652602540DFCFECD21854DB_8C1AD9434E0E1576771CA7E7EAD43D9E
    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5
    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5
    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE
    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies

All twelve paths sit under SysWOW64\config\systemprofile, the profile used by 32-bit code running as LocalSystem. Together with "Creates a Windows Service" and the .DEFAULT hive writes below, this is consistent with the second Esseeg.exe instance (PID 1344) running as a service. The files themselves are WinINet and CryptoAPI cache artifacts (CryptnetUrlCache, INetCache, INetCookies, History.IE5), the side effects of an HTTP request and of certificate chain or revocation fetches, not payloads; the interesting question they raise is what the process connected to.
Drops file in Program Files directory (2 IoCs)

  description                   ioc                                                 Process
  File created                  C:\Program Files (x86)\Microsoft Auqauy\Esseeg.exe  QQ.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Auqauy\Esseeg.exe  QQ.exe

The write into Program Files (x86) succeeded, so QQ.exe (PID 3432) ran with an elevated token in this sandbox; on a host with UAC enforced the same drop would need a prompt or a bypass. The directory name imitates a vendor folder (Microsoft followed by a random-looking word), and the dropped binary is the one that later runs as a service.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Esseeg.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Setup.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Setup_x64.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Esseeg.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  eab4ea5c7ebd0271f2f8b0e27ec91961_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  SD1.4.0.672_Setup.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  QQ.exe

This signature is noisy: NLS\Language is read by ordinary locale-aware code, and here it fires on seven of the eight processes in the run, including the Setup.exe/Setup_x64.exe installer chain. On its own it is weak evidence; the per-user Geo\Nation query by PID 3140 above is the stronger geofence indicator.
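The four behaviours above (the Geo\Nation query, the drive-letter sweep, the executable dropped into Program Files, and the noisy NLS\Language lookup) can be turned into detection logic. The following is an added example and not tria.ge's own signature code; the event records are constructed from this report's IoCs in a generic sandbox/ETW shape (op, pid, image, target). It adds one qualifier the report's signatures do not have, "process image lives under AppData\Local\Temp", to cut the noise on the language lookup. One caveat worth knowing: Sysmon logs the FileCreate (event 11) but does not record registry value reads, so the Geo\Nation and NLS lookups are only visible in a sandbox trace or via the kernel-registry ETW provider.

```python
import re
from collections import defaultdict

# Constructed telemetry derived from this report's IoCs (not a real log capture).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\eab4ea5c7ebd0271f2f8b0e27ec91961_JaffaCakes118.exe"
QQ = r"C:\Users\Admin\AppData\Local\Temp\Temp\QQ.exe"
SETUP = r"C:\Users\Admin\AppData\Local\Temp\7z782DB220\Setup.exe"
ESSEEG = r"C:\Program Files (x86)\Microsoft Auqauy\Esseeg.exe"
GEO_KEY = r"\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation"
NLS_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"

EVENTS = [
    {"op": "RegQueryValue", "pid": 3140, "image": SAMPLE, "target": GEO_KEY},
    {"op": "RegOpenKey", "pid": 3140, "image": SAMPLE, "target": NLS_KEY},
    {"op": "RegOpenKey", "pid": 1344, "image": ESSEEG, "target": NLS_KEY},   # not from Temp: ignored
    {"op": "FileCreate", "pid": 3432, "image": QQ, "target": ESSEEG},
    # Benign control (constructed): explorer.exe reading the same value must not fire.
    {"op": "RegQueryValue", "pid": 777, "image": r"C:\Windows\explorer.exe", "target": GEO_KEY},
] + [{"op": "FileOpen", "pid": 1376, "image": SETUP, "target": r"\??\%s:" % c}
     for c in "EFGHIJKLMNOPQRSTUVWXYZ"]

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
GEO_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
NLS_RE = re.compile(r"\\Control\\NLS\\Language$", re.I)
DRIVE_RE = re.compile(r"^\\\?\?\\([D-Z]):$", re.I)
PF_EXE_RE = re.compile(r"^C:\\Program Files( \(x86\))?\\.+\.exe$", re.I)

# Weights are an assumption for illustration: the user-hive geofence read and the
# Program Files drop are rarer than the NLS lookup, which almost everything does.
WEIGHTS = {"geofence_lookup": 3, "program_files_exe_drop": 2, "drive_sweep": 2, "language_lookup": 1}

def runs_from_temp(ev):
    return bool(TEMP_RE.search(ev["image"]))

def detect(events, drive_threshold=5):
    """Return (rule, pid, detail) findings. The drive sweep is a per-process
    aggregate: many distinct root paths opened by one pid, not one open."""
    findings = []
    drives = defaultdict(set)
    for ev in events:
        op, t = ev["op"], ev["target"]
        if op == "RegQueryValue" and GEO_RE.search(t) and runs_from_temp(ev):
            findings.append(("geofence_lookup", ev["pid"], t))
        elif op == "RegOpenKey" and NLS_RE.search(t) and runs_from_temp(ev):
            findings.append(("language_lookup", ev["pid"], t))
        elif op == "FileCreate" and PF_EXE_RE.match(t) and runs_from_temp(ev):
            findings.append(("program_files_exe_drop", ev["pid"], t))
        elif op == "FileOpen":
            m = DRIVE_RE.match(t)
            if m:
                drives[ev["pid"]].add(m[1].upper())
    for pid, letters in sorted(drives.items()):
        if len(letters) >= drive_threshold:
            findings.append(("drive_sweep", pid, "".join(sorted(letters))))
    return findings

def score(findings):
    return sum(WEIGHTS[rule] for rule, _, _ in findings)

if __name__ == "__main__":
    found = detect(EVENTS)
    for rule, pid, detail in found:
        print("%-24s pid=%-5d %s" % (rule, pid, detail))
    print("score:", score(found))
```

The "launched from Temp" qualifier is what keeps the language rule from firing on the Program Files copy of Esseeg.exe and on explorer.exe; drop it if the telemetry source already carries a process-reputation field you can use instead.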
Modifies data under HKEY_USERS (9 IoCs)

  description      ioc                                                                                                              Process
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                     Esseeg.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   Esseeg.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"   Esseeg.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"  Esseeg.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  Esseeg.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     Esseeg.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing   Esseeg.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix  Esseeg.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    Esseeg.exe

.DEFAULT is the hive LocalSystem uses, and the keys written are the ones WinINet and the Authenticode trust provider initialise on first use in a profile (the ZoneMap values are the defaults WinINet writes, not an attacker-chosen policy). Read together with the systemprofile cache files above, this is Esseeg.exe making a network request as a service, not persistence or a proxy change; the persistence is the service itself.
Suspicious use of AdjustPrivilegeToken (1 IoC)

  description              pid   Process
  Token: SeDebugPrivilege  3432  QQ.exe

Suspicious use of SetWindowsHookEx (5 IoCs)

  pid   Process
  3432  QQ.exe
  5024  Esseeg.exe
  1376  Setup.exe
  1376  Setup.exe
  1344  Esseeg.exe

Suspicious use of WriteProcessMemory (17 IoCs)
Every row is a write by a process into one of its own children as shown in the Processes tree, the pattern process creation itself produces, rather than injection into a foreign process. Grouped by parent/child pair, with tria.ge's procid_target index and the number of raw rows:

  parent pid  parent process                                      child pid  child process          procid_target  rows
  3140        eab4ea5c7ebd0271f2f8b0e27ec91961_JaffaCakes118.exe  5076       SD1.4.0.672_Setup.exe  82             3
  3140        eab4ea5c7ebd0271f2f8b0e27ec91961_JaffaCakes118.exe  3432       QQ.exe                 83             3
  5076        SD1.4.0.672_Setup.exe                               2240       Setup.exe              84             3
  2240        Setup.exe                                           4640       Setup_x64.exe          86             3
  4640        Setup_x64.exe                                       1376       Setup.exe              87             2
  5024        Esseeg.exe                                          1344       Esseeg.exe             88             3

Nothing writes into PID 3140 (the submitted sample) or into PID 5024 (the first Esseeg.exe instance), so both are roots of the process tree below. SeDebugPrivilege is enabled only by QQ.exe, the same process that drops Esseeg.exe.
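The parent/child structure can be recovered mechanically from the WriteProcessMemory table. The following is an added example, not tria.ge code: it parses the rows as pasted from the table above, collapses the repeated rows per pair, identifies the roots, and prints an indented tree. The child names are taken from the "Executes dropped EXE" table; a dropped executable that is itself a root (here PID 5024) had its parent outside the traced tree, which is what a service start looks like from inside the sandbox.

```python
import re
from collections import defaultdict

# Input: the 17 rows of this report's "Suspicious use of WriteProcessMemory"
# table in tria.ge's flattened text form (description, pid, Process, procid_target).
WPM_ROWS = """
PID 3140 wrote to memory of 5076 3140 eab4ea5c7ebd0271f2f8b0e27ec91961_JaffaCakes118.exe 82
PID 3140 wrote to memory of 5076 3140 eab4ea5c7ebd0271f2f8b0e27ec91961_JaffaCakes118.exe 82
PID 3140 wrote to memory of 5076 3140 eab4ea5c7ebd0271f2f8b0e27ec91961_JaffaCakes118.exe 82
PID 3140 wrote to memory of 3432 3140 eab4ea5c7ebd0271f2f8b0e27ec91961_JaffaCakes118.exe 83
PID 3140 wrote to memory of 3432 3140 eab4ea5c7ebd0271f2f8b0e27ec91961_JaffaCakes118.exe 83
PID 3140 wrote to memory of 3432 3140 eab4ea5c7ebd0271f2f8b0e27ec91961_JaffaCakes118.exe 83
PID 5076 wrote to memory of 2240 5076 SD1.4.0.672_Setup.exe 84
PID 5076 wrote to memory of 2240 5076 SD1.4.0.672_Setup.exe 84
PID 5076 wrote to memory of 2240 5076 SD1.4.0.672_Setup.exe 84
PID 2240 wrote to memory of 4640 2240 Setup.exe 86
PID 2240 wrote to memory of 4640 2240 Setup.exe 86
PID 2240 wrote to memory of 4640 2240 Setup.exe 86
PID 4640 wrote to memory of 1376 4640 Setup_x64.exe 87
PID 4640 wrote to memory of 1376 4640 Setup_x64.exe 87
PID 5024 wrote to memory of 1344 5024 Esseeg.exe 88
PID 5024 wrote to memory of 1344 5024 Esseeg.exe 88
PID 5024 wrote to memory of 1344 5024 Esseeg.exe 88
"""

# Names of the child pids, from the report's "Executes dropped EXE" table.
DROPPED = {5076: "SD1.4.0.672_Setup.exe", 3432: "QQ.exe", 2240: "Setup.exe",
           5024: "Esseeg.exe", 4640: "Setup_x64.exe", 1376: "Setup.exe", 1344: "Esseeg.exe"}

# The \1 backreference checks that the pid column repeats the writer pid.
ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)$")

def parse_rows(text):
    """Parse rows into (writer_pid, target_pid, writer_name, procid_target) tuples."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append((int(m[1]), int(m[2]), m[3], int(m[4])))
    return rows

def build_tree(rows, known_names):
    """Collapse repeated rows into one edge per (writer, target) with a row count.
    Returns (edges, names) where edges[parent][child] == count."""
    edges = defaultdict(dict)
    names = dict(known_names)
    for writer, target, writer_name, _ in rows:
        edges[writer][target] = edges[writer].get(target, 0) + 1
        names.setdefault(writer, writer_name)   # the writer's name is in the row itself
    return dict(edges), names

def roots(edges):
    """Pids that write into others but are never written into themselves."""
    targets = {t for kids in edges.values() for t in kids}
    return sorted(p for p in edges if p not in targets)

def untraced_roots(edges, known_names):
    """Roots that are themselves dropped executables: their parent lies outside
    the traced tree (a service or scheduled-task start, not a traced CreateProcess)."""
    return [p for p in roots(edges) if p in known_names]

def render(edges, names, pid, depth=0):
    """Indented text tree, one line per process, children in pid order."""
    lines = ["%s%d %s" % ("  " * depth, pid, names.get(pid, "?"))]
    for child in sorted(edges.get(pid, {})):
        lines += render(edges, names, child, depth + 1)
    return lines

def reconstruct(text, known_names):
    edges, names = build_tree(parse_rows(text), known_names)
    out = []
    for r in roots(edges):
        out += render(edges, names, r)
    return out

if __name__ == "__main__":
    print("\n".join(reconstruct(WPM_ROWS, DROPPED)))
```

The reconstruction reproduces the two trees in the Processes section: the dropper chain rooted at 3140 and the Esseeg.exe pair rooted at 5024. Because the parsing is a regex over the flattened text, the same script works on other tria.ge reports pasted in the same form.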
Processes
(the number is the depth in the tree; each entry shows the command line as recorded and the signatures that fired for that process)

1. "C:\Users\Admin\AppData\Local\Temp\eab4ea5c7ebd0271f2f8b0e27ec91961_JaffaCakes118.exe"  (PID 3140)
   - Checks computer location settings
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. "C:\Users\Admin\AppData\Local\Temp\Temp\SD1.4.0.672_Setup.exe"  (PID 5076)
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\7z7BFE73D4\Setup.exe  (PID 2240)
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4. "C:\Users\Admin\AppData\Local\Temp\7z7BFE73D4\Setup_x64.exe"  (PID 4640)
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            5. C:\Users\Admin\AppData\Local\Temp\7z782DB220\Setup.exe  (PID 1376)
               - Executes dropped EXE
               - Enumerates connected drives
               - Suspicious use of SetWindowsHookEx
   2. "C:\Users\Admin\AppData\Local\Temp\Temp\QQ.exe"  (PID 3432)
      - Executes dropped EXE
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx

1. "C:\Program Files (x86)\Microsoft Auqauy\Esseeg.exe"  (PID 5024)
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. "C:\Program Files (x86)\Microsoft Auqauy\Esseeg.exe" Win7  (PID 1344)
      - Executes dropped EXE
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Modifies data under HKEY_USERS
      - Suspicious use of SetWindowsHookEx

The sample is a dropper with two branches: a bundled installer chain (SD1.4.0.672_Setup.exe, which unpacks 7-Zip-style temporary directories and runs Setup.exe and Setup_x64.exe) and QQ.exe, which enables SeDebugPrivilege and copies itself to Program Files (x86)\Microsoft Auqauy\Esseeg.exe. The second tree has no traced parent: Esseeg.exe was written by QQ.exe (PID 3432) but starts as a new root, which together with "Creates a Windows Service" is consistent with it being launched by the Service Control Manager. It then starts a second instance of itself with the single argument Win7 (despite the run being on Windows 10), and that child is the instance responsible for the systemprofile cache files and the .DEFAULT hive writes, i.e. the network activity.
Network
MITRE ATT&CK Enterprise v15
Downloads
(five files; names are not recorded on this page. None of the hashes matches the submitted sample, so these are dropped or extracted artifacts of the run.)

  1.
    Filesize:  906KB
    MD5:       4cd89312146f921fd08d5f285852023b
    SHA1:      56eb14ebe14f367a69084a79943e4f74eb8d5b2d
    SHA256:    d632e9d4875b1bdeeddcb1b87cc459b50089db100306ab9303b763d1ec4a9593
    SHA512:    1a6af621aa617d690e73f986c3801ce6f70ad3509c8763f5c80c502d57c46bf37c7990c997846558ce590ce41ba54e7f5a95faf51ed4d32200e4ab90fe4ad25b

  2.
    Filesize:  114KB
    MD5:       b453cd30e5a8883f2f88856fef990abd
    SHA1:      6a0fc0a9d41837c04fe9b3f1f4094677d86f6c0a
    SHA256:    e0682dae2bbc0a3a77238cab0a17a4b1831238a4ed5ea9504617aa8b0cc0b2cb
    SHA512:    12938a16537622a8cf1ebb1e8c45e099e408fe4e6e3fe369137d794237e4930f6c65a551f25175f5b6502a8868316686212dc3303be950518c53e0bd260113ed

  3.
    Filesize:  2.1MB
    MD5:       ccf8d4eec6390047289b31806535829b
    SHA1:      b4f90305821e9adc4b72c0b25591ec8b42437565
    SHA256:    de18d093fdd684c4a0fea28d74c3902f0f70297ce4b23a671fc8a3f5d2319703
    SHA512:    3776e59f351e6a7c11d6bce450c5d40770cefe977a09af30367be9aebae30211058644026b509dd9c075bda1fc98469d07d5b949981df7e86e615296667a0ac8

  4.
    Filesize:  208KB
    MD5:       6677db1cde1b22640181e907c75c12e1
    SHA1:      5abd23d739e99e411dec8f7f6a4b931491170c53
    SHA256:    c98c15e681d7f7e0e06173560476a5a8546699dfc8f85c505a794423076247af
    SHA512:    40073ce2715ff28eeaa521365804f0bb8c864f930f026b8528f619ca58d9febdf5f7e1088ce9139343294afbc650523501f81064c32fd40f21a26f4ed7dbdefe

  5.
    Filesize:  3.3MB
    MD5:       d948dd85b8edb5391a5e04e274533558
    SHA1:      775aa63441a1ad26699b33bb8646006376fbdf35
    SHA256:    b4e7960ef248b8a35f8cd33962dae252e33d177822c9e8dbf40fdfbfe9e2e850
    SHA512:    34720a095d22733c57c47f5b37ff7171c9cf1c1654d9c759640baa84cca3f77cae032706d323363c25421c959decb49cd441dcada30195bc0cacce1281f06d61