Analysis

max time kernel: 148s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/10/2024, 01:29
Static task: static1

Behavioral task: behavioral1
Sample: 3d11e305c3f94306192feff8aa587b4d_JaffaCakes118.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: 3d11e305c3f94306192feff8aa587b4d_JaffaCakes118.exe
Resource: win10v2004-20241007-en
General

Target: 3d11e305c3f94306192feff8aa587b4d_JaffaCakes118.exe
Size: 396KB
MD5: 3d11e305c3f94306192feff8aa587b4d
SHA1: b732d4389d153701226ce382ecdc62fd2d2890e5
SHA256: e0c611206e7afa94caf267cb42cb7c772e1a1955a43506128ed143b93772fd22
SHA512: 2343f429209b3e272d32a035f907a73e51b6930949614d4629cd669431bb8bde15791b06fc79af4def2e64ada7f33f461aaf6aef1b8e26fab2171f21cdd09a39
SSDEEP: 6144:WBiIchoPgj9eXVcOcOb0yL8yvImI7UVbVTRg23gyTiLBS+lWlE9YlxwT:giIciKeZcOAyLbvImTVbVTuktiR9WwT
Malware Config
Signatures

Executes dropped EXE (20 IoCs)
pid | Process
2540 | crss.exe
4972 | crss.exe
3152 | crss.exe
4384 | crss.exe
2224 | crss.exe
4140 | crss.exe
4028 | crss.exe
2716 | crss.exe
1720 | crss.exe
4776 | crss.exe
636 | crss.exe
4056 | crss.exe
4592 | crss.exe
1680 | crss.exe
4392 | crss.exe
2252 | crss.exe
2256 | crss.exe
4680 | crss.exe
2428 | crss.exe
4988 | crss.exe
Drops file in System32 directory (22 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\crss.exe | crss.exe
File opened for modification | C:\Windows\SysWOW64\crss.exe | crss.exe
File opened for modification | C:\Windows\SysWOW64\crss.exe | crss.exe
File created | C:\Windows\SysWOW64\crss.exe | crss.exe
File opened for modification | C:\Windows\SysWOW64\crss.exe | crss.exe
File opened for modification | C:\Windows\SysWOW64\crss.exe | crss.exe
File created | C:\Windows\SysWOW64\crss.exe | crss.exe
File created | C:\Windows\SysWOW64\crss.exe | crss.exe
File created | C:\Windows\SysWOW64\crss.exe | crss.exe
File created | C:\Windows\SysWOW64\crss.exe | 3d11e305c3f94306192feff8aa587b4d_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\crss.exe | crss.exe
File created | C:\Windows\SysWOW64\crss.exe | crss.exe
File opened for modification | C:\Windows\SysWOW64\crss.exe | crss.exe
File opened for modification | C:\Windows\SysWOW64\crss.exe | crss.exe
File created | C:\Windows\SysWOW64\crss.exe | crss.exe
File opened for modification | C:\Windows\SysWOW64\crss.exe | crss.exe
File created | C:\Windows\SysWOW64\crss.exe | crss.exe
File opened for modification | C:\Windows\SysWOW64\crss.exe | 3d11e305c3f94306192feff8aa587b4d_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\crss.exe | crss.exe
File opened for modification | C:\Windows\SysWOW64\crss.exe | crss.exe
File created | C:\Windows\SysWOW64\crss.exe | crss.exe
File opened for modification | C:\Windows\SysWOW64\crss.exe | crss.exe
Suspicious use of SetThreadContext (11 IoCs)
description | pid | Process | procid_target
PID 1604 set thread context of 4740 | 1604 | 3d11e305c3f94306192feff8aa587b4d_JaffaCakes118.exe | 83
PID 2540 set thread context of 4972 | 2540 | crss.exe | 86
PID 3152 set thread context of 4384 | 3152 | crss.exe | 90
PID 2224 set thread context of 4140 | 2224 | crss.exe | 94
PID 4028 set thread context of 2716 | 4028 | crss.exe | 97
PID 1720 set thread context of 4776 | 1720 | crss.exe | 99
PID 636 set thread context of 4056 | 636 | crss.exe | 101
PID 4592 set thread context of 1680 | 4592 | crss.exe | 103
PID 4392 set thread context of 2252 | 4392 | crss.exe | 105
PID 2256 set thread context of 4680 | 2256 | crss.exe | 107
PID 2428 set thread context of 4988 | 2428 | crss.exe | 109
System Location Discovery: System Language Discovery (1 TTP, 22 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | crss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | crss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | crss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | crss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | crss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | crss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | crss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | crss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3d11e305c3f94306192feff8aa587b4d_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3d11e305c3f94306192feff8aa587b4d_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | crss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | crss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | crss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | crss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | crss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | crss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | crss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | crss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | crss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | crss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | crss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | crss.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 1604 wrote to memory of 4740 | 1604 | 3d11e305c3f94306192feff8aa587b4d_JaffaCakes118.exe | 83
PID 1604 wrote to memory of 4740 | 1604 | 3d11e305c3f94306192feff8aa587b4d_JaffaCakes118.exe | 83
PID 1604 wrote to memory of 4740 | 1604 | 3d11e305c3f94306192feff8aa587b4d_JaffaCakes118.exe | 83
PID 1604 wrote to memory of 4740 | 1604 | 3d11e305c3f94306192feff8aa587b4d_JaffaCakes118.exe | 83
PID 1604 wrote to memory of 4740 | 1604 | 3d11e305c3f94306192feff8aa587b4d_JaffaCakes118.exe | 83
PID 4740 wrote to memory of 2540 | 4740 | 3d11e305c3f94306192feff8aa587b4d_JaffaCakes118.exe | 85
PID 4740 wrote to memory of 2540 | 4740 | 3d11e305c3f94306192feff8aa587b4d_JaffaCakes118.exe | 85
PID 4740 wrote to memory of 2540 | 4740 | 3d11e305c3f94306192feff8aa587b4d_JaffaCakes118.exe | 85
PID 2540 wrote to memory of 4972 | 2540 | crss.exe | 86
PID 2540 wrote to memory of 4972 | 2540 | crss.exe | 86
PID 2540 wrote to memory of 4972 | 2540 | crss.exe | 86
PID 2540 wrote to memory of 4972 | 2540 | crss.exe | 86
