Analysis
max time kernel: 150s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/10/2024, 20:42
Static task: static1
Behavioral task: behavioral1
  Sample: 14da9c0b740465e340110e7770b3964f_JaffaCakes118.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 14da9c0b740465e340110e7770b3964f_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: 14da9c0b740465e340110e7770b3964f_JaffaCakes118.exe
Size: 333KB
MD5: 14da9c0b740465e340110e7770b3964f
SHA1: 97b0e9948e955c958f84f9eca0fc8b5956e8be37
SHA256: a9a2e5d1e392fde875e5bf12c25ec17c92f91346b5fbbd58a79daaec08d7a3b6
SHA512: d29797bab0e845284b42d05b009802e994023197a50c897729ba49443fd1055e8dd8cfd46096d6d42ac738fe75fa7f562c5e090ac82f355474e7ce45b4210524
SSDEEP: 6144:CxF74bab59oicM835IPUdv4+n+IW+xdY2DDQdsiyfxPh4eUT/1XPGL1qmY+D527z:7ba19otM83Rv+IZTbD7iy5kThGLy
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 2272  Process: ximeba.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{EECB477B-556D-BCA0-2FFD-6323E2087921} = "C:\\Users\\Admin\\AppData\\Roaming\\Hycoet\\ximeba.exe"  Process: ximeba.exe
- Suspicious use of SetThreadContext (1 IoC)
  PID 1192 set thread context of 3696  Process: 14da9c0b740465e340110e7770b3964f_JaffaCakes118.exe  procid_target: 90
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: 14da9c0b740465e340110e7770b3964f_JaffaCakes118.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: ximeba.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: cmd.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 2272  Process: ximeba.exe  (the same entry is repeated 64 times)
- Suspicious use of WriteProcessMemory (64 IoCs)
  pid   Process                                              wrote to memory of   procid_target   entries
  1192  14da9c0b740465e340110e7770b3964f_JaffaCakes118.exe   2272                 89              3
  2272  ximeba.exe                                           2996                 50              5
  2272  ximeba.exe                                           3056                 51              5
  2272  ximeba.exe                                           3100                 52              5
  2272  ximeba.exe                                           3460                 56              5
  2272  ximeba.exe                                           3556                 57              5
  2272  ximeba.exe                                           3772                 58              5
  2272  ximeba.exe                                           3860                 59              5
  2272  ximeba.exe                                           3928                 60              5
  2272  ximeba.exe                                           4052                 61              5
  2272  ximeba.exe                                           4132                 62              5
  2272  ximeba.exe                                           2108                 64              5
  2272  ximeba.exe                                           4624                 76              5
  2272  ximeba.exe                                           2456                 78              1
Processes
- C:\Windows\system32\sihost.exe  (PID 2996)
  command line: sihost.exe
- C:\Windows\system32\svchost.exe  (PID 3056)
  command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- C:\Windows\system32\taskhostw.exe  (PID 3100)
  command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- C:\Windows\Explorer.EXE  (PID 3460)
  command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\14da9c0b740465e340110e7770b3964f_JaffaCakes118.exe  (PID 1192)
    command line: "C:\Users\Admin\AppData\Local\Temp\14da9c0b740465e340110e7770b3964f_JaffaCakes118.exe"
    signatures: Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Hycoet\ximeba.exe  (PID 2272)
      command line: "C:\Users\Admin\AppData\Roaming\Hycoet\ximeba.exe"
      signatures: Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe  (PID 3696)
      command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpaf15f02d.bat"
      signatures: System Location Discovery: System Language Discovery
- C:\Windows\system32\svchost.exe  (PID 3556)
  command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- C:\Windows\system32\DllHost.exe  (PID 3772)
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  (PID 3860)
  command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- C:\Windows\System32\RuntimeBroker.exe  (PID 3928)
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  (PID 4052)
  command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- C:\Windows\System32\RuntimeBroker.exe  (PID 4132)
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe  (PID 2108)
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe  (PID 4624)
  command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2456)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3672)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=127.0.6533.89 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=127.0.2651.86 --initial-client-data=0x238,0x23c,0x240,0x234,0x248,0x7ff85c6cd198,0x7ff85c6cd1a4,0x7ff85c6cd1b0
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2472)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2140,i,11708048364682646792,608099842549576907,262144 --variations-seed-version --mojo-platform-channel-handle=2136 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5008)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=1820,i,11708048364682646792,608099842549576907,262144 --variations-seed-version --mojo-platform-channel-handle=2172 /prefetch:3
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2952)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2400,i,11708048364682646792,608099842549576907,262144 --variations-seed-version --mojo-platform-channel-handle=2716 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4792)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1416,i,11708048364682646792,608099842549576907,262144 --variations-seed-version --mojo-platform-channel-handle=4412 /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 271B
  MD5: 28e1a1771b18ea4648c2b24c357554c3
  SHA1: 79cdc9ac079355bd1712e9d732a70d12062dc78c
  SHA256: 3e7e2a3cb4ae11d71e5fb8fcddb583dceaa544820db80e582633177a8f0e6d64
  SHA512: 30e56399e63aa7bc4fc2cf4209ccb596406f0f95318bc72a11ffc8d5df715db36ed18bde2acf5a66b54bb361e09dde05cbbb900d2fb1304f5fb25f04a3f7db9d
- Filesize: 333KB
  MD5: 8bdc3aa93a262421f384b6364778fe38
  SHA1: 3044c24ae0b8fadf9b63e63e677529ebd8356e51
  SHA256: 5b0b8c6c7580caa093f728b6b7c884bd59d6b2a0e5ead79c067b89bba4725719
  SHA512: 5868970be755976ca4b1f223de67cb12338edf4930cc98907d8cab1f8dd6de3d567d4a996e40867a8c564155b1f1adf26c18b60b757abefd2d5056b1e3bad392