Site notice (Windows 7 deprecation): Windows 7 will be removed from tria.ge on 2025-03-31.
Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19/09/2024, 15:56
Behavioral tasks
- behavioral1: sample ebae0f7205be00ee7d576833574a4553_JaffaCakes118.exe, resource win7-20240903-en
General
- Target: ebae0f7205be00ee7d576833574a4553_JaffaCakes118.exe
- Size: 259KB
- MD5: ebae0f7205be00ee7d576833574a4553
- SHA1: 09104faf56af1ce877c0a2ef2ef1445bdd3538de
- SHA256: d45ecd813753f71f8cc83550644bbcf13539c672b731a74be8aeb1e7c9452e56
- SHA512: a5eeda74e1d83a80bd730edb215c95a5f5d68391295dc75477106d93e832101be5555537a7f0554b3f8bad74df99a42cce57271976fa7f7a886e69f3978dcc43
- SSDEEP: 6144:EfmHJPPBGCidJZvqJ3M0Gr1f4Nc9vRhGIL:XPPBvir4Gr1f4e
Malware Config
Signatures
-
Modifies firewall policy service (3 TTPs, 10 IoCs)
All events below were produced by reg.exe (description, IoC, count):
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (x3)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications (x1)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List (x2)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (x2)
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\msn.exe = "C:\\Users\\Admin\\AppData\\Roaming\\msn.exe:*:Enabled:Windows Messanger" (x1)
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\msn.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\msn.exe:*:Enabled:Windows Messanger" (x1)
Notes for the analyst:
- The trace records the key under ControlSet001 while the command lines in the process tree target CurrentControlSet; CurrentControlSet is a symbolic link to the active control set, so both refer to the same key. Match on either spelling when writing detections.
- The value format `<path>:*:Enabled:<display name>` is the Windows XP/Server 2003-era firewall exception format. Current Windows Firewall rules live under ...\FirewallPolicy\FirewallRules; verify on a real host whether this legacy key has any effect before assuming the exception works, but treat the attempt itself as a strong signal.
- The display name "Windows Messanger" (misspelled) is the sample's own string and is kept verbatim as an IoC.
- An exception is added for C:\Users\Admin\AppData\Roaming\msn.exe as well as the Temp copy that actually ran; the Roaming path appears nowhere else in this trace.
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation (ebae0f7205be00ee7d576833574a4553_JaffaCakes118.exe)
Executes dropped EXE (2 IoCs)
- PID 3184: msn.exe
- PID 1288: notepad.exe
YARA rule match: upx (memory dumps of PID 4960)
- behavioral2/memory/4960-0-0x0000000000400000-0x0000000000490000-memory.dmp (rule: upx)
- behavioral2/memory/4960-22-0x0000000000400000-0x0000000000490000-memory.dmp (rule: upx)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 10 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (ebae0f7205be00ee7d576833574a4553_JaffaCakes118.exe, x1)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (msn.exe, x1)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe, x4)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (reg.exe, x4)
Modifies registry key (1 TTP, 4 IoCs)
- PID 4084: reg.exe
- PID 1052: reg.exe
- PID 3012: reg.exe
- PID 2960: reg.exe
Suspicious use of AdjustPrivilegeToken (35 IoCs)
All 35 token adjustments were made by PID 3184 (msn.exe), for the following privileges:
1, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35
Note: the bare numbers are privilege LUIDs the sandbox could not name (LUID 1 is below the first defined privilege; 31 to 35 are SeTrustedCredManAccessPrivilege, SeRelabelPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege on current Windows). A contiguous sweep over LUIDs 1 to 35 is the "enable every privilege" idiom: the code loops over LUIDs rather than requesting privileges by name. AdjustTokenPrivileges can only enable privileges already present in the token, so this list shows intent, not what was actually granted.
Suspicious use of SetWindowsHookEx (3 IoCs)
- PID 3184: msn.exe (x3)
Suspicious use of WriteProcessMemory (29 IoCs)
Source PID (process) -> target PID, with the number of recorded writes and the target's procid:
- 4960 (ebae0f7205be00ee7d576833574a4553_JaffaCakes118.exe) -> 3184, x3 (procid_target 82)
- 4960 (ebae0f7205be00ee7d576833574a4553_JaffaCakes118.exe) -> 1288, x2 (procid_target 83)
- 3184 (msn.exe) -> 4488, x3 (procid_target 84)
- 3184 (msn.exe) -> 2140, x3 (procid_target 85)
- 3184 (msn.exe) -> 2896, x3 (procid_target 86)
- 3184 (msn.exe) -> 4992, x3 (procid_target 87)
- 4488 (cmd.exe) -> 4084, x3 (procid_target 92)
- 4992 (cmd.exe) -> 2960, x3 (procid_target 93)
- 2140 (cmd.exe) -> 1052, x3 (procid_target 94)
- 2896 (cmd.exe) -> 3012, x3 (procid_target 95)
Processes
C:\Users\Admin\AppData\Local\Temp\ebae0f7205be00ee7d576833574a4553_JaffaCakes118.exe (PID 4960)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ebae0f7205be00ee7d576833574a4553_JaffaCakes118.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  +- C:\Users\Admin\AppData\Local\Temp\msn.exe (PID 3184)
       Command line: "C:\Users\Admin\AppData\Local\Temp\msn.exe"
       - Executes dropped EXE
       - System Location Discovery: System Language Discovery
       - Suspicious use of AdjustPrivilegeToken
       - Suspicious use of SetWindowsHookEx
       - Suspicious use of WriteProcessMemory

       +- C:\Windows\SysWOW64\cmd.exe (PID 4488)
            Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            +- C:\Windows\SysWOW64\reg.exe (PID 4084)
                 Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                 - Modifies firewall policy service
                 - System Location Discovery: System Language Discovery
                 - Modifies registry key

       +- C:\Windows\SysWOW64\cmd.exe (PID 2140)
            Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\msn.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\msn.exe:*:Enabled:Windows Messanger" /f
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            +- C:\Windows\SysWOW64\reg.exe (PID 1052)
                 Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\msn.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\msn.exe:*:Enabled:Windows Messanger" /f
                 - Modifies firewall policy service
                 - System Location Discovery: System Language Discovery
                 - Modifies registry key

       +- C:\Windows\SysWOW64\cmd.exe (PID 2896)
            Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            +- C:\Windows\SysWOW64\reg.exe (PID 3012)
                 Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                 - Modifies firewall policy service
                 - System Location Discovery: System Language Discovery
                 - Modifies registry key

       +- C:\Windows\SysWOW64\cmd.exe (PID 4992)
            Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\msn.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\msn.exe:*:Enabled:Windows Messanger" /f
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            +- C:\Windows\SysWOW64\reg.exe (PID 2960)
                 Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\msn.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\msn.exe:*:Enabled:Windows Messanger" /f
                 - Modifies firewall policy service
                 - System Location Discovery: System Language Discovery
                 - Modifies registry key

  +- C:\Users\Admin\AppData\Local\Temp\notepad.exe (PID 1288)
       Command line: "C:\Users\Admin\AppData\Local\Temp\notepad.exe"
       - Executes dropped EXE

Note: every REG ADD runs via a 32-bit cmd.exe/reg.exe pair from SysWOW64, and notepad.exe here is a file dropped into %TEMP%, not C:\Windows\System32\notepad.exe.
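As an added worked example (not part of the tria.ge report or of the sample), the Python below scans reg.exe command lines such as those in the process tree for the two firewall changes this sample makes: clearing DoNotAllowExceptions and adding an AuthorizedApplications\List entry in the legacy `<path>:<scope>:Enabled:<display name>` format. It folds `\REGISTRY\MACHINE\...\ControlSet001` (the spelling in the registry trace) and `HKLM\...\CurrentControlSet` (the spelling on the command line) onto one key, because CurrentControlSet is a symbolic link to the active control set, and it flags exceptions for binaries in user-writable directories. The sample command lines are copied from this report; the benign Contoso line and the USER_WRITABLE directory list are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the three distinct REG ADD command lines from the process
# tree above, plus one unrelated REG ADD (made up for this example) the scanner should ignore.
SAMPLE_CMDLINES = [
    r'REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f',
    r'REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\msn.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\msn.exe:*:Enabled:Windows Messanger" /f',
    r'cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\msn.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\msn.exe:*:Enabled:Windows Messanger" /f',
    r'REG ADD HKCU\Software\Contoso\Demo /v "LastRun" /t REG_SZ /d "2024-09-19" /f',
]

FIREWALL_POLICY = "\\services\\sharedaccess\\parameters\\firewallpolicy\\"
# Directories an unprivileged user can write to (assumed list): an exception for a binary here is worth a look.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\", "\\programdata\\")
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')  # a quoted argument (quotes stripped) or a bare word


@dataclass
class RegAdd:
    key: str                   # normalized, lower-case key path
    value_name: Optional[str]  # /v
    reg_type: Optional[str]    # /t
    data: Optional[str]        # /d


def normalize_key(key: str) -> str:
    """Lower-case the key and fold trace-style and command-line-style spellings of the same key together."""
    k = key.strip().lower()
    k = k.replace("\\registry\\machine\\", "hklm\\").replace("hkey_local_machine\\", "hklm\\")
    # CurrentControlSet is a symbolic link to ControlSet00N: the trace shows the target, the command the link.
    return re.sub(r"^hklm\\system\\controlset\d{3}\\", lambda m: "hklm\\system\\currentcontrolset\\", k)


def tokenize(cmdline: str) -> List[str]:
    return [quoted if quoted else bare for quoted, bare in TOKEN_RE.findall(cmdline)]


def parse_reg_add(cmdline: str) -> Optional[RegAdd]:
    """Parse `[cmd /c] REG ADD <key> [/v name] [/t type] [/d data] [/f]`; None if this is not a REG ADD."""
    toks = tokenize(cmdline)
    for i in range(len(toks) - 1):
        if toks[i].lower() in ("reg", "reg.exe") and toks[i + 1].lower() == "add":
            toks = toks[i + 2:]
            break
    else:
        return None
    if not toks:
        return None
    opts: Dict[str, str] = {}
    i = 1
    while i < len(toks):
        flag = toks[i].lower()
        if flag in ("/v", "/t", "/d") and i + 1 < len(toks):
            opts[flag] = toks[i + 1]
            i += 2
        else:
            i += 1  # /f, /reg:32 and anything else we do not care about
    return RegAdd(normalize_key(toks[0]), opts.get("/v"), opts.get("/t"), opts.get("/d"))


def assess(cmdline: str) -> List[str]:
    """Return findings for one command line; an empty list means nothing firewall-policy related."""
    r = parse_reg_add(cmdline)
    if r is None or FIREWALL_POLICY not in r.key:
        return []
    profile = r.key.split(FIREWALL_POLICY, 1)[1].split("\\")[0] or "?"  # standardprofile, domainprofile, ...
    findings: List[str] = []
    if (r.value_name or "").lower() == "donotallowexceptions" and (r.data or "").strip().lower() in ("0", "0x0"):
        findings.append(f"{profile}: DoNotAllowExceptions set to 0, so per-application exceptions are honoured")
    if r.key.endswith("\\authorizedapplications\\list") and r.data:
        # Legacy (XP/2003-era) exception format: <path>:<remote scope>:Enabled|Disabled:<display name>.
        # rsplit keeps the drive-letter colon inside the path.
        parts = r.data.rsplit(":", 3)
        if len(parts) == 4:
            path, scope, state, display = parts
            if state.lower() == "enabled":
                findings.append(f"{profile}: inbound exception for {path} (scope {scope!r}, shown as {display!r})")
            if any(marker in path.lower() for marker in USER_WRITABLE):
                findings.append(f"{profile}: excepted binary lives in a user-writable directory: {path}")
    return findings


def scan(cmdlines: List[str]) -> Dict[str, List[str]]:
    """Map each command line that produced findings to its findings."""
    results: Dict[str, List[str]] = {}
    for cmd in cmdlines:
        found = assess(cmd)
        if found:
            results[cmd] = found
    return results


if __name__ == "__main__":
    for cmd, found in scan(SAMPLE_CMDLINES).items():
        print(cmd[:90] + ("..." if len(cmd) > 90 else ""))
        for line in found:
            print("    ", line)
```

Feed it the CommandLine field of process-creation events (Sysmon event 1, Security 4688 with command-line auditing) for reg.exe, or the registry paths straight from a trace after running them through normalize_key. The `cmd /c` prefix is accepted so the parent cmd.exe lines match as well as the reg.exe children.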
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
- Filesize: 332KB
- MD5: 09ceedd0c5af2b182284dad3fc85f0ad
- SHA1: 71115ab8b75371c9a25831087126af756d4d2b24
- SHA256: 95f7e917a9a84ede14e0966908601ce311fca8d964a32ae43ffb79c9f5216e7f
- SHA512: bf3d21fb4160a84a7b3494d183c34dda90ebb977b8db088ca0032ccedeab045fb99cd86c4ee09e068470c1bbf9c53e6fbe68c153e731d373287c4d703331fd76
File 2
- Filesize: 189KB
- MD5: f2c7bb8acc97f92e987a2d4087d021b1
- SHA1: 7eb0139d2175739b3ccb0d1110067820be6abd29
- SHA256: 142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2
- SHA512: 2f37a2e503cffbd7c05c7d8a125b55368ce11aad5b62f17aaac7aaf3391a6886fa6a0fd73223e9f30072419bf5762a8af7958e805a52d788ba41f61eb084bfe8