PID 2540 wrote to memory of 4972 | 2540 | crss.exe | 86
PID 4972 wrote to memory of 3152 | 4972 | crss.exe | 89
PID 4972 wrote to memory of 3152 | 4972 | crss.exe | 89
PID 4972 wrote to memory of 3152 | 4972 | crss.exe | 89
PID 3152 wrote to memory of 4384 | 3152 | crss.exe | 90
PID 3152 wrote to memory of 4384 | 3152 | crss.exe | 90
PID 3152 wrote to memory of 4384 | 3152 | crss.exe | 90
PID 3152 wrote to memory of 4384 | 3152 | crss.exe | 90
PID 3152 wrote to memory of 4384 | 3152 | crss.exe | 90
PID 4384 wrote to memory of 2224 | 4384 | crss.exe | 93
PID 4384 wrote to memory of 2224 | 4384 | crss.exe | 93
PID 4384 wrote to memory of 2224 | 4384 | crss.exe | 93
PID 2224 wrote to memory of 4140 | 2224 | crss.exe | 94
PID 2224 wrote to memory of 4140 | 2224 | crss.exe | 94
PID 2224 wrote to memory of 4140 | 2224 | crss.exe | 94
PID 2224 wrote to memory of 4140 | 2224 | crss.exe | 94
PID 2224 wrote to memory of 4140 | 2224 | crss.exe | 94
PID 4140 wrote to memory of 4028 | 4140 | crss.exe | 96
PID 4140 wrote to memory of 4028 | 4140 | crss.exe | 96
PID 4140 wrote to memory of 4028 | 4140 | crss.exe | 96
PID 4028 wrote to memory of 2716 | 4028 | crss.exe | 97
PID 4028 wrote to memory of 2716 | 4028 | crss.exe | 97
PID 4028 wrote to memory of 2716 | 4028 | crss.exe | 97
PID 4028 wrote to memory of 2716 | 4028 | crss.exe | 97
PID 4028 wrote to memory of 2716 | 4028 | crss.exe | 97
PID 2716 wrote to memory of 1720 | 2716 | crss.exe | 98
PID 2716 wrote to memory of 1720 | 2716 | crss.exe | 98
PID 2716 wrote to memory of 1720 | 2716 | crss.exe | 98
PID 1720 wrote to memory of 4776 | 1720 | crss.exe | 99
PID 1720 wrote to memory of 4776 | 1720 | crss.exe | 99
PID 1720 wrote to memory of 4776 | 1720 | crss.exe | 99
PID 1720 wrote to memory of 4776 | 1720 | crss.exe | 99
PID 1720 wrote to memory of 4776 | 1720 | crss.exe | 99
PID 4776 wrote to memory of 636 | 4776 | crss.exe | 100
PID 4776 wrote to memory of 636 | 4776 | crss.exe | 100
PID 4776 wrote to memory of 636 | 4776 | crss.exe | 100
PID 636 wrote to memory of 4056 | 636 | crss.exe | 101
PID 636 wrote to memory of 4056 | 636 | crss.exe | 101
PID 636 wrote to memory of 4056 | 636 | crss.exe | 101
PID 636 wrote to memory of 4056 | 636 | crss.exe | 101
PID 636 wrote to memory of 4056 | 636 | crss.exe | 101
PID 4056 wrote to memory of 4592 | 4056 | crss.exe | 102
PID 4056 wrote to memory of 4592 | 4056 | crss.exe | 102
PID 4056 wrote to memory of 4592 | 4056 | crss.exe | 102
PID 4592 wrote to memory of 1680 | 4592 | crss.exe | 103
PID 4592 wrote to memory of 1680 | 4592 | crss.exe | 103
PID 4592 wrote to memory of 1680 | 4592 | crss.exe | 103
PID 4592 wrote to memory of 1680 | 4592 | crss.exe | 103
PID 4592 wrote to memory of 1680 | 4592 | crss.exe | 103
PID 1680 wrote to memory of 4392 | 1680 | crss.exe | 104
PID 1680 wrote to memory of 4392 | 1680 | crss.exe | 104
PID 1680 wrote to memory of 4392 | 1680 | crss.exe | 104
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\3d11e305c3f94306192feff8aa587b4d_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\3d11e305c3f94306192feff8aa587b4d_JaffaCakes118.exe"
PID: 1604
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Depth 2: C:\Users\Admin\AppData\Local\Temp\3d11e305c3f94306192feff8aa587b4d_JaffaCakes118.exe
Command line: C:\Users\Admin\AppData\Local\Temp\3d11e305c3f94306192feff8aa587b4d_JaffaCakes118.exe
PID: 4740
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Depth 3: C:\Windows\SysWOW64\crss.exe
Command line: C:\Windows\system32\crss.exe 1168 "C:\Users\Admin\AppData\Local\Temp\3d11e305c3f94306192feff8aa587b4d_JaffaCakes118.exe"
PID: 2540
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Depth 4: C:\Windows\SysWOW64\crss.exe
Command line: C:\Windows\SysWOW64\crss.exe
PID: 4972
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Depth 5: C:\Windows\SysWOW64\crss.exe
Command line: C:\Windows\system32\crss.exe 1152 "C:\Windows\SysWOW64\crss.exe"
PID: 3152
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Depth 6: C:\Windows\SysWOW64\crss.exe
Command line: C:\Windows\SysWOW64\crss.exe
PID: 4384
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Depth 7: C:\Windows\SysWOW64\crss.exe
Command line: C:\Windows\system32\crss.exe 1120 "C:\Windows\SysWOW64\crss.exe"
PID: 2224
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Depth 8: C:\Windows\SysWOW64\crss.exe
Command line: C:\Windows\SysWOW64\crss.exe
PID: 4140
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Depth 9: C:\Windows\SysWOW64\crss.exe
Command line: C:\Windows\system32\crss.exe 1120 "C:\Windows\SysWOW64\crss.exe"
PID: 4028
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Depth 10: C:\Windows\SysWOW64\crss.exe
Command line: C:\Windows\SysWOW64\crss.exe
PID: 2716
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Depth 11: C:\Windows\SysWOW64\crss.exe
Command line: C:\Windows\system32\crss.exe 1124 "C:\Windows\SysWOW64\crss.exe"
PID: 1720
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Depth 12: C:\Windows\SysWOW64\crss.exe
Command line: C:\Windows\SysWOW64\crss.exe
PID: 4776
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Depth 13: C:\Windows\SysWOW64\crss.exe
Command line: C:\Windows\system32\crss.exe 1124 "C:\Windows\SysWOW64\crss.exe"
PID: 636
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Depth 14: C:\Windows\SysWOW64\crss.exe
Command line: C:\Windows\SysWOW64\crss.exe
PID: 4056
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Depth 15: C:\Windows\SysWOW64\crss.exe
Command line: C:\Windows\system32\crss.exe 1120 "C:\Windows\SysWOW64\crss.exe"
PID: 4592
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Depth 16: C:\Windows\SysWOW64\crss.exe
Command line: C:\Windows\SysWOW64\crss.exe
PID: 1680
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Depth 17: C:\Windows\SysWOW64\crss.exe
Command line: C:\Windows\system32\crss.exe 1120 "C:\Windows\SysWOW64\crss.exe"
PID: 4392
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

