Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
147s -
max time network
134s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
30/09/2024, 20:23
Behavioral task
behavioral1
Sample
032119fe64a3795e3263bb23a6195ca1_JaffaCakes118.exe
Resource
win7-20240903-en
General
-
Target
032119fe64a3795e3263bb23a6195ca1_JaffaCakes118.exe
-
Size
47KB
-
MD5
032119fe64a3795e3263bb23a6195ca1
-
SHA1
88461f9825c5e08e3d085b257c55715f6864cd78
-
SHA256
b94b43eede4c73645d5f0add91ada0285aea9e417d27db329fe457dc805cbca8
-
SHA512
5bda976ea479f13d0ef5cb32bec8db1d74ed16d07672ffa47854117c05d093b21f19bc97a9ffc7960326cef42ab8abdc5cff4537f4e8824839297c313113071f
-
SSDEEP
768:/174XD8EQ9KDb+rDYeHG8l6ktUSsDNXdidP3EDQNNPNUnWKM+W6EGh3rEq:/bEeGC3YeLtw1d+0ANUWhHFAIq
Malware Config
Signatures
-
Unexpected DNS network traffic destination 6 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description ioc Destination IP 122.227.164.149 Destination IP 122.227.164.149 Destination IP 210.83.80.78 Destination IP 210.83.80.78 Destination IP 210.83.80.78 Destination IP 122.227.164.149 -
resource yara_rule behavioral2/memory/948-0-0x0000000000400000-0x0000000000415000-memory.dmp upx behavioral2/memory/948-3-0x0000000000400000-0x0000000000415000-memory.dmp upx -
Drops file in Program Files directory 1 IoCs
description ioc Process File created C:\Program Files\staticial\dd.vbs 032119fe64a3795e3263bb23a6195ca1_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 032119fe64a3795e3263bb23a6195ca1_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dialer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ipconfig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.Exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE -
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
pid Process 4100 ipconfig.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31134582" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40d4f8e57613db01 iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31134582" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 300000e67613db01 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434492863" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3738296333" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039570b57fe416e4dbccca910bc3eabbd00000000020000000000106600000001000020000000bc902f2765b6716d721f5c3dd5dcee7b7be070464636f2686611de4e3670fb77000000000e80000000020000200000009a623eb02f2f78c86061e938371c1ca5af952c19fdbce1785453a9815d521a96200000002db53374ca1240b72ceff8d448fffff8d1f3376611c709316ebf9ce1bbb3c5ab40000000da856639c74abb9dfa031da11e63fdf3c851eb94ffb52fedba8150d7d3093d9e2df36441c664f42dab275ae98babaab701a4605a8c23052c807669fbd656132a iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3738296333" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3741577525" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039570b57fe416e4dbccca910bc3eabbd00000000020000000000106600000001000020000000b79f886830b564ed09d2aa9bd8afdac4881f083ce5d583dc3f06f53899451601000000000e80000000020000200000002d5951b5462d3811a23363f10b6c408111036b940356d755e9da1e4f46bd759c20000000c4447631a0033524f1d5bde1502000c6d034f3412aa7e729ecdb1bec72ccb9a240000000ca4eb2fb8ef12c183d369710584b8b8daed5190f801f65ab7a775db820b38988f6d28f4dfdb1876cd386ec8a4aef713cc1f9dd60cf22ea71c8c0168bba6f4166 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{0A71DD14-7F6A-11EF-98CC-DA2E3A28CA1B} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\GPU IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31134582" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 3524 iexplore.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 948 032119fe64a3795e3263bb23a6195ca1_JaffaCakes118.exe 3524 iexplore.exe 3524 iexplore.exe 1832 IEXPLORE.EXE 1832 IEXPLORE.EXE 1832 IEXPLORE.EXE 1832 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 20 IoCs
