Analysis
max time kernel: 149s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/12/2024, 14:54
Static task: static1
Behavioral task: behavioral1
  Sample: da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
Behavioral task: behavioral3
  Sample: $PLUGINSDIR/UserInfo.dll
  Resource: win7-20241023-en
Behavioral task: behavioral4
  Sample: $PLUGINSDIR/UserInfo.dll
  Resource: win10v2004-20241007-en
General
Target: da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
Size: 177KB
MD5: da2bb5747bdd2bacb8fa7eee350f74e7
SHA1: b12c7be6bfb1afa62466c9c9dba89810858f1cbd
SHA256: dcc5635f01c83c51b7882a03354cba49028d28d27b18f3d75baa29ce09bb050a
SHA512: 1b2e5736a52ba254c00823acf1456e1273ddd5702f0a0ee564df8335f2664d5d4c1e0ba22bbbef400c31a15937221db80025517e5a2f7af8bb4c74079245cf45
SSDEEP: 3072:yQI+RTXJM0oYA3+5E8yFBv68ijflhR0pkV9GAO6uPyiWtvM3I:yqKk+b8MxaLlIpG9GRPrWtviI
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
- Sality family
- UAC bypass
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Au_.exe
- Deletes itself 1 IoCs
  pid | Process
  2848 | Au_.exe
- Executes dropped EXE 1 IoCs
  pid | Process
  2848 | Au_.exe
- Loads dropped DLL 2 IoCs
  pid | Process
  2848 | Au_.exe
  2848 | Au_.exe
- Checks whether UAC is enabled
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Au_.exe
- resource | yara_rule
  behavioral2/memory/4468-1-0x0000000002380000-0x00000000033B0000-memory.dmp | upx
  behavioral2/memory/4468-3-0x0000000002380000-0x00000000033B0000-memory.dmp | upx
  behavioral2/memory/4468-8-0x0000000002380000-0x00000000033B0000-memory.dmp | upx
  behavioral2/memory/2848-45-0x0000000006790000-0x00000000077C0000-memory.dmp | upx
  behavioral2/memory/2848-50-0x0000000006790000-0x00000000077C0000-memory.dmp | upx
  behavioral2/memory/2848-47-0x0000000006790000-0x00000000077C0000-memory.dmp | upx
  behavioral2/memory/2848-59-0x0000000006790000-0x00000000077C0000-memory.dmp | upx
  behavioral2/memory/2848-68-0x0000000006790000-0x00000000077C0000-memory.dmp | upx
- Drops file in Windows directory 1 IoCs
  description | ioc | Process
  File opened for modification | C:\Windows\SYSTEM.INI | da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Au_.exe
- NSIS installer 4 IoCs
  resource | yara_rule
  behavioral2/files/0x000a000000023b93-29.dat | nsis_installer_1
  behavioral2/files/0x000a000000023b93-29.dat | nsis_installer_2
  behavioral2/files/0x000a000000023b94-33.dat | nsis_installer_1
  behavioral2/files/0x000a000000023b94-33.dat | nsis_installer_2
- Suspicious behavior: EnumeratesProcesses 4 IoCs
  pid | Process
  4468 | da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
  4468 | da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
  2848 | Au_.exe
  2848 | Au_.exe
- Suspicious use of AdjustPrivilegeToken 64 IoCs
  description | pid | Process
  Token: SeDebugPrivilege | 4468 | da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
  (this identical entry is repeated for all 64 IoCs)
- Suspicious use of WriteProcessMemory 34 IoCs
  description | pid | Process | procid_target
  PID 4468 wrote to memory of 792 | 4468 | da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe | 9
  PID 4468 wrote to memory of 800 | 4468 | da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe | 10
  PID 4468 wrote to memory of 60 | 4468 | da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe | 13
  PID 4468 wrote to memory of 2964 | 4468 | da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe | 51
  PID 4468 wrote to memory of 3024 | 4468 | da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe | 52
  PID 4468 wrote to memory of 2636 | 4468 | da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe | 53
  PID 4468 wrote to memory of 3436 | 4468 | da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe | 56
  PID 4468 wrote to memory of 3564 | 4468 | da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe | 57
  PID 4468 wrote to memory of 3740 | 4468 | da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe | 58
  PID 4468 wrote to memory of 3840 | 4468 | da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe | 59
  PID 4468 wrote to memory of 3904 | 4468 | da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe | 60
  PID 4468 wrote to memory of 3992 | 4468 | da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe | 61
  PID 4468 wrote to memory of 4112 | 4468 | da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe | 62
  PID 4468 wrote to memory of 2316 | 4468 | da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe | 64