Depth 18: C:\Windows\SysWOW64\crss.exe
Command line: C:\Windows\SysWOW64\crss.exe
PID: 2252
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery

Depth 19: C:\Windows\SysWOW64\crss.exe
Command line: C:\Windows\system32\crss.exe 1120 "C:\Windows\SysWOW64\crss.exe"
PID: 2256
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

Depth 20: C:\Windows\SysWOW64\crss.exe
Command line: C:\Windows\SysWOW64\crss.exe
PID: 4680
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery

Depth 21: C:\Windows\SysWOW64\crss.exe
Command line: C:\Windows\system32\crss.exe 1124 "C:\Windows\SysWOW64\crss.exe"
PID: 2428
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery

Depth 22: C:\Windows\SysWOW64\crss.exe
Command line: C:\Windows\SysWOW64\crss.exe
PID: 4988
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 396KB
MD5: 3d11e305c3f94306192feff8aa587b4d
SHA1: b732d4389d153701226ce382ecdc62fd2d2890e5
SHA256: e0c611206e7afa94caf267cb42cb7c772e1a1955a43506128ed143b93772fd22
SHA512: 2343f429209b3e272d32a035f907a73e51b6930949614d4629cd669431bb8bde15791b06fc79af4def2e64ada7f33f461aaf6aef1b8e26fab2171f21cdd09a39