description pid Process procid_target PID 948 wrote to memory of 5068 948 032119fe64a3795e3263bb23a6195ca1_JaffaCakes118.exe 91 PID 948 wrote to memory of 5068 948 032119fe64a3795e3263bb23a6195ca1_JaffaCakes118.exe 91 PID 948 wrote to memory of 5068 948 032119fe64a3795e3263bb23a6195ca1_JaffaCakes118.exe 91 PID 5068 wrote to memory of 3844 5068 cmd.exe 93 PID 5068 wrote to memory of 3844 5068 cmd.exe 93 PID 5068 wrote to memory of 3844 5068 cmd.exe 93 PID 948 wrote to memory of 4920 948 032119fe64a3795e3263bb23a6195ca1_JaffaCakes118.exe 95 PID 948 wrote to memory of 4920 948 032119fe64a3795e3263bb23a6195ca1_JaffaCakes118.exe 95 PID 948 wrote to memory of 4920 948 032119fe64a3795e3263bb23a6195ca1_JaffaCakes118.exe 95 PID 4920 wrote to memory of 4100 4920 cmd.exe 97 PID 4920 wrote to memory of 4100 4920 cmd.exe 97 PID 4920 wrote to memory of 4100 4920 cmd.exe 97 PID 948 wrote to memory of 4568 948 032119fe64a3795e3263bb23a6195ca1_JaffaCakes118.exe 98 PID 948 wrote to memory of 4568 948 032119fe64a3795e3263bb23a6195ca1_JaffaCakes118.exe 98 PID 948 wrote to memory of 4568 948 032119fe64a3795e3263bb23a6195ca1_JaffaCakes118.exe 98 PID 948 wrote to memory of 3524 948 032119fe64a3795e3263bb23a6195ca1_JaffaCakes118.exe 99 PID 948 wrote to memory of 3524 948 032119fe64a3795e3263bb23a6195ca1_JaffaCakes118.exe 99 PID 3524 wrote to memory of 1832 3524 iexplore.exe 100 PID 3524 wrote to memory of 1832 3524 iexplore.exe 100 PID 3524 wrote to memory of 1832 3524 iexplore.exe 100
Processes
-
C:\Users\Admin\AppData\Local\Temp\032119fe64a3795e3263bb23a6195ca1_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\032119fe64a3795e3263bb23a6195ca1_JaffaCakes118.exe"1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:948 -
C:\Windows\SysWOW64\cmd.execmd.exe /c c:\windows\system32\dialer.exe enable *SUBSYS_00000000*2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5068 -
\??\c:\windows\SysWOW64\dialer.exec:\windows\system32\dialer.exe enable *SUBSYS_00000000*3⤵
- System Location Discovery: System Language Discovery
PID:3844
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c ipconfig /all > c:\WINDOWS\Temp\2318.tmp2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4920 -
C:\Windows\SysWOW64\ipconfig.exeipconfig /all3⤵
- System Location Discovery: System Language Discovery
- Gathers network information
PID:4100
-
-
-
C:\Windows\SysWOW64\WScript.ExeWScript.Exe "C:\Program Files\staticial\dd.vbs"2⤵
- System Location Discovery: System Language Discovery
PID:4568
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://dl.kanlink.cn:1287/CPAdown/vplay.php2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3524 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3524 CREDAT:17410 /prefetch:23⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1832
-
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:1572
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
467B
MD5fdf5894fca182230626f28848359ba7c
SHA1cdde473b87b1d4b0faa01ce16c753d75a39509ae
SHA2561aca5ca82e9890f5d1385752ea26d5111648d90c74d1fdd5b20505d6f67b7908
SHA512f450cb1197392bfb79e713c17de8c6869e83805d2f2c03a4ee1e0bdf43c935bf83e6f43116c9b51d702d3ebe18b9c6eb46deb7555b068623ecf0bf4b513b6446
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize471B
MD55c93309a2b418ef7de0afb3ae82770c2
SHA11b9d1a371d163274c3831c764f18ce33f529e5f6
SHA256fa0eff22a494037462bc32f5f477044d28d8e7795b8e2ee7724dbe0c646f2b22
SHA51208d71c4cd9ff5df8c53b83bc24fa1ef42c3c205ed08b3a3d38fbc737a68083241c0230a942336f76d0aeb3bf7ffcdc8b8e4f3f82f9f3eba1c7e47af83802af76
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize404B
MD53153fab050a9c0b630030bd3711966fe
SHA143f4609154ec1c0010472295c95b7a1968e17edf
SHA2569ee5b3045d68a8058eda53de8663de9247ee1440d416a96cfb336cb5e25916ef
SHA512eea7645b5ec7c708a869ec9e175c823b1d47219b1227fca63c5fca5b4e8698d624aa8b2ba818429dd2ffaf630c6370bb854345365430033101958a6998a395ae
-
Filesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
Filesize
1023B
MD555ca75108b9eefd9f1c32df3bc2bf76a
SHA102a84cedfbbe6a24690c04bff1d5175d850febcf
SHA256d8d049e41bd2d7451fae7cdc6e84f2294c8cffa4ab573c9ffd0b06f1299d82e6
SHA51266cb504591be2a2030678b2c7207f052262daf037f1ab926a63501daa218a9f0c9c292c9d2c6045b7db9a5fb5c210f6ea61fbbbabdf83a4c6dd4b0b74ca518ff