Analysis
- max time kernel: 90s
- max time network: 139s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02/10/2024, 13:02
Static task: static1
Behavioral task: behavioral1
  Sample: 0acba0ac120021257125a88dbc2cdd50_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 0acba0ac120021257125a88dbc2cdd50_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
- Target: 0acba0ac120021257125a88dbc2cdd50_JaffaCakes118.exe
- Size: 1.7MB
- MD5: 0acba0ac120021257125a88dbc2cdd50
- SHA1: 99b7514d72734db709c489604f6d30ee5ffff463
- SHA256: d93bdd46966fc445cbd034548bdbb547ea4e499a7ac0eb0db04b76b13bf04fd9
- SHA512: 4314c323d3d7743970bf8477d827ee6a8a3c51cd839b2fdf28eef4e34a73efd04687e2b0a82031e08165232113c2ce0828daa537ebbc1a8766d1c7305f97158c
- SSDEEP: 49152:OZhpafFU8w7Yy2g8+vkJSk1mUlE4M8z4wNCW:Or8f68w7d2P+uSsmUltmwY
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation (0acba0ac120021257125a88dbc2cdd50_JaffaCakes118.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation (STO.exe)
- Executes dropped EXE (1 IoC)
  PID 3328: STO.exe
- Loads dropped DLL (4 IoCs)
  PID 3328: STO.exe
  PID 3328: STO.exe
  PID 4172: 0acba0ac120021257125a88dbc2cdd50_JaffaCakes118.exe
  PID 4172: 0acba0ac120021257125a88dbc2cdd50_JaffaCakes118.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\STO Start = "C:\\Windows\\SysWOW64\\AMFOLL\\STO.exe" (STO.exe)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Indicator Removal: File Deletion (1 TTP)
  Adversaries may delete files left behind by the actions of their intrusion activity.
- Drops file in System32 directory (6 IoCs)
  File created: C:\Windows\SysWOW64\AMFOLL\AKV.exe (0acba0ac120021257125a88dbc2cdd50_JaffaCakes118.exe)
  File opened for modification: C:\Windows\SysWOW64\AMFOLL\ (STO.exe)
  File created: C:\Windows\SysWOW64\AMFOLL\STO.exe (0acba0ac120021257125a88dbc2cdd50_JaffaCakes118.exe)
  File created: C:\Windows\SysWOW64\AMFOLL\STO.004 (0acba0ac120021257125a88dbc2cdd50_JaffaCakes118.exe)
  File created: C:\Windows\SysWOW64\AMFOLL\STO.001 (0acba0ac120021257125a88dbc2cdd50_JaffaCakes118.exe)
  File created: C:\Windows\SysWOW64\AMFOLL\STO.002 (0acba0ac120021257125a88dbc2cdd50_JaffaCakes118.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (0acba0ac120021257125a88dbc2cdd50_JaffaCakes118.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (STO.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
- Modifies registry class (2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings (0acba0ac120021257125a88dbc2cdd50_JaffaCakes118.exe)
  Key created: \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings (OpenWith.exe)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: 33 (PID 3328, STO.exe)
  Token: SeIncBasePriorityPrivilege (PID 3328, STO.exe)
  Token: SeIncBasePriorityPrivilege (PID 3328, STO.exe)
- Suspicious use of SetWindowsHookEx (5 IoCs)
  PID 3328: STO.exe
  PID 3328: STO.exe
  PID 3328: STO.exe
  PID 3328: STO.exe
  PID 2560: OpenWith.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 4172 wrote to memory of 3328 (0acba0ac120021257125a88dbc2cdd50_JaffaCakes118.exe, procid_target 84)
  PID 4172 wrote to memory of 3328 (0acba0ac120021257125a88dbc2cdd50_JaffaCakes118.exe, procid_target 84)
  PID 4172 wrote to memory of 3328 (0acba0ac120021257125a88dbc2cdd50_JaffaCakes118.exe, procid_target 84)
  PID 3328 wrote to memory of 3980 (STO.exe, procid_target 95)
  PID 3328 wrote to memory of 3980 (STO.exe, procid_target 95)
  PID 3328 wrote to memory of 3980 (STO.exe, procid_target 95)
Processes

C:\Users\Admin\AppData\Local\Temp\0acba0ac120021257125a88dbc2cdd50_JaffaCakes118.exe (PID 4172)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0acba0ac120021257125a88dbc2cdd50_JaffaCakes118.exe"
  - Checks computer location settings
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\AMFOLL\STO.exe (PID 3328, child of 4172)
    Command line: "C:\Windows\system32\AMFOLL\STO.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 3980, child of 3328)
      Command line: "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\AMFOLL\STO.exe > nul
      - System Location Discovery: System Language Discovery

C:\Windows\system32\OpenWith.exe (PID 2560)
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx

Note on paths: the command lines name C:\Windows\system32\... while the image paths are under C:\Windows\SysWOW64\...; these are 32-bit processes on a 64-bit host, so WoW64 file system redirection maps their "system32" to SysWOW64. When matching the Run key value, the dropped-file paths and the "del" target against each other or against host telemetry, normalise both spellings to the same directory.
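The two behaviours that matter most for a hunt here are the Run-key persistence into a SysWOW64 subfolder (Signatures section) and the cmd.exe child that deletes its parent's own image (Processes section). The script below is an added example, not tria.ge output or code from the sample: it runs those two checks over a constructed, Sysmon-style event stream built from the PIDs, paths and registry value shown in this report. The event dict field names, the placeholder parent PID 1000 and the benign control event are this example's own assumptions.

```python
import re

# Run-key autostart locations, native and WOW6432Node views alike.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
# An autostart target inside a *subfolder* of SysWOW64 (here SysWOW64\AMFOLL\STO.exe)
# is unusual; legitimate system binaries sit directly in that directory.
SYSWOW_SUBDIR_RE = re.compile(r"^[a-z]:\\windows\\syswow64\\[^\\]+\\[^\\]+\.exe$", re.I)
# "cmd /c del [switches] <target> ..." - captures the deleted path (quoted or bare).
DEL_RE = re.compile(r"/c\s+del\b(?:\s+/[a-z])*\s+(\"[^\"]+\"|\S+)", re.I)


def norm(path):
    """Case-fold and fold WoW64 file-system redirection: a 32-bit process that
    names C:\\Windows\\system32\\... is really touching C:\\Windows\\SysWOW64\\...
    (the report's image path vs. command line for STO.exe shows exactly this)."""
    return path.strip('"').lower().replace("\\system32\\", "\\syswow64\\")


def check_run_key(ev):
    """Flag a registry_set event that writes a Run-key value."""
    if ev.get("type") != "registry_set" or not RUN_KEY_RE.search(ev.get("key", "")):
        return None
    target = ev.get("data", "").strip('"')
    if SYSWOW_SUBDIR_RE.match(target):
        return ("run_key_syswow64_subdir", "%s -> %s" % (ev["key"], target))
    return ("run_key_autostart", "%s -> %s" % (ev["key"], target))


def check_self_delete(ev, parent_image):
    """Flag a cmd.exe child whose 'del' target is its parent's own image."""
    if ev.get("type") != "process_create" or parent_image is None:
        return None
    if not norm(ev.get("image", "")).endswith("\\cmd.exe"):
        return None
    m = DEL_RE.search(ev.get("cmdline", ""))
    if m and norm(m.group(1)) == norm(parent_image):
        return ("parent_self_delete", "%s deleted via: %s" % (parent_image, ev["cmdline"]))
    return None


def hunt(events):
    """Run both checks over an ordered event stream; returns (pid, rule, detail) tuples."""
    images = {}   # pid -> image path, learned from process_create events seen so far
    findings = []
    for ev in events:
        if ev.get("type") == "process_create":
            images[ev["pid"]] = ev["image"]
        for hit in (check_run_key(ev), check_self_delete(ev, images.get(ev.get("ppid")))):
            if hit:
                findings.append((ev.get("pid"),) + hit)
    return findings


# Constructed sample stream (Sysmon-style dicts) built from this report's PIDs, paths
# and Run-key value; field names, parent PID 1000 and the last event are assumptions.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4172, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\0acba0ac120021257125a88dbc2cdd50_JaffaCakes118.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\0acba0ac120021257125a88dbc2cdd50_JaffaCakes118.exe"'},
    {"type": "process_create", "pid": 3328, "ppid": 4172,
     "image": r"C:\Windows\SysWOW64\AMFOLL\STO.exe",
     "cmdline": r'"C:\Windows\system32\AMFOLL\STO.exe"'},
    {"type": "registry_set", "pid": 3328,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\STO Start",
     "data": r"C:\Windows\SysWOW64\AMFOLL\STO.exe"},
    {"type": "process_create", "pid": 3980, "ppid": 3328,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\AMFOLL\STO.exe > nul'},
    # control (constructed, benign): cmd.exe deleting a file that is not its parent's image
    {"type": "process_create", "pid": 5000, "ppid": 1000,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c del /q "C:\Users\Admin\AppData\Local\Temp\setup.log"'},
]

if __name__ == "__main__":
    for pid, rule, detail in hunt(SAMPLE_EVENTS):
        print(pid, rule, detail)
```

The self-delete check keys on the parent relationship rather than on the string "del" alone, which is why the control event produces no finding; the path normalisation is what lets the "system32" spelling in the command line match the SysWOW64 image path recorded for the same process.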
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 513KB
  MD5: 1c95c9f7854cb32731f65e0f234c6e31
  SHA1: 21418b452de2fc68fadcafa6db8e5dfcedbb0a8a
  SHA256: 8c0cf83d1f1409229e75b841aa9149779e9e6b341a5b7073bea304c0dc26fe27
  SHA512: b7facbfd5b2e7a9d2a6ddc933ff8956b99f55a7c94957bdea6e2d80498c65569a7b74f9f75941869646557153ccd420864266c8bb856948ac7e00fc43c6eb802
- Filesize: 78KB
  MD5: 92711372be36753e32f8f405642f3c94
  SHA1: 87d93095e049f45777ec696d152a56e888569001
  SHA256: 8fe11d43d7a1a6b5aa730d10886cf7dbebd8855c8f1aecc848e7172e3997d8b9
  SHA512: 1100b47b236c635647d7fcd9023745b14bb512be816c8bd3c1d872549e01822a9bd3960ad774c628601dfdb36b1f99a194707560a55e32a9e68145baeb4b5676
- Filesize: 55KB
  MD5: e4a425e8d87b40406ff973d1a7d43429
  SHA1: 933417e0c7896c482529c308d0315b78f5a7f1f8
  SHA256: cd01a5dc2415ea267529ec99c6f296642f7262f84e80cac7033d16bc7781a39e
  SHA512: 368ea7e419e01515a492d7c20482a161f74644b0ea09ada9e2950134d64ccc4956a0d7d2dd393a7b1fd3df0f3df1ca8ef947ae58d9b4abbc8770f204fb33c6e5
- Filesize: 1KB
  MD5: 6f6ca93db8939bd4123427b457e528cf
  SHA1: cea25e416d51bf59aa824f84d385bba6438205c4
  SHA256: fae3d787c7b5e6c656848441430840a224295ce8c2d549697651500ad3caa311
  SHA512: 5322dbd09961a271be79bb3c5002d6cc713605682a55462d1df3e29f998f392ce607f2d1f7cd47df7554dacfb89e51705a63eb301426767c7c9bb8e4711f531c
- Filesize: 1.7MB
  MD5: b910f5d24e399a13f6aae20535ac05b4
  SHA1: d062f168245e353da3ad3c2b68e830333f9f1373
  SHA256: 046c39b67b6c83fec1ac111357e4d61340f02a6c90a32bf34e05cfeefb2c74e7
  SHA512: 1677aae44c8ce1d447524543e252f59247c97b8d4d87a3818a7f70d7ec3c788fa97ac4bbe406c1b0a450383a515cb003e390de6baba2d167505850ed6d183274