Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 126s
max time network: 127s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 02/10/2024, 09:21
Static task
static1
Behavioral tasks
behavioral1: 09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe on win7-20240708-en
behavioral2: 09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe on win10v2004-20240802-en
behavioral3: $_3_.exe on win7-20240903-en
behavioral4: $_3_.exe on win10v2004-20240802-en
The signatures, process tree and dropped files on this page are from the windows7_x64 run (behavioral1, resource win7-20240708-en, as the Analysis block states); the results of the other three tasks are not shown here.
General
Target: 09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe
Size: 1.0MB
MD5: 09f8745d138f25e807860f9f7bb16d0e
SHA1: 4f3d20d1b0b745d0857121d4036fd1b95ddd722e
SHA256: 357d48ac369c240b339687beb4daee4e4e6faf071b89bf60a4655025088e57ca
SHA512: f732e6a8068033fa282abe3447c891e2276f711f805ae6f110f830d1f933c1181011b975c33335b4596d220b9650e0478d4f73d3f37f333e75a11b0f02c27d7c
SSDEEP: 24576:0ty/AMkERzF1fcEdN+ZQVZXBM348cBscckNvLSbgpMSLz+jJtdtvgw:0LEH1dfVF2I8uscckdLSbgpMk+t1gw
Malware Config
Signatures
Executes dropped EXE 1 IoCs
PID 2192  internal09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe
Loads dropped DLL 1 IoCs
PID 2448  09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description   ioc                                                          Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  PING.EXE
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  internal09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Two of the four hits are the stock system binaries cmd.exe and PING.EXE. Windows reads this key during ordinary locale (NLS) initialisation of any process, so a key-open on its own is weak evidence of a deliberate language check; it would only become meaningful if the read were followed by a decision (for example, exiting on a particular locale), and nothing on this page shows that.
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
PID 272  PING.EXE
Modifies Internet Explorer settings 3 IoCs
description      ioc                                                                                                                          Process
Key created      \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main                      internal09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe
Key created      \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch        internal09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"  internal09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe
The WindowsSearch\Version = "WS not running" value is what Internet Explorer's components write when a process initialises them (for example by hosting the WebBrowser control for an installer UI) while the Windows Search service is not running. By itself it reflects IE/shell initialisation by PID 2192, not a change to browsing settings.
Runs ping.exe 1 TTPs 1 IoCs
PID 272  PING.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs
PID 2192  internal09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe  (3 events)
Suspicious use of SetWindowsHookEx 3 IoCs
PID 2192  internal09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe  (3 events)
Suspicious use of WriteProcessMemory 15 IoCs
description         PID   target PID  Process                                                     procid_target  events
wrote to memory of  2448  2192        09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe          30             7
wrote to memory of  2192  1304        internal09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe  32             4
wrote to memory of  1304  272         cmd.exe                                                     34             4
procid_target is the target's index within this report's process list, not a Windows PID. Each write goes from a parent into the child it has just created (2448 -> 2192 -> 1304 -> 272), which is consistent with ordinary process start-up, where the parent populates the new process's parameters; no write targets a process outside this chain, so these rows are not by themselves evidence of injection into an unrelated process.
Processes
1. C:\Users\Admin\AppData\Local\Temp\09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe  (PID 2448)
   Command line: "C:\Users\Admin\AppData\Local\Temp\09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe"
   Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\nso5EC.tmp\internal09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe  (PID 2192, child of 2448)
      Command line: C:\Users\Admin\AppData\Local\Temp\nso5EC.tmp\internal09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe C:/Users/Admin/AppData/Local/Temp/nso5EC.tmp /baseInstaller='C:/Users/Admin/AppData/Local/Temp/09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe' /fallbackfolder='C:/Users/Admin/AppData/Local/Temp/nso5EC.tmp/fallbackfiles/'
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies Internet Explorer settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe  (PID 1304, child of 2192)
         Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\29742.bat" "C:\Users\Admin\AppData\Local\Temp\45B3800AC4084E2E8072DECF189242F3\""
         Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\PING.EXE  (PID 272, child of 1304)
            Command line: ping 1.1.1.1 -n 1 -w 1000
            Signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

Reading the tree:
- The submitted file is an installer stub: it extracts a second executable (1.7MB, listed under Downloads) into %TEMP%\nso5EC.tmp and runs it with /baseInstaller pointing back at itself and /fallbackfolder inside the same temp directory. The ns<letter><hex>.tmp directory name is the convention NSIS installers use for their plug-in/temp directory, so this is most likely an NSIS-built stub carrying an embedded second installer.
- The system binaries run from C:\Windows\SysWOW64, so the chain is 32-bit code on the x64 image (consistent with the arch:x86 resource tag).
- The second stage runs a batch file, 29742.bat, via cmd /c and passes it a working directory named by a GUID-like string (the same directory that holds the _LogFile.txt captured below). The only child of that batch is ping 1.1.1.1 -n 1 -w 1000: one echo request with a 1 s timeout. Triage tags it as Internet Connection Discovery; the identical command is also the usual batch-file idiom for a short delay, and this page does not show which reading applies.
- 29742.bat itself is not listed by name among the dropped files; three small unnamed entries (544B, 544B, 212B) are.
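The four-process chain above is the whole behavioural story of this run, so it is worth having it in a form that can be re-checked mechanically. The following Python script is an added example, not part of the tria.ge report or of any Triage tooling: PROCS is a transcription of the report's process tree (PIDs, images, command lines, parent links), the ns<letter><hex>.tmp pattern is an assumption about NSIS temp-directory naming, and the tag names are this example's own. It rebuilds the parent/child tree, tags each process with the heuristics discussed above (helper executed from an NSIS temp directory, cmd /c on a .bat under %TEMP%, single-echo ping with a timeout) and reports any leaf whose ancestry shows the full chain.

```python
"""
Rebuild the process tree from this report's Processes section and flag the
installer -> ns*.tmp helper -> cmd /c *.bat -> ping chain.

Added example; not part of the tria.ge report. PROCS is transcribed from the
report (PIDs, images, command lines; parent links follow the tree nesting).
NSIS_TMP_DIR encodes an assumed NSIS naming pattern; tag names are our own.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SEP = "\\"


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str
    children: List["Proc"] = field(default_factory=list)


# Constructed input: transcribed from the report's process tree.
PROCS = [
    Proc(2448, None,
         r"C:\Users\Admin\AppData\Local\Temp\09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe"'),
    Proc(2192, 2448,
         r"C:\Users\Admin\AppData\Local\Temp\nso5EC.tmp\internal09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe",
         r"C:\Users\Admin\AppData\Local\Temp\nso5EC.tmp\internal09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe "
         r"C:/Users/Admin/AppData/Local/Temp/nso5EC.tmp "
         r"/baseInstaller='C:/Users/Admin/AppData/Local/Temp/09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe' "
         r"/fallbackfolder='C:/Users/Admin/AppData/Local/Temp/nso5EC.tmp/fallbackfiles/'"),
    Proc(1304, 2192, r"C:\Windows\SysWOW64\cmd.exe",
         r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\29742.bat" "C:\Users\Admin\AppData\Local\Temp\45B3800AC4084E2E8072DECF189242F3\""'),
    Proc(272, 1304, r"C:\Windows\SysWOW64\PING.EXE", "ping 1.1.1.1 -n 1 -w 1000"),
]

# Assumed NSIS convention: helpers are extracted into %TEMP%\ns<letter><hex>.tmp\.
NSIS_TMP_DIR = re.compile(r"\\Temp\\ns[a-z][0-9a-f]{1,8}\.tmp\\", re.IGNORECASE)
# A .bat somewhere under %TEMP% handed to cmd.
TEMP_BAT = re.compile(r'\\Temp\\[^"\s]+\.bat\b', re.IGNORECASE)
# Exactly one echo request with an explicit timeout: connectivity probe or batch-file sleep.
PING_ONESHOT = re.compile(r"\bping\b.*\s-n\s+1\b.*\s-w\s+\d+", re.IGNORECASE)
CHAIN = {"nsis_tmp_dir_exe", "batch_from_temp", "ping_probe_or_delay"}


def build_tree(procs: List[Proc]) -> Dict[int, Proc]:
    """Index by PID and link children (children lists are rebuilt each call)."""
    by_pid = {p.pid: p for p in procs}
    for p in procs:
        p.children = []
    for p in procs:
        if p.ppid in by_pid:
            by_pid[p.ppid].children.append(p)
    return by_pid


def ancestry(by_pid: Dict[int, Proc], pid: int) -> List[Proc]:
    """Root-first list of processes from the top of the tree down to pid."""
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return list(reversed(chain))


def tag_process(p: Proc) -> List[str]:
    image = p.image.lower()
    tags = []
    if NSIS_TMP_DIR.search(p.image):
        tags.append("nsis_tmp_dir_exe")
    if image.endswith(SEP + "cmd.exe") and TEMP_BAT.search(p.cmdline):
        tags.append("batch_from_temp")
    if image.endswith(SEP + "ping.exe") and PING_ONESHOT.search(p.cmdline):
        tags.append("ping_probe_or_delay")
    return tags


def find_chains(by_pid: Dict[int, Proc]) -> List[Tuple[int, List[str]]]:
    """(leaf PID, tags along its ancestry) for every leaf whose ancestry shows the full chain."""
    hits = []
    for p in by_pid.values():
        if p.children:
            continue
        tags = [t for a in ancestry(by_pid, p.pid) for t in tag_process(a)]
        if CHAIN <= set(tags):
            hits.append((p.pid, tags))
    return hits


def render(by_pid: Dict[int, Proc], pid: Optional[int] = None, depth: int = 0) -> List[str]:
    """Indented text tree; a root is any process whose parent is not in the list."""
    nodes = ([p for p in by_pid.values() if p.ppid not in by_pid] if pid is None
             else by_pid[pid].children)
    lines = []
    for p in nodes:
        tags = ",".join(tag_process(p)) or "-"
        lines.append(f"{'  ' * depth}{p.pid} {p.image.rsplit(SEP, 1)[-1]} [{tags}]")
        lines.extend(render(by_pid, p.pid, depth + 1))
    return lines


if __name__ == "__main__":
    tree = build_tree(PROCS)
    print("\n".join(render(tree)))
    for leaf, tags in find_chains(tree):
        print(f"chain ending in PID {leaf}: {' -> '.join(tags)}")
```

The chain test deliberately requires all three tags along one ancestry: any single one (an NSIS temp directory, a batch file in %TEMP%, a one-shot ping) is common in legitimate installers, and it is the combination, in parent/child order, that is worth an analyst's time.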
Network
MITRE ATT&CK Enterprise v15
Downloads (files dropped or extracted during the run)
Path: (not listed on this page)
Filesize: 544B
MD5: 5eeb678c4a0fbe0b0248965d41de41d7
SHA1: e1a7432ff355ca554040df9d2e83b30598155043
SHA256: a4d6d7c391eb7ef5c47bbfa0d63d7e5a095104e66541f80eb350dfca15f68aec
SHA512: b7bf567ba142d84711d7e3f74b3e2e3db80869cfe8a9c9c6fdd66cbfe38a0f99593b0a1350d3f7ff90986ae964f8e5d52f7b935f1856ef50c2ab57b1b27ef89c

Path: (not listed on this page)
Filesize: 544B
MD5: 076042e936cb1de29be028cba28d7d1b
SHA1: 0e7351689b78e014af7d7253bcc3b6aa91ea0130
SHA256: 00df9fd740ebcfe47b8cb51078aa568159259ba6ad05f11410a34dec9379a1bb
SHA512: 53d760e14804086052835e48804b44e6fbea88aaa2a4162c9ece3ab525da44f46e0fadfdfaca7b64a5dba82b4d551b203dd83e291a9c31bf82e326617c2efe8b

Path: (not listed on this page)
Filesize: 212B
MD5: 668767f1e0c7ff2b3960447e259e9f00
SHA1: 32d8abf834cce72f5e845175a0af2513b00504d8
SHA256: cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d
SHA512: c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Path: C:\Users\Admin\AppData\Local\Temp\45B3800AC4084E2E8072DECF189242F3\45B3800AC4084E2E8072DECF189242F3_LogFile.txt (first of three captures of this file; it grew from 2KB to 3KB to 5KB during the run, so each capture has its own hashes)
Filesize: 2KB
MD5: 6ee01b03e1b83a8a816aecf779eafcb4
SHA1: 3239248c79673bc76d028c21f42327ac751e224f
SHA256: 17c4775f6659d17cef3b18dd8bfd42b692530873664044da6b455f0696f9cdad
SHA512: db556c7e5ef455e293ffed696cc60f7ed7a4bdf3f9c699ce13e7a6b3d530a121839e14d6311cc879cab75288a53af3f13c7a0f9eb9680f60d1a065787ab9d54a

Path: C:\Users\Admin\AppData\Local\Temp\45B3800AC4084E2E8072DECF189242F3\45B3800AC4084E2E8072DECF189242F3_LogFile.txt (second capture)
Filesize: 3KB
MD5: 0684682e47f14ab0248441b446b39e12
SHA1: ee9a9e73b7f2b4175d529c0a93099668cdf59290
SHA256: 4e23e052d5e90c428a7e729263e508544ba855687c91ebb60558c06dba6cc2a5
SHA512: 9d0994750d2e27ea2faba42e0e339bda19c4472f48002013db5df958e8f93fe6ec9aa095db90d3bcffd9ce999f55ffff657a77d332414a11f8b171bd7e981a2b

Path: C:\Users\Admin\AppData\Local\Temp\45B3800AC4084E2E8072DECF189242F3\45B3800AC4084E2E8072DECF189242F3_LogFile.txt (third capture)
Filesize: 5KB
MD5: a5f6d53c9c8423f0f7a9529d1697b9a8
SHA1: c0e2a007036088ea376b35c264fa147cc9c507e1
SHA256: 50f392b70239d5e04b61d8ec0bf7d36b7b6650d3b463cd6003c2ae4bf74b3fc3
SHA512: df997023d4dc92e5ee108e75694279718cabc4bc14fabb94d08b76a9d93834b61661ebc3d99588e10ed47d909585631ba998695558409f61a368f49237f6ded0

Path: (not listed on this page)
Filesize: 46KB
MD5: 34102968432410a7c1422156df08891e
SHA1: 4e4ada0209086f98bde9c98f03d7da8183257923
SHA256: 8eae57c5db0f73e3513b7c0f39e1cac0bd32af78eb9e512b326739e577775675
SHA512: fd9e95ecd450297399f054af823e160be13aa4158816c35e6c5d265ea8bec978fcf357efcd3dd6b4832f56d705a3a43297b4a45e2e785b010e653c546d9f5af8

Path: (not listed on this page)
Filesize: 142KB
MD5: 3edca5be7ec88fc61ac0df56e9bbee9b
SHA1: 8d57c8ba39ccd3fe6360a959090d988105768a21
SHA256: a5e9740a4389950d2b36a8d9eb9c5e3c611400a1b29c17e80ceac2e6af50e6a9
SHA512: 057330fbc93ef117789e5bb61a4c7fa348374e8769e0a8cdc53349e5e9382a75fc7c05a335698ac10169e0a1013ce801afa29421994bbfd3db570cd9c997bb7f

Path: (not listed on this page)
Filesize: 608KB
MD5: 1bd69b138c5b77bfc11ef8ef18263a1f
SHA1: 0ef81f61b5ff325a5e47e96ff044a5ca2b211bf6
SHA256: ca20e9421c499324bf51a41bb156dc4ebf466b2f279e27059079a07fca0ca8b1
SHA512: e4ee339aefd47529e5f290a4685d2268d189123112e338bd5b397defd9b8679ee3445d2688def20d59fc5f7098055357348406fc1a91decf158bfa5367220e7d

Path: (not listed on this page)
Filesize: 208KB
MD5: 75e10bbc4a869080b47c151c05e83777
SHA1: df12169fec3c26da438733ecfc8aad6cbb437eab
SHA256: 83f1801408b2592036c221c7cdfd661bc852c06433fa77ce719926bc8195c5f3
SHA512: de850e0a4912aa187869d67d3be0cf87afa2981e8f33e9ab43081b8ceb85ff6780e890483a03df32b3c35409a37cd7909b0d317e3abd9eee9a26dacfbebf6a61

Path: C:\Users\Admin\AppData\Local\Temp\nso5EC.tmp\internal09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118_icon.ico
Filesize: 31KB
MD5: 30430957e675f266e56dac20764c081c
SHA1: 18f71953953787795e0b0b32bcc367d23a67b5f5
SHA256: 5f281671e0eba3728c0f2d46f05721042c9ea98f5d02791438dbfdfa3e15dba6
SHA512: 3a888725349d1b1b9313b62c1666dce55a2132b1d3b4fa9f05bf65c5bb966ebe47ccb42c9f00dded0d0858c4658085b6fbbed601e30edaddc5dcec78266a8fcb

Path: C:\Users\Admin\AppData\Local\Temp\nso5EC.tmp\internal09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118_splash.png
Filesize: 129KB
MD5: 86c6e4408d9a14285fe4148f0d4695b6
SHA1: a974a8b1225635490176fe02893dc0395f22bcc5
SHA256: f69c403c12436a163a4f8324562fe45c000f6b6eaf3fe940591b5f296086663a
SHA512: 2ab52a54371a34db5aa9c4b2cf1fa60b56e6ca06db1ecf9f6e5d79ce2dd446eb833779e6cacee00e8fb9909882d3ad5495af464b4df4c8d13f73d6935a091ff6

Path: \Users\Admin\AppData\Local\Temp\nso5EC.tmp\internal09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe (the second-stage executable that runs as PID 2192)
Filesize: 1.7MB
MD5: 2ee2b50b5e4ca76e33244569b962c139
SHA1: 2dc786b5da140ba79e6fd6288e8f6c34e0d8dab3
SHA256: d47132aafe3e47d4296266854582c3056bc527efcf2982652bd33e2108255b44
SHA512: cba8d1c5f9ee4102310acf8cb1990952611ccacb82d2ec7fc76741e0651a1569090d09af3408e45c79362d8a22d0643549a38115750de3536edad44241dd2f11
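The dropped-file records arrive from the page extractor in a flattened form (label and value run together, e.g. MD5<hex>, and Filesize sometimes on its own line with the size on the next), which is awkward to feed into an IOC list by hand. The script below is an added example, not part of the tria.ge report or its tooling: RAW is a transcription of four of the records above in that flattened form (constructed input; path-less records stay path-less rather than being guessed), and the parser turns them into structured entries, checks that each hash has the right length for its algorithm, groups repeated captures of the same path, and classifies each file by extension. Size units are the site's rounded B/KB/MB, so byte counts are approximate by design.

```python
"""
Parse flattened tria.ge dropped-file records into IOC entries and sanity-check them.

Added example; not part of the tria.ge report. RAW is a constructed transcription
of four records from the report's Downloads section in the extractor's flattened
form. Hash lengths (hex chars) are the standard ones for each algorithm.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional

RAW = r"""
C:\Users\Admin\AppData\Local\Temp\45B3800AC4084E2E8072DECF189242F3\45B3800AC4084E2E8072DECF189242F3_LogFile.txt
Filesize2KB
MD56ee01b03e1b83a8a816aecf779eafcb4
SHA13239248c79673bc76d028c21f42327ac751e224f
SHA25617c4775f6659d17cef3b18dd8bfd42b692530873664044da6b455f0696f9cdad
SHA512db556c7e5ef455e293ffed696cc60f7ed7a4bdf3f9c699ce13e7a6b3d530a121839e14d6311cc879cab75288a53af3f13c7a0f9eb9680f60d1a065787ab9d54a
-
C:\Users\Admin\AppData\Local\Temp\45B3800AC4084E2E8072DECF189242F3\45B3800AC4084E2E8072DECF189242F3_LogFile.txt
Filesize3KB
MD50684682e47f14ab0248441b446b39e12
SHA1ee9a9e73b7f2b4175d529c0a93099668cdf59290
SHA2564e23e052d5e90c428a7e729263e508544ba855687c91ebb60558c06dba6cc2a5
SHA5129d0994750d2e27ea2faba42e0e339bda19c4472f48002013db5df958e8f93fe6ec9aa095db90d3bcffd9ce999f55ffff657a77d332414a11f8b171bd7e981a2b
-
Filesize
544B
MD55eeb678c4a0fbe0b0248965d41de41d7
SHA1e1a7432ff355ca554040df9d2e83b30598155043
SHA256a4d6d7c391eb7ef5c47bbfa0d63d7e5a095104e66541f80eb350dfca15f68aec
SHA512b7bf567ba142d84711d7e3f74b3e2e3db80869cfe8a9c9c6fdd66cbfe38a0f99593b0a1350d3f7ff90986ae964f8e5d52f7b935f1856ef50c2ab57b1b27ef89c
-
\Users\Admin\AppData\Local\Temp\nso5EC.tmp\internal09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe
Filesize1.7MB
MD52ee2b50b5e4ca76e33244569b962c139
SHA12dc786b5da140ba79e6fd6288e8f6c34e0d8dab3
SHA256d47132aafe3e47d4296266854582c3056bc527efcf2982652bd33e2108255b44
SHA512cba8d1c5f9ee4102310acf8cb1990952611ccacb82d2ec7fc76741e0651a1569090d09af3408e45c79362d8a22d0643549a38115750de3536edad44241dd2f11
"""

# Longest labels first so "SHA1..." is never mistaken for a prefix of "SHA256..."/"SHA512...".
HASH_LABELS = (("SHA512", 128), ("SHA256", 64), ("SHA1", 40), ("MD5", 32))
SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)\s*(B|KB|MB|GB)$", re.IGNORECASE)
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
EXEC_EXT = {"exe", "dll", "bat", "cmd", "ps1", "vbs", "js", "scr"}
ASSET_EXT = {"ico", "png", "bmp", "jpg", "gif"}
LOG_EXT = {"txt", "log"}


def parse_size(text: str) -> int:
    m = SIZE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(float(m.group(1)) * UNITS[m.group(2).upper()])


def parse_records(raw: str) -> List[Dict]:
    """Split on '-' separators; a record is {path, size_bytes, hashes}."""
    records: List[Dict] = []
    cur: Optional[Dict] = None
    pending_size = False
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        if line == "-":  # record separator
            if cur is not None:
                records.append(cur)
            cur = None
            continue
        if cur is None:
            cur = {"path": None, "size_bytes": None, "hashes": {}}
        if pending_size:  # "Filesize" was on its own line; this line is the value
            cur["size_bytes"] = parse_size(line)
            pending_size = False
            continue
        if line.startswith("Filesize"):
            rest = line[len("Filesize"):].strip()
            if rest:
                cur["size_bytes"] = parse_size(rest)
            else:
                pending_size = True
            continue
        for label, _ in HASH_LABELS:
            if line.startswith(label):
                cur["hashes"][label.lower()] = line[len(label):].strip().lower()
                break
        else:
            cur["path"] = line  # anything else is the dropped file's path
    if cur is not None:
        records.append(cur)
    return records


def validate(rec: Dict) -> List[str]:
    """Return a list of problems; empty means the record is usable as an IOC."""
    problems = []
    for label, n in HASH_LABELS:
        h = rec["hashes"].get(label.lower())
        if h is None:
            problems.append(f"missing {label}")
        elif not re.fullmatch(rf"[0-9a-f]{{{n}}}", h):
            problems.append(f"{label} is not {n} hex chars")
    if rec["size_bytes"] is None:
        problems.append("missing size")
    return problems


def group_by_path(records: List[Dict]) -> Dict[str, List[Dict]]:
    """Same path listed more than once means the file was captured at several points."""
    groups: Dict[str, List[Dict]] = defaultdict(list)
    for r in records:
        if r["path"]:
            groups[r["path"]].append(r)
    return groups


def classify(path: Optional[str]) -> str:
    if not path:
        return "unnamed"
    name = path.rsplit("\\", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in EXEC_EXT:
        return "executable"
    if ext in ASSET_EXT:
        return "asset"
    if ext in LOG_EXT:
        return "log"
    return "other"


if __name__ == "__main__":
    recs = parse_records(RAW)
    for r in recs:
        print(classify(r["path"]), r["size_bytes"], r["hashes"]["sha256"], r["path"] or "(no path)",
              validate(r) or "ok")
    for path, versions in group_by_path(recs).items():
        if len(versions) > 1:
            print(f"{len(versions)} captures of {path}")
```

When exporting these as indicators, keep the executable and the unnamed entries; the log captures and the icon/splash assets are evidence of what ran but are poor blocklist material, since their hashes change with every run or are shared with benign software.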