Analysis
- max time kernel: 149s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240910-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240910-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30/09/2024, 22:18
Behavioral task: behavioral1
- Sample: 0374bfc6cefb51372f0cf35c85a1954f_JaffaCakes118.exe
- Resource: win7-20240903-en
General
- Target: 0374bfc6cefb51372f0cf35c85a1954f_JaffaCakes118.exe
- Size: 75KB
- MD5: 0374bfc6cefb51372f0cf35c85a1954f
- SHA1: 4616136887017e06b535fca473791aad41cd37ed
- SHA256: 6a2f8e349196980720e9a8cb6cfca994f139af11d40999389f6f28cc06f5098b
- SHA512: fa2fa703a64113a98e244fade0285ea024a818ee17556949e0cae495c610f6d5352c51da0c97371a9e557c2d72371d5b69488ad7778824e409535a6ec49055b6
- SSDEEP: 1536:6wKKva3L9Q3N1s/B/gjHAl4wS1rILJrA4f4bAgL+CSGRQbg:6wLvab9GHsJ/54wSt0HCVLFl
Malware Config
Signatures
- Drops startup file (1 IoC)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8970.lnk (explorer.exe)
- Executes dropped EXE (1 IoC)
  PID 1224 explorer.exe
- Loads dropped DLL (2 IoCs)
  PID 1224 explorer.exe
  PID 1224 explorer.exe
- Enumerates connected drives (3 TTPs, 42 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in Program Files directory (5 IoCs)
  File created: C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe (0374bfc6cefb51372f0cf35c85a1954f_JaffaCakes118.exe)
  File opened for modification: C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe (0374bfc6cefb51372f0cf35c85a1954f_JaffaCakes118.exe)
  File opened for modification: C:\Program Files (x86)\Common Files\uiui8.dll (explorer.exe)
  File created: C:\Program Files (x86)\Common Files\uiui8.dll (explorer.exe)
  File opened for modification: C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe (explorer.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (0374bfc6cefb51372f0cf35c85a1954f_JaffaCakes118.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (explorer.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs; PIDs 4008 and 1224)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeLoadDriverPrivilege, PID 4008 0374bfc6cefb51372f0cf35c85a1954f_JaffaCakes118.exe
  Token: SeLoadDriverPrivilege, PID 1224 explorer.exe
  Token: SeDebugPrivilege, PID 1224 explorer.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 1224 explorer.exe
  PID 1224 explorer.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 4008 (0374bfc6cefb51372f0cf35c85a1954f_JaffaCakes118.exe) wrote to memory of PID 1224 (procid_target 85)
  PID 4008 (0374bfc6cefb51372f0cf35c85a1954f_JaffaCakes118.exe) wrote to memory of PID 1224 (procid_target 85)
  PID 4008 (0374bfc6cefb51372f0cf35c85a1954f_JaffaCakes118.exe) wrote to memory of PID 1224 (procid_target 85)
Processes
1. C:\Users\Admin\AppData\Local\Temp\0374bfc6cefb51372f0cf35c85a1954f_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0374bfc6cefb51372f0cf35c85a1954f_JaffaCakes118.exe"
   PID: 4008
   - Enumerates connected drives
   - Drops file in Program Files directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe
      Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe"
      PID: 1224
      - Drops startup file
      - Executes dropped EXE
      - Loads dropped DLL
      - Enumerates connected drives
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 75KB
  MD5: 0374bfc6cefb51372f0cf35c85a1954f
  SHA1: 4616136887017e06b535fca473791aad41cd37ed
  SHA256: 6a2f8e349196980720e9a8cb6cfca994f139af11d40999389f6f28cc06f5098b
  SHA512: fa2fa703a64113a98e244fade0285ea024a818ee17556949e0cae495c610f6d5352c51da0c97371a9e557c2d72371d5b69488ad7778824e409535a6ec49055b6
- Filesize: 17KB
  MD5: 90b1f2289c3121611de1b47a54803e38
  SHA1: 8c1a78e9e777072aa60c365feb94b4eaee93ee8a
  SHA256: 28267ad6e645fd72dcb1a218b709c85bcbe34ebb5468f9533b04ff34d7647e0c
  SHA512: 216423e0647d4e40df227cb1bc6b6efddd2e84f5e9a58048219d7e59ec61f46e43e5e47bc4ea4485ef7af6282052113b0e68b73655c3245ec48d826fb8d905d6
- Filesize: 449B
  MD5: ae342318b288719168082ba3f26d8e33
  SHA1: 0464e616edc87b677de3e514a5e5baf696ac92ec
  SHA256: 331939a00efce9cab0dc7e690b7be7de0e3d2378f7ea48640bc80ead177332ec
  SHA512: 2e7d224df58bdc39395208fae51726c6d7eff76752c1fdc746da3294b159c1b6fbc9440354ff935c41b2d18d6734cfcc6c18fb726b78fc7d73d870a32cebda34