  PID 4468 wrote to memory of 1800 | 4468 | da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe | 76
  PID 4468 wrote to memory of 3116 | 4468 | da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe | 81
  PID 4468 wrote to memory of 2848 | 4468 | da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe | 83
  PID 4468 wrote to memory of 2848 | 4468 | da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe | 83
  PID 4468 wrote to memory of 2848 | 4468 | da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe | 83
  PID 2848 wrote to memory of 792 | 2848 | Au_.exe | 9
  PID 2848 wrote to memory of 800 | 2848 | Au_.exe | 10
  PID 2848 wrote to memory of 60 | 2848 | Au_.exe | 13
  PID 2848 wrote to memory of 2964 | 2848 | Au_.exe | 51
  PID 2848 wrote to memory of 3024 | 2848 | Au_.exe | 52
  PID 2848 wrote to memory of 2636 | 2848 | Au_.exe | 53
  PID 2848 wrote to memory of 3436 | 2848 | Au_.exe | 56
  PID 2848 wrote to memory of 3564 | 2848 | Au_.exe | 57
  PID 2848 wrote to memory of 3740 | 2848 | Au_.exe | 58
  PID 2848 wrote to memory of 3840 | 2848 | Au_.exe | 59
  PID 2848 wrote to memory of 3904 | 2848 | Au_.exe | 60
  PID 2848 wrote to memory of 3992 | 2848 | Au_.exe | 61
  PID 2848 wrote to memory of 4112 | 2848 | Au_.exe | 62
  PID 2848 wrote to memory of 2316 | 2848 | Au_.exe | 64
  PID 2848 wrote to memory of 1800 | 2848 | Au_.exe | 76
- System policy modification 1 TTPs 2 IoCs
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Au_.exe
Processes
- C:\Windows\system32\fontdrvhost.exe
  Command line: "fontdrvhost.exe"
  PID: 792
- C:\Windows\system32\fontdrvhost.exe
  Command line: "fontdrvhost.exe"
  PID: 800
- C:\Windows\system32\dwm.exe
  Command line: "dwm.exe"
  PID: 60
- C:\Windows\system32\sihost.exe
  Command line: sihost.exe
  PID: 2964
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  PID: 3024
- C:\Windows\system32\taskhostw.exe
  Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  PID: 2636
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3436
  - C:\Users\Admin\AppData\Local\Temp\da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\da2bb5747bdd2bacb8fa7eee350f74e7_JaffaCakes118.exe"
    PID: 4468
    Signatures:
    - UAC bypass
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
      PID: 2848
      Signatures:
      - UAC bypass
      - Deletes itself
      - Executes dropped EXE
      - Loads dropped DLL
      - Checks whether UAC is enabled
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - System policy modification
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  PID: 3564
- C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 3740
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  PID: 3840
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3904
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID: 3992
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 4112
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 2316
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  PID: 1800
- C:\Windows\system32\backgroundTaskHost.exe
  Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  PID: 3116
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (1)
    Disable or Modify Tools (1)
  Modify Registry (2)
Downloads
- Filesize: 105KB
  MD5: 69e2b8ae22dc47742aa03b652ed86ddc
  SHA1: 855a6c671e914c8506556e25eb2485a54c88e37f
  SHA256: d23e5f68811f78196840be19e53ae0e1eb50b05d3b69e175a151a7919b560358
  SHA512: 7d0e6ab6306bab9a501918ce2c8f9f9c28042413e2cd2763a80fe65c1a8eb82c9acbfc4a6b45334bec9a628abe80859418878d1071a1eb7e2c1582f08cff72e0
- Filesize: 4KB
  MD5: 7579ade7ae1747a31960a228ce02e666
  SHA1: 8ec8571a296737e819dcf86353a43fcf8ec63351
  SHA256: 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5
  SHA512: a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b
- Filesize: 177KB
  MD5: da2bb5747bdd2bacb8fa7eee350f74e7
  SHA1: b12c7be6bfb1afa62466c9c9dba89810858f1cbd
  SHA256: dcc5635f01c83c51b7882a03354cba49028d28d27b18f3d75baa29ce09bb050a
  SHA512: 1b2e5736a52ba254c00823acf1456e1273ddd5702f0a0ee564df8335f2664d5d4c1e0ba22bbbef400c31a15937221db80025517e5a2f7af8bb4c74079245cf45
- Filesize: 257B
  MD5: c77dea89d363b17ef9d48b1aa4c5270b
  SHA1: d34cd8a32b892a1f06c947df12b9a40f9f367972
  SHA256: d764c39c2525ab30b0ab99730d246d142fff3856b159be47c59a9e0c32fe3c43
  SHA512: a4eeaf0b64e5225a0110d5c899fa6ea2a19375d0f5b7ddcc09ae14a86522bc7982886f696662ca3e0ef0ff26e272011e68f3a12c112ed901ccb85d2b2cf15c35