Analysis
- max time kernel: 141s
- max time network: 134s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19/09/2024, 06:46
Behavioral tasks
- behavioral1: eac9954d2428c333ac4b0483344b993b_JaffaCakes118.exe on resource win7-20240903-en
- behavioral2: eac9954d2428c333ac4b0483344b993b_JaffaCakes118.exe on resource win10v2004-20240802-en
The signatures, process tree and YARA hits below come from behavioral2 (the Windows 10 run); the YARA resource paths are prefixed behavioral2/.
General
- Target: eac9954d2428c333ac4b0483344b993b_JaffaCakes118.exe
- Size: 1.2MB
- MD5: eac9954d2428c333ac4b0483344b993b
- SHA1: 7ce14ae6abbf63276d7bd5bf4679d30dd23b1789
- SHA256: 7b62884a3cd7670a6f5ebba712c417936bb0f9a782003de53c85516e85f95202
- SHA512: cf323b79fa5becc2e71af3ff8875383ba8cce18b8d9578537e43cc2b44bcfb1fb4f6c1d20acb72a772a2b0916dd8793c878fc04863e311e673f305508c6f168b
- SSDEEP: 24576:vn2Cdf/6N6Kl+OG1ogqKISkqZV9vyAFUHLSMyzDJ1kAbArlbBa1FWETk:+OfSAmvGoge4P9vyAFUczokaGg
Malware Config
Signatures
Sets file to hidden (1 TTP, 1 IoC)
Modifies file attributes to stop it showing in Explorer etc.
- pid 4624 attrib.exe
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation by:
- eac9954d2428c333ac4b0483344b993b_JaffaCakes118.exe
- pwd.exe
- GoogleUpdate.exe
Executes dropped EXE (4 IoCs)
- pid 4360 GoogleUpdate.exe
- pid 676 pwd.exe
- pid 4300 MPR.exe
- pid 4208 realip.exe
YARA matches (resource, yara_rule)
- behavioral2/memory/1384-0-0x0000000000400000-0x000000000080C000-memory.dmp: upx
- behavioral2/files/0x00070000000234e5-44.dat: upx
- behavioral2/files/0x00070000000234e3-47.dat: upx
- behavioral2/memory/4360-52-0x0000000000400000-0x00000000004C4000-memory.dmp: upx
- behavioral2/memory/676-56-0x0000000000400000-0x0000000000410000-memory.dmp: upx
- behavioral2/memory/1384-61-0x0000000000400000-0x000000000080C000-memory.dmp: upx
- behavioral2/memory/4360-76-0x0000000000400000-0x00000000004C4000-memory.dmp: upx
- behavioral2/memory/676-77-0x0000000000400000-0x0000000000410000-memory.dmp: upx
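The upx rule above fires on the sample's own image, on two dropped files and on the in-memory images of GoogleUpdate.exe and pwd.exe. The following is an added example, not code from the report or from tria.ge: it walks a PE section table and reports the three cheap UPX indicators an analyst checks by hand (UPX0/UPX1 section names, a UPX0 that is large in memory but has zero bytes on disk, and a high-entropy UPX1). The two PE images it inspects are constructed in the block; the 0x40C000 virtual size only echoes the 0x400000-0x80C000 span of the PID 1384 dump, the bytes are synthetic.

```python
# Added example (not the report's or tria.ge's code): walk a PE section table and
# look for the UPX layout behind the "upx" YARA hits. Inputs are built inline.
import math
import random
import struct
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: compressed/packed data sits near 8.0, zero-filled near 0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> list:
    """DOS header -> e_lfanew -> PE signature -> COFF header -> 40-byte section rows."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size
    out = []
    for i in range(n_sections):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, off + 8)
        out.append({"name": name, "virtual_size": vsize, "virtual_address": vaddr,
                    "raw_size": raw_size,
                    "entropy": shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])})
    return out


def upx_indicators(pe: bytes) -> dict:
    """UPX* names, a hollow UPX0 (big in memory, 0 bytes on disk) and a dense UPX1.
    Names alone are weak: UPX can be told to rename its sections."""
    secs = parse_sections(pe)
    by_name = {s["name"]: s for s in secs}
    upx0, upx1 = by_name.get("UPX0"), by_name.get("UPX1")
    names = any(s["name"].startswith("UPX") for s in secs)
    hollow = bool(upx0 and upx0["raw_size"] == 0 and upx0["virtual_size"] > 0)
    dense = bool(upx1 and upx1["entropy"] > 7.0)
    return {"section_names": [s["name"] for s in secs], "upx_names": names,
            "hollow_upx0": hollow, "high_entropy_upx1": dense,
            "likely_upx": names and (hollow or dense)}


def _section(name: str, vsize: int, vaddr: int, raw_size: int, raw_ptr: int) -> bytes:
    # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
    # PointerToRawData, reloc/linenumber pointers and counts, Characteristics.
    return struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), vsize, vaddr,
                       raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)


def build_sample_pe(packed: bool) -> bytes:
    """Constructed minimal PE32 (synthetic input, not the analysed binary)."""
    opt_size, n = 224, 2 if packed else 1
    header_len = 0x40 + 4 + 20 + opt_size + 40 * n
    raw_base = (header_len + 0x1FF) & ~0x1FF          # 0x200 file alignment
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    if packed:
        payload = random.Random(7).randbytes(4096)     # stands in for compressed data
        sections = (_section("UPX0", 0x40C000, 0x1000, 0, 0)
                    + _section("UPX1", 0x1000, 0x40D000, len(payload), raw_base))
    else:
        payload = b"\x55\x8b\xec" * 512                # repetitive prologue bytes
        sections = _section(".text", 0x600, 0x1000, len(payload), raw_base)
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections
    return image + b"\0" * (raw_base - len(image)) + payload


if __name__ == "__main__":
    for label, packed in (("packed", True), ("clean", False)):
        print(label, upx_indicators(build_sample_pe(packed)))
```

On a real sample, pass the file bytes to upx_indicators; for the memory dumps listed above the section table is still present at the image base, but the UPX1 entropy drops once the stub has unpacked in place, which is why the memory matches are best confirmed with the file hashes rather than entropy.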
Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\GoogleUpdate.exe = "C:\\Windows\\System32\\Google\\GoogleUpdate.exe" by reg.exe
Drops file in System32 directory (22 IoCs)
- C:\Windows\SysWOW64\Google: opened for modification by attrib.exe
- C:\Windows\SysWOW64\Google\GoogleUpdate.exe: created and opened for modification by cmd.exe
- C:\Windows\SysWOW64\Google\pwd.exe: created and opened for modification by cmd.exe
- C:\Windows\SysWOW64\Google\MPR.exe: created and opened for modification by cmd.exe
- C:\Windows\SysWOW64\Google\realip.exe: created and opened for modification by cmd.exe; opened for modification by realip.exe
- C:\Windows\SysWOW64\Google\blat.exe: created and opened for modification by cmd.exe
- C:\Windows\SysWOW64\Google\blat.dll: created and opened for modification by cmd.exe
- C:\Windows\SysWOW64\Google\blat.lib: created and opened for modification by cmd.exe
- C:\Windows\SysWOW64\Google\HookLib.dll: created and opened for modification by cmd.exe
- C:\Windows\SysWOW64\Google\block_reader.sys: created and opened for modification by cmd.exe
- C:\Windows\SysWOW64\Google\localip.txt: created by cmd.exe
- C:\Windows\SysWOW64\Google\realip.txt: created by cmd.exe
Note: the batch file and the Run key both name C:\Windows\System32\Google, but the sample is a 32-bit process, so WOW64 file-system redirection places the files under C:\Windows\SysWOW64\Google and registry redirection stores the Run value under WOW6432Node. When hunting for these artefacts on a 64-bit host, check both the native and the redirected locations.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 11 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by:
- eac9954d2428c333ac4b0483344b993b_JaffaCakes118.exe
- cmd.exe (3 instances)
- reg.exe
- ipconfig.exe
- realip.exe
- MPR.exe
- attrib.exe
- GoogleUpdate.exe
- pwd.exe
Gathers network information (2 TTPs, 1 IoC)
Uses commandline utility to view network configuration.
- pid 1980 ipconfig.exe
Modifies registry class (21 IoCs, all by MPR.exe)
COM class registration under \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}:
- Key created {3F2BBC05-40DF-11D2-9455-00104BC936FF}
- Set value (str) {3F2BBC05-40DF-11D2-9455-00104BC936FF}\ = "Implements DocHostUIHandler"
- Key created {3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32
- Set value (str) {3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32\ = "C:\\Windows\\SysWOW64\\Google\\MPR.exe"
- Key created {3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID
- Set value (str) {3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID\ = "MPR.DocHostUIHandler"
ProgID under \REGISTRY\MACHINE\SOFTWARE\Classes\MPR.DocHostUIHandler:
- Key created MPR.DocHostUIHandler
- Set value (str) MPR.DocHostUIHandler\ = "Implements DocHostUIHandler"
- Key created MPR.DocHostUIHandler\Clsid
- Set value (str) MPR.DocHostUIHandler\Clsid\ = "{3F2BBC05-40DF-11D2-9455-00104BC936FF}"
File association .mpf -> mprf under \REGISTRY\MACHINE\SOFTWARE\Classes:
- Key created .mpf
- Set value (str) .mpf\ = "mprf"
- Key created mprf
- Set value (int) mprf\BrowserFlags = "8"
- Set value (int) mprf\EditFlags = "0"
- Key created mprf\DefaultIcon
- Set value (str) mprf\DefaultIcon\ = "C:\\Windows\\SysWOW64\\Google\\MPR.exe,0"
- Key created mprf\shell
- Key created mprf\shell\open
- Key created mprf\shell\open\command
- Set value (str) mprf\shell\open\command\ = "C:\\Windows\\SysWOW64\\Google\\MPR.exe \"%1\""
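Taken together with the Run key entry, the registry writes leave three kinds of artefact on a host: a Run value, a COM LocalServer32 and a file-association chain, all resolving to executables in a subfolder of System32/SysWOW64. The following is an added example, not code from the report or from tria.ge, that parses a REGEDIT-format export (what `reg export` produces, or what a collected hive is often dumped to for offline review) and flags those three artefact kinds. REG_SAMPLE is constructed from the values above plus one benign control entry; the "executable in a non-baseline System32 subfolder" heuristic and its ALLOWED_SUBDIRS allowlist are assumptions and need a known-good baseline from your own fleet.

```python
# Added example (not from the report or tria.ge): parse a REGEDIT-format export and
# flag the artefacts the "Modifies registry class" and "Adds Run key" entries describe.
# REG_SAMPLE is constructed from the report's values plus one benign control entry.
import re

REG_SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run]
"GoogleUpdate.exe"="C:\\Windows\\System32\\Google\\GoogleUpdate.exe"
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}]
@="Implements DocHostUIHandler"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32]
@="C:\\Windows\\SysWOW64\\Google\\MPR.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.mpf]
@="mprf"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mprf]
"BrowserFlags"=dword:00000008
"EditFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mprf\shell\open\command]
@="C:\\Windows\\SysWOW64\\Google\\MPR.exe \"%1\""
'''

# Subfolders that legitimately sit under System32/SysWOW64 in Run/COM entries.
# Assumed starting point; extend from a known-good baseline.
ALLOWED_SUBDIRS = {"wbem", "windowspowershell", "openssh"}
SYS_SUBDIR = re.compile(r"^[a-z]:\\windows\\(?:system32|syswow64)\\([^\\]+)\\", re.I)
VALUE_LINE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def unescape(s: str) -> str:
    """Undo .reg escaping (backslash-backslash, backslash-quote) in one left-to-right pass."""
    return re.sub(r"\\(.)", r"\1", s)


def decode_value(rhs: str):
    if rhs.startswith('"') and rhs.endswith('"'):
        return unescape(rhs[1:-1])
    if rhs.lower().startswith("dword:"):
        return int(rhs[6:], 16)
    return rhs                      # hex(...) binary blobs etc. are left raw


def parse_reg_export(text: str) -> dict:
    """{key_path: {value_name: value}}; '@' is the key's default value."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else unescape(m.group(2))
            keys[current][name] = decode_value(m.group(3))
    return keys


def exe_of(command: str) -> str:
    """First token of a command line, honouring a quoted image path."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" ", 1)[0]


def in_sys_subfolder(path: str) -> bool:
    m = SYS_SUBDIR.match(path)
    return bool(m) and m.group(1).lower() not in ALLOWED_SUBDIRS


def hunt(keys: dict) -> list:
    """Findings as (kind, key_or_extension, value_name_or_progid, exe)."""
    findings = []
    for key, values in keys.items():
        low = key.lower()
        if low.endswith(("\\currentversion\\run", "\\currentversion\\runonce")):
            for name, val in values.items():
                exe = exe_of(str(val))
                if in_sys_subfolder(exe):
                    findings.append(("run_key", key, name, exe))
        elif low.endswith(("\\localserver32", "\\inprocserver32")):
            exe = exe_of(str(values.get("@", "")))
            if in_sys_subfolder(exe):
                findings.append(("com_server", key, "@", exe))
    # File-association chain: .ext default -> ProgID -> ProgID\shell\open\command default.
    for key, values in keys.items():
        ext = key.rsplit("\\", 1)[-1]
        progid = values.get("@")
        if not ext.startswith(".") or not isinstance(progid, str):
            continue
        want = f"\\classes\\{progid.lower()}\\shell\\open\\command"
        for cmd_key in keys:
            if cmd_key.lower().endswith(want):
                exe = exe_of(str(keys[cmd_key].get("@", "")))
                if in_sys_subfolder(exe):
                    findings.append(("file_assoc", ext, progid, exe))
    return findings


if __name__ == "__main__":
    for finding in hunt(parse_reg_export(REG_SAMPLE)):
        print(finding)
```

Feed it `reg export HKLM\SOFTWARE out.reg /y` taken from both the native and the WOW6432Node views; the sample's writes land in WOW6432Node because the process is 32-bit, and a hunt that only reads the 64-bit view misses them.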
Modifies registry key (1 TTP, 1 IoC)
- pid 4896 reg.exe
Suspicious behavior: LoadsDriver (1 IoC)
- pid 664, process: Process not Found (the sandbox did not resolve the loading process; block_reader.sys is among the files dropped into C:\Windows\SysWOW64\Google above, but the report does not tie the two together)
Suspicious use of AdjustPrivilegeToken (1 IoC)
- Token: SeDebugPrivilege, pid 4300 MPR.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
- pid 4300 MPR.exe
- pid 4300 MPR.exe
Suspicious use of WriteProcessMemory (30 IoCs)
Each parent-to-child write appears three times in the report; the last column is the report's procid_target.
- PID 1384 (eac9954d2428c333ac4b0483344b993b_JaffaCakes118.exe) wrote to memory of 836, target 81 (x3)
- PID 836 (cmd.exe) wrote to memory of 4624, target 84 (x3)
- PID 836 (cmd.exe) wrote to memory of 4896, target 85 (x3)
- PID 836 (cmd.exe) wrote to memory of 4360, target 86 (x3)
- PID 836 (cmd.exe) wrote to memory of 676, target 87 (x3)
- PID 676 (pwd.exe) wrote to memory of 1276, target 88 (x3)
- PID 4360 (GoogleUpdate.exe) wrote to memory of 3664, target 89 (x3)
- PID 3664 (cmd.exe) wrote to memory of 1980, target 92 (x3)
- PID 1276 (cmd.exe) wrote to memory of 4300, target 93 (x3)
- PID 3664 (cmd.exe) wrote to memory of 4208, target 94 (x3)
Views/modifies file attributes (1 TTP, 1 IoC)
- pid 4624 attrib.exe
Processes
(indentation gives the depth the original marks with 1⤵ to 5⤵; each entry lists the image path, the command line as recorded, the PID and the signatures hit)

C:\Users\Admin\AppData\Local\Temp\eac9954d2428c333ac4b0483344b993b_JaffaCakes118.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\eac9954d2428c333ac4b0483344b993b_JaffaCakes118.exe"
  PID 1384
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A335.tmp\1.bat" "
      PID 836
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\attrib.exe
          cmdline: attrib +s +h "C:\Windows\System32\Google"
          PID 4624
          - Sets file to hidden
          - Drops file in System32 directory
          - System Location Discovery: System Language Discovery
          - Views/modifies file attributes
        C:\Windows\SysWOW64\reg.exe
          cmdline: reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "GoogleUpdate.exe" /t REG_SZ /d "C:\Windows\System32\Google\GoogleUpdate.exe" /f
          PID 4896
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          - Modifies registry key
        C:\Windows\SysWOW64\Google\GoogleUpdate.exe
          cmdline: GoogleUpdate.exe
          PID 4360
          - Checks computer location settings
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\cmd.exe
              cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A5C5.tmp\GoogleUpdate.bat" "
              PID 3664
              - Drops file in System32 directory
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
                C:\Windows\SysWOW64\ipconfig.exe
                  cmdline: ipconfig /all
                  PID 1980
                  - System Location Discovery: System Language Discovery
                  - Gathers network information
                C:\Windows\SysWOW64\Google\realip.exe
                  cmdline: realip.exe
                  PID 4208
                  - Executes dropped EXE
                  - Drops file in System32 directory
                  - System Location Discovery: System Language Discovery
        C:\Windows\SysWOW64\Google\pwd.exe
          cmdline: pwd.exe
          PID 676
          - Checks computer location settings
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\cmd.exe
              cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A604.tmp\pwd.bat" "
              PID 1276
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
                C:\Windows\SysWOW64\Google\MPR.exe
                  cmdline: mpr.exe /export
                  PID 4300
                  - Executes dropped EXE
                  - System Location Discovery: System Language Discovery
                  - Modifies registry class
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of SetWindowsHookEx
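The process tree is the part of this report that translates most directly into a detection: a dropper unpacks a batch file to Temp, that batch hides a new System32 subfolder, registers a Run key into it, and launches the dropped executables, one of which runs a second Temp batch that does recon with ipconfig /all. No single step is damning on its own (users run batch files from Temp, admins run ipconfig), so the following added example, which is not code from the report or from tria.ge, scores rule hits per process tree rather than alerting on each event. SAMPLE_EVENTS is constructed from the pid/ppid/image/command line values in the tree above plus a benign control chain; the parent pid 1000, the rule weights, the threshold and the ALLOWED_SUBDIRS allowlist are assumptions to tune against real telemetry (Sysmon event 1 or Security 4688 with command-line logging enabled).

```python
# Added example (not from the report or tria.ge): score process-creation telemetry
# for the chain in the tree above. SAMPLE_EVENTS is constructed from that tree plus
# a benign control; parent pid 1000, weights, threshold and allowlist are assumptions.
import re

TEMP_BATCH = re.compile(r"\\appdata\\local\\temp\\.*\.(?:bat|cmd)\b", re.I)
SYS_SUBDIR_EXE = re.compile(r"^[a-z]:\\windows\\(?:system32|syswow64)\\([^\\]+)\\[^\\]+\.exe$", re.I)
RUN_TARGET_IN_SYS_SUBDIR = re.compile(r"\\windows\\(?:system32|syswow64)\\[^\\]+\\", re.I)
ALLOWED_SUBDIRS = {"wbem", "windowspowershell", "openssh"}   # assumed baseline


def image_is(ev, *names):
    return ev["image"].lower().endswith(tuple("\\" + n for n in names))


def batch_from_temp(ev, parent):
    """cmd.exe running a .bat/.cmd under the user's Temp folder."""
    return image_is(ev, "cmd.exe") and TEMP_BATCH.search(ev["cmdline"]) is not None


def hide_system_dir(ev, parent):
    """attrib +s +h on a path under \\Windows\\System32 or SysWOW64."""
    c = ev["cmdline"].lower()
    return image_is(ev, "attrib.exe") and "+h" in c and "+s" in c and "\\windows\\sys" in c


def run_key_into_sys_subdir(ev, parent):
    """reg add ...\\CurrentVersion\\Run whose target sits in a System32 subfolder."""
    c = ev["cmdline"].lower()
    return (image_is(ev, "reg.exe") and " add " in c and "\\currentversion\\run" in c
            and RUN_TARGET_IN_SYS_SUBDIR.search(c) is not None)


def exec_from_sys_subdir(ev, parent):
    """Process image in a non-baseline subfolder of System32/SysWOW64."""
    m = SYS_SUBDIR_EXE.match(ev["image"])
    return bool(m) and m.group(1).lower() not in ALLOWED_SUBDIRS


def recon_from_batch(ev, parent):
    """Host/network recon whose parent is a Temp batch file."""
    return (image_is(ev, "ipconfig.exe", "whoami.exe", "systeminfo.exe")
            and parent is not None and batch_from_temp(parent, None))


RULES = {   # name: (predicate, weight); the weights are assumptions
    "batch_from_temp": (batch_from_temp, 1),
    "recon_from_batch": (recon_from_batch, 1),
    "exec_from_sys_subdir": (exec_from_sys_subdir, 2),
    "hide_system_dir": (hide_system_dir, 3),
    "run_key_into_sys_subdir": (run_key_into_sys_subdir, 3),
}


def root_of(pid, by_pid):
    """Walk ppid links to the oldest ancestor we have an event for."""
    seen = set()
    while pid not in seen and by_pid[pid]["ppid"] in by_pid:
        seen.add(pid)
        pid = by_pid[pid]["ppid"]
    return pid


def score_trees(events, threshold=4):
    """Aggregate rule hits per root process; return the roots at or above threshold."""
    by_pid = {e["pid"]: e for e in events}
    roots = {}
    for ev in events:
        parent = by_pid.get(ev["ppid"])
        for name, (pred, weight) in RULES.items():
            if pred(ev, parent):
                r = roots.setdefault(root_of(ev["pid"], by_pid),
                                     {"score": 0, "rules": set(), "pids": set()})
                r["score"] += weight
                r["rules"].add(name)
                r["pids"].add(ev["pid"])
    return {pid: r for pid, r in roots.items() if r["score"] >= threshold}


def ev(pid, ppid, image, cmdline):
    return {"pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


T = r"C:\Users\Admin\AppData\Local\Temp"
G = r"C:\Windows\SysWOW64\Google"
SAMPLE_EVENTS = [  # constructed from the report's process tree
    ev(1384, 1000, T + r"\eac9954d2428c333ac4b0483344b993b_JaffaCakes118.exe",
       '"' + T + r'\eac9954d2428c333ac4b0483344b993b_JaffaCakes118.exe"'),
    ev(836, 1384, r"C:\Windows\SysWOW64\cmd.exe",
       r'C:\Windows\system32\cmd.exe /c ""' + T + r'\A335.tmp\1.bat" "'),
    ev(4624, 836, r"C:\Windows\SysWOW64\attrib.exe", r'attrib +s +h "C:\Windows\System32\Google"'),
    ev(4896, 836, r"C:\Windows\SysWOW64\reg.exe",
       r'reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "GoogleUpdate.exe"'
       r' /t REG_SZ /d "C:\Windows\System32\Google\GoogleUpdate.exe" /f'),
    ev(4360, 836, G + r"\GoogleUpdate.exe", "GoogleUpdate.exe"),
    ev(3664, 4360, r"C:\Windows\SysWOW64\cmd.exe",
       r'C:\Windows\system32\cmd.exe /c ""' + T + r'\A5C5.tmp\GoogleUpdate.bat" "'),
    ev(1980, 3664, r"C:\Windows\SysWOW64\ipconfig.exe", "ipconfig /all"),
    ev(4208, 3664, G + r"\realip.exe", "realip.exe"),
    ev(676, 836, G + r"\pwd.exe", "pwd.exe"),
    ev(1276, 676, r"C:\Windows\SysWOW64\cmd.exe",
       r'C:\Windows\system32\cmd.exe /c ""' + T + r'\A604.tmp\pwd.bat" "'),
    ev(4300, 1276, G + r"\MPR.exe", "mpr.exe /export"),
    # benign control: a user's build script that runs ipconfig; scores 2, below threshold
    ev(5000, 1000, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "' + T + r'\build.bat"'),
    ev(5001, 5000, r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),
]

if __name__ == "__main__":
    for root, info in score_trees(SAMPLE_EVENTS).items():
        print(root, info["score"], sorted(info["rules"]), sorted(info["pids"]))
```

Scoring per root means the alert carries the whole chain (the dropper PID plus every child that contributed), which is what an analyst needs to scope the host; the two high-weight rules, hiding a System32 subfolder and pointing a Run key into one, are rare enough in normal telemetry that either one alone comes close to the threshold.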
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Modify Registry (2)
Downloads
(filenames are not given in the report; entries are listed by size and hash)

1. Filesize: 1KB
   MD5: 061a650773713d32f3f00d9d6e42a443
   SHA1: be58547350f42f0846e642226f3416aacd1bf9fa
   SHA256: d33bd0cadad2d76c7c3711e7063a3e498325bd731538b8173228e1c46027e790
   SHA512: 4ebaf0f241ad2fb974e46317fda9ec6f9bee1118b97222119017c30adaec9a9953a85283eb68147f097093c531d5c11b2c6710060c4be7014f5289f48933ed45
2. Filesize: 383KB
   MD5: 4c68ee627f3c1678b582c6358f9321e7
   SHA1: b8df8c9f4ff374b7e98f6690770606b65776604e
   SHA256: 1fe5f183e0c523be58ccecd3211596f82b481cc0337a504f55855eb0e1d33123
   SHA512: d7c0aa802880ed6580b592bb99d67168188f8eb7833372c7839c700fc7fd92170744ece6e32c21afde9c5bd034f4b7103f4d73f27a3ffacc36e2adbdee7a734e
3. Filesize: 42KB
   MD5: 27f3b6699c6243d8089056135cef4147
   SHA1: 767f70d5b79bf8d308318aa0da9ef0e0adfcd5d2
   SHA256: e5ad5d5b8a8ef2e686af0fd68dc70bab60508fe42f81dfa5d8e4cfade7ac2437
   SHA512: 0e44ae83e9a3165725a3a65d1f248141e679cc9b9911e9e60e5977154f58c50ceb3bd1eae6b0d2c4c13a1570500b32f92ee6d50934535ec54be2d1806cbee139
4. Filesize: 3.3MB
   MD5: bc1d63148cfc6d96736c2a3b5f675e67
   SHA1: f36e48980caace5e7cc7b996110ea8912ca18528
   SHA256: 444ca87b043e3723ccf99d96aad2310dc2faf690939c4a123a05b97d4935a7a3
   SHA512: 631e0948f27ab80b3cf543a4096bbd600fb457d9a5c15825beecffd46ba6b6bf74af42e42c89029f9757a76a387d084ccbca93f6fe40efe56864c69c9df25217
5. Filesize: 126KB
   MD5: 6a3e5393a84513e457ed18e0913a2176
   SHA1: 1ecb0f51a02b6ccce8d2a58e9f28a8ae60aea12d
   SHA256: 14944a809d98abe7b22bf86a0a4204221991e26f00dfeafbe2b7ccc7a1dd5c5f
   SHA512: 10943f63b67bf0f826a6a0efbe1a99b0445170390df4db9b45ca25f352a48f8d1f066e9d6be3d567d26bcde746ce41631d9ade48959403963a279e7b23f41a86
6. Filesize: 119KB
   MD5: 3f23b78126a01245cb3dac4602d4e3f7
   SHA1: 15af783721bbee0480d4702f9aa35f03da3c52b8
   SHA256: 0d2f026dee2c8b288a469afd5274d35029e54674b0f355b91cb4461dc6d491b1
   SHA512: 78d204abb47c1d7fc3564cf54e41414764c81bb272ee2cb686f2d2bafadeb8ce1470c822f4d0904ced460a240f300ca545b1f8eaa2f6f21f124a0c20aa262c16
7. Filesize: 2KB
   MD5: 2e2bf0cb321e717dd2caa9228aef1e59
   SHA1: b42b69f46949534c818ee9c369bae0e99b4dc36a
   SHA256: 042d1e40f789cb1fa43a49cb1ff20516be3370cadf1dc272adafddf4489a961e
   SHA512: 33b9a80706c1ec26e0fa5ca6bb2e921c57d25ba8413f2feb0d74beebc9fa50de114a0cf704948fc1cebd2c4aa6b3299cf835b719c9215eee78c8a8d83acda920
8. Filesize: 1KB
   MD5: f9aca461359daf992d72177f7559fa44
   SHA1: 242968e0c96fd9b15e8e2d40b406da80ee5d1c9e
   SHA256: f6018aae2edbf28bbbc7378ea349b6cb54b553d28336cb83f3a1810d27294530
   SHA512: 2cf504f12e1b6cc7883e3521fa989ab06caed8810bf63bde4fcc929821e9d2776384e6370e3bbe13577f152738188eb15e9e2541a2b0cc4143b46117c18bb2f5
9. Filesize: 21KB
   MD5: bbf7e15ba24d5eb1016a082bfe68cb84
   SHA1: 55d22402f00988c07fc765ab2e9e4c9b58bc5f21
   SHA256: 3df7e952ac598b943609abbddcebc4027608ff6fd6034edb5e89a71a4d74f2ff
   SHA512: b6dc328ece1d63429fcee414b79c199bf6b2448009a35021183a4604fc3fd9798f7419b297cebc307fd36b8a6aabfb2e47d1ca18b58a0403e6946de62c783368
10. Filesize: 40KB
    MD5: effa4a5a70423867665d2a46348ecb26
    SHA1: 8596bef191ed40ade5980abf0158dfd3d193c352
    SHA256: 03b86eeff30d769e062a3228a0fb3ce6f0f8911093cd2a4a70cade34896f568d
    SHA512: d94e48e1722d4814862d78f35800b4d8eff8f17be4902cbe0d2f0355fd3279faa9a403f3e4bb7ed70b44ace8dbb76b65b7c9f6e9ccf17c69e4d17e0895b8dfff
11. Filesize: 417B
    MD5: 083aeba786185b0354a94378e5c15688
    SHA1: 0fd9e68257eaa1490d26a52e267c898376e71455
    SHA256: fb47b3107b69f2384fb7940e8640f63fc77676c14d449fff68e1d260d24fd6fb
    SHA512: 9ab625eacf6e27029738ed9476ad6abb8f370784988dd553504262e09f9c625a7a201506ba7cd0d55d6c5bd67aa0e86639fd1579b7fae2f50379ddc9dfe709e1
12. Filesize: 244B
    MD5: 0f9bfdc68b6f7912ea080953bade0a0d
    SHA1: be395363283e3618961292f1f94be2fff39fb69c
    SHA256: c2adf9854ebd4ecd0eed9168828f85b005e5fce29cdd8652661d8e411d619256
    SHA512: ecbb8eef497bf879f5411cae2a0c8b98979d705dfac761151837d2a6cd51dee2e5ab1c17f7f8b50a8ceda5d5ae301597e506bca0b9a4c833befa648702705e22