Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30/09/2024, 04:39
- Static task: static1
- Behavioral task: behavioral1
  Sample: fffba43aa01e74b7a9728fb3b6569286_JaffaCakes118.exe
  Resource: win7-20240903-en
- Behavioral task: behavioral2
  Sample: fffba43aa01e74b7a9728fb3b6569286_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
- Target: fffba43aa01e74b7a9728fb3b6569286_JaffaCakes118.exe
- Size: 112KB
- MD5: fffba43aa01e74b7a9728fb3b6569286
- SHA1: 33bad9771371c1b32f5bc5c3e61dfa698700dded
- SHA256: aeabcc4d23610f86474108cf7fe198e168e20e922a9921012b233adf1703db30
- SHA512: 3c920edecdb843787669c7b0d6a6414dcd44777250b72e8d331267482657b512e2ad07b69754f00d3125d28c81bb9d1b75caf389dbe94fe3dd46c12b560878a6
- SSDEEP: 3072:9LE3511sotrKLMuv2zyIMwmeVaH73uPes:9LEKojyIPB23uP5
Malware Config
Signatures
Drops file in Drivers directory (2 IoCs)
- File opened for modification: C:\Windows\SysWOW64\drivers\PCIDump.sys (process: DS_Server.exe)
- File opened for modification: C:\Windows\SysWOW64\drivers\PCIDump.sys (process: serverqb.exe)

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation (process: fffba43aa01e74b7a9728fb3b6569286_JaffaCakes118.exe)

Executes dropped EXE (3 IoCs)
- PID 2264: DS_Server.exe
- PID 4724: serverqb.exe
- PID 3160: 130.exe

Indicator Removal: File Deletion (1 TTP)
Adversaries may delete files left behind by the actions of their intrusion activity.

Drops file in System32 directory (3 IoCs)
- File opened for modification: C:\Windows\SysWOW64\serverqb.exe (process: DS_Server.exe)
- File created: C:\Windows\SysWOW64\serverqb.exe (process: serverqb.exe)
- File created: C:\Windows\SysWOW64\serverqb.exe (process: DS_Server.exe)

YARA rule matches (resource: yara_rule)
- behavioral2/files/0x0009000000023464-5.dat: upx
- behavioral2/memory/2264-11-0x0000000000400000-0x000000000040E000-memory.dmp: upx
- behavioral2/files/0x000800000002346c-20.dat: upx
- behavioral2/memory/2264-32-0x0000000000400000-0x000000000040E000-memory.dmp: upx
- behavioral2/memory/3160-29-0x0000000000400000-0x000000000048D000-memory.dmp: upx
- behavioral2/memory/3160-39-0x0000000000400000-0x000000000048D000-memory.dmp: upx
- behavioral2/memory/3160-41-0x0000000000400000-0x000000000048D000-memory.dmp: upx
- behavioral2/memory/3160-45-0x0000000000400000-0x000000000048D000-memory.dmp: upx

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cmd.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: fffba43aa01e74b7a9728fb3b6569286_JaffaCakes118.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: DS_Server.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: serverqb.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 130.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cmd.exe)
Suspicious behavior: EnumeratesProcesses (4 IoCs)
- PID 3160: 130.exe (4 identical entries)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
- Token: SeIncBasePriorityPrivilege; PID 2264; DS_Server.exe
- Token: SeIncBasePriorityPrivilege; PID 4724; serverqb.exe
- Token: 33; PID 1960; AUDIODG.EXE
- Token: SeIncBasePriorityPrivilege; PID 1960; AUDIODG.EXE

Suspicious use of FindShellTrayWindow (31 IoCs)
- PID 3160: 130.exe (31 identical entries)

Suspicious use of SendNotifyMessage (30 IoCs)
- PID 3160: 130.exe (30 identical entries)

Suspicious use of SetWindowsHookEx (2 IoCs)
- PID 3160: 130.exe (2 identical entries)

Suspicious use of WriteProcessMemory (15 IoCs; columns: description, pid, Process, procid_target)
- PID 1864 wrote to memory of 2264; pid 1864; fffba43aa01e74b7a9728fb3b6569286_JaffaCakes118.exe; procid_target 83 (3 identical entries)
- PID 1864 wrote to memory of 3160; pid 1864; fffba43aa01e74b7a9728fb3b6569286_JaffaCakes118.exe; procid_target 85 (3 identical entries)
- PID 2264 wrote to memory of 4724; pid 2264; DS_Server.exe; procid_target 86 (3 identical entries)
- PID 2264 wrote to memory of 3672; pid 2264; DS_Server.exe; procid_target 87 (3 identical entries)
- PID 4724 wrote to memory of 3680; pid 4724; serverqb.exe; procid_target 88 (3 identical entries)
Processes
(bracketed number is the depth of the process in the tree)

[1] C:\Users\Admin\AppData\Local\Temp\fffba43aa01e74b7a9728fb3b6569286_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\fffba43aa01e74b7a9728fb3b6569286_JaffaCakes118.exe"
    PID: 1864
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\DS_Server.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\DS_Server.exe"
        PID: 2264
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\serverqb.exe
            Command line: "C:\Windows\system32\serverqb.exe"
            PID: 4724
            - Drops file in Drivers directory
            - Executes dropped EXE
            - Drops file in System32 directory
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\cmd.exe
                Command line: C:\Windows\system32\cmd.exe /C del C:\Windows\SysWOW64\serverqb.exe > nul
                PID: 3680
                - System Location Discovery: System Language Discovery
        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /C del C:\Users\Admin\AppData\Local\Temp\DS_SER~1.EXE > nul
            PID: 3672
            - System Location Discovery: System Language Discovery
    [2] C:\Users\Admin\AppData\Local\Temp\130.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\130.exe"
        PID: 3160
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of SetWindowsHookEx

[1] C:\Windows\system32\AUDIODG.EXE
    Command line: C:\Windows\system32\AUDIODG.EXE 0x324 0x320
    PID: 1960
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 78KB
  MD5: e9a7a4078232b3aec8d1b0e58e09b1ee
  SHA1: cbff227299facfa4283a80f33dceda929dfa5e27
  SHA256: 1482f5b621e23c7d404fa348b66c5831bcf25565553179723cd831f85d6f44e7
  SHA512: 2b1a31cfce1d5bc78d7522ecc9b9f0e8750d5a71f498b5ced69d7b4c1442c6a4430f407080927591df187cd6a7219d596ba195a44d66de1c35d7749fd7204f12
- Filesize: 17KB
  MD5: 2642506650ac5ada29e46e24e6bb3d2d
  SHA1: d922ac0148a343ffe6d20910f3f049a97da13900
  SHA256: 90677d892b05e80f6eddfc6cca1cae2b6a069c00008229942b0020e06b56df2f
  SHA512: 7ce91d07a53e028acbcbe4259fde8c4958833a9ae5610eaca7c05c65253a5eb0a931a3e3352d966ba9a9bdc59f7f3566a6c992a4abd4a9b727f79261fb9a1a30
- Filesize: 4KB
  MD5: d058dd1757e857d2cf1afcadce95a521
  SHA1: 3d5563ce8e7a11110d238b25711a176a63bfb703
  SHA256: a0cd51ff93d087654b5ceccc279df8eb5e9783a530a3bca83a06c7f82025885d
  SHA512: 748937d6ae01ddbe97470754b73563c04e492d7980a8e0bbb9ed7838e85c8cff912d087204325664c3051aeba15606d23b9b507b211a6369e7ecc7bda175da44