Analysis
- max time kernel: 147s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20240910-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240910-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30/09/2024, 11:03
Static task: static1
Behavioral task: behavioral1
- Sample: 00fc2419fd43cedf29673f4288195368_JaffaCakes118.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: 00fc2419fd43cedf29673f4288195368_JaffaCakes118.exe
- Resource: win10v2004-20240910-en
General
- Target: 00fc2419fd43cedf29673f4288195368_JaffaCakes118.exe
- Size: 24KB
- MD5: 00fc2419fd43cedf29673f4288195368
- SHA1: 17248a82c6c30f645331e48de3a7c2ec6e5aa50c
- SHA256: 9051077798743147fa45e0c0dddfdd00797b394fb6304f39da109cf0be1d5eb9
- SHA512: 9e8cdbcbcfaca04c380ca97a9b2a2d3e6196d36093f7ea69f65727969fee81205cd02f8c82f0ff8154e36c2c904f259ae64b05604c7e37030e26d1c3a9964e15
- SSDEEP: 384:E3eVES+/xwGkRKJJXlM61qmTTMVF9/q5B0:bGS+ZfbJJXO8qYoAe
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Start GeekBuddy = "C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\spoolsv.exe" (process: 00fc2419fd43cedf29673f4288195368_JaffaCakes118.exe)
- Enumerates processes with tasklist (1 TTP, 1 IoC)
  PID 5112: tasklist.exe
- Drops file in Program Files directory (1 IoC)
  File created: C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033\spoolsv.exe (process: 00fc2419fd43cedf29673f4288195368_JaffaCakes118.exe)
- System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by each of net1.exe, NETSTAT.EXE, 00fc2419fd43cedf29673f4288195368_JaffaCakes118.exe, cmd.exe, cmd.exe, ipconfig.exe, tasklist.exe and net.exe
- Gathers network information (2 TTPs, 2 IoCs)
  Uses a command-line utility to view the network configuration.
  PID 4060: ipconfig.exe
  PID 3216: NETSTAT.EXE
- Runs net.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token SeDebugPrivilege: PID 5112, tasklist.exe
  Token SeDebugPrivilege: PID 3216, NETSTAT.EXE
- Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 3588: 00fc2419fd43cedf29673f4288195368_JaffaCakes118.exe
  PID 3588: 00fc2419fd43cedf29673f4288195368_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  Source PID (process) -> target PID, procid_target; each write is recorded three times:
  3588 (00fc2419fd43cedf29673f4288195368_JaffaCakes118.exe) -> 5108, procid_target 86 (x3)
  5108 (cmd.exe) -> 1252, procid_target 88 (x3)
  5108 (cmd.exe) -> 4060, procid_target 89 (x3)
  5108 (cmd.exe) -> 5112, procid_target 90 (x3)
  5108 (cmd.exe) -> 5056, procid_target 93 (x3)
  5056 (net.exe) -> 868, procid_target 94 (x3)
  5108 (cmd.exe) -> 3216, procid_target 95 (x3)
Processes
- (level 1) C:\Users\Admin\AppData\Local\Temp\00fc2419fd43cedf29673f4288195368_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\00fc2419fd43cedf29673f4288195368_JaffaCakes118.exe"
  PID: 3588
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - (level 2) C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ver >c:\windows\temp\flash.log & cmd /c set >>c:\windows\temp\flash.log & ipconfig /all >>c:\windows\temp\flash.log & tasklist >>c:\windows\temp\flash.log & net start>>c:\windows\temp\flash.log & netstat -an >>c:\windows\temp\flash.log
    PID: 5108
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - (level 3) C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c set
      PID: 1252
      - System Location Discovery: System Language Discovery
    - (level 3) C:\Windows\SysWOW64\ipconfig.exe
      Command line: ipconfig /all
      PID: 4060
      - System Location Discovery: System Language Discovery
      - Gathers network information
    - (level 3) C:\Windows\SysWOW64\tasklist.exe
      Command line: tasklist
      PID: 5112
      - Enumerates processes with tasklist
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
    - (level 3) C:\Windows\SysWOW64\net.exe
      Command line: net start
      PID: 5056
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - (level 4) C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 start
        PID: 868
        - System Location Discovery: System Language Discovery
    - (level 3) C:\Windows\SysWOW64\NETSTAT.EXE
      Command line: netstat -an
      PID: 3216
      - System Location Discovery: System Language Discovery
      - Gathers network information
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 14KB
- MD5: 83e4c4c05997a527c0a0fdd4ad838e0d
- SHA1: 8ea5beffa460aaff6a5bc3b086bfc5311f035427
- SHA256: 465a3a54992622448e9d0ef38ab15022d1e0a980e8d7b9b35978d8ea7acc5c2b
- SHA512: b40e5c2b0471234e5cb711be58ea75a07a670eadacf8d49c7c4c3bd946800435d296d85beff2899c60ce8fd5352611ac064a2a17e32c8da705f46d1a0572b229