Analysis
- max time kernel: 93s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
- submitted: 16/01/2025, 21:55
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_82f3b719cff14c36717975a0f02bb25c.exe
Resource: win7-20240903-en
General
- Target: JaffaCakes118_82f3b719cff14c36717975a0f02bb25c.exe
- Size: 95KB
- MD5: 82f3b719cff14c36717975a0f02bb25c
- SHA1: e4ebf77eae12c09f3fdecb7f665ae293b60b64a2
- SHA256: 196cfbe576c33b37214e4833dad773a1c861a778649bbd7ef280e640b2a436ed
- SHA512: a32e82b9d62ed0c7a848ce78a943f9bea098b7b70b81ac14f92ea9f42bd07c72325317e15897d9b16d96f743864ddf9de727c96bbf280ec08792ca449b235844
- SSDEEP: 768:106R0UKzOgnKqGR7//GPc0LOBhvBrHks3IiyhDYQbGmxlNaM+WGa1wuxnzgOYw9Y:jR0vxn3Pc0LCH9MtbvabUDzJYWu3B
Malware Config
Signatures
- Ramnit family
- Executes dropped EXE (1 IoC)
  pid   Process
  2328  WaterMark.exe
- Drops file in Program Files directory (3 IoCs)
  description                   ioc                                              Process
  File opened for modification  C:\Program Files (x86)\Microsoft\px8BC5.tmp      JaffaCakes118_82f3b719cff14c36717975a0f02bb25c.exe
  File created                  C:\Program Files (x86)\Microsoft\WaterMark.exe   JaffaCakes118_82f3b719cff14c36717975a0f02bb25c.exe
  File opened for modification  C:\Program Files (x86)\Microsoft\WaterMark.exe   JaffaCakes118_82f3b719cff14c36717975a0f02bb25c.exe
- Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  4284  4588        WerFault.exe  84
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WaterMark.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  IEXPLORE.EXE
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  IEXPLORE.EXE
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_82f3b719cff14c36717975a0f02bb25c.exe
- Suspicious behavior: EnumeratesProcesses (16 IoCs)
  pid   Process
  2328  WaterMark.exe  (repeated 16 times)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  2328  WaterMark.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   Process
  368   iexplore.exe
  2380  iexplore.exe
- Suspicious use of SetWindowsHookEx (10 IoCs)
  pid   Process
  368   iexplore.exe  (x2)
  2380  iexplore.exe  (x2)
  2596  IEXPLORE.EXE  (x4)
  2132  IEXPLORE.EXE  (x2)
- Suspicious use of UnmapMainImage (2 IoCs)
  pid   Process
  3676  JaffaCakes118_82f3b719cff14c36717975a0f02bb25c.exe
  2328  WaterMark.exe
- Suspicious use of WriteProcessMemory (22 IoCs)
  description                       pid   Process                                              procid_target
  PID 3676 wrote to memory of 2328  3676  JaffaCakes118_82f3b719cff14c36717975a0f02bb25c.exe  83  (x3)
  PID 2328 wrote to memory of 4588  2328  WaterMark.exe                                        84  (x9)
  PID 2328 wrote to memory of 2380  2328  WaterMark.exe                                        89  (x2)
  PID 2328 wrote to memory of 368   2328  WaterMark.exe                                        90  (x2)
  PID 368 wrote to memory of 2596   368   iexplore.exe                                         91  (x3)
  PID 2380 wrote to memory of 2132  2380  iexplore.exe                                         92  (x3)
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_82f3b719cff14c36717975a0f02bb25c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_82f3b719cff14c36717975a0f02bb25c.exe"
  PID: 3676
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\WaterMark.exe
    Command line: "C:\Program Files (x86)\Microsoft\WaterMark.exe"
    PID: 2328
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\svchost.exe
      Command line: C:\Windows\system32\svchost.exe
      PID: 4588
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4588 -s 204
        PID: 4284
        - Program crash
    - C:\Program Files\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      PID: 2380
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2380 CREDAT:17410 /prefetch:2
        PID: 2132
        - System Location Discovery: System Language Discovery
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx
    - C:\Program Files\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      PID: 368
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:368 CREDAT:17410 /prefetch:2
        PID: 2596
        - System Location Discovery: System Language Discovery
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4588 -ip 4588
  PID: 2052
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 95KB
  MD5: 82f3b719cff14c36717975a0f02bb25c
  SHA1: e4ebf77eae12c09f3fdecb7f665ae293b60b64a2
  SHA256: 196cfbe576c33b37214e4833dad773a1c861a778649bbd7ef280e640b2a436ed
  SHA512: a32e82b9d62ed0c7a848ce78a943f9bea098b7b70b81ac14f92ea9f42bd07c72325317e15897d9b16d96f743864ddf9de727c96bbf280ec08792ca449b235844
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  Filesize: 471B
  MD5: eec6845b257a7c8f95b25485b3666ae4
  SHA1: 79e6f675b80bc885bda844e766088a62d84ded75
  SHA256: 70a3cfb8ce21db27ecfb8143c459eda8218c5f7a0db0945c3117cbf5c180eb6d
  SHA512: b6ceaabb99fb2011f9dd6ae4b59e3435c397204fcd4b3168e65d6616a85d49d13f80cd11a191e223609538d4f144103757f730c61acd21f4053bb5ecb6fb4f1f
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  Filesize: 404B
  MD5: e0085636b072953fe4f8793163833585
  SHA1: c4cb2799bf02ce5272663cb09fff2e8cd32b6257
  SHA256: 4bfed94247a4c640e1b946c4f0f8c14c8074e738f8fccffa2097098f7da3b5ce
  SHA512: 90374fdc5055b3abf2383c50a8aafc12848b68a4e102e9ba6e78012767039604d9bae5fb7b6da377218dfa1f9a50556dae4c3059480fc16378a8aabbaf20abcf
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  Filesize: 404B
  MD5: c505218562d98f51cd5a1c738cf472f8
  SHA1: cf9986eb3b3ed0831f37fddd63867110f3cfc84e
  SHA256: 6939b19c83f5def96ae38d15ff27283cd403204820644e9bff00283218686fac
  SHA512: 26c629376daafc90529484f208393d5d08fe67bcb711791f373770953d87d9863e7b18620b0fe522e48a4dcc948b7d9620146472b1de59c4d1b9551ae8de487b
- C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{96E864CB-D454-11EF-AF2A-EE8B2F3CE00B}.dat
  Filesize: 3KB
  MD5: 496797ec52f4517cb0511e26fb54796c
  SHA1: 3dfe3abe3b04a103ac69bc35aa209e5035986812
  SHA256: 7fbd414f081037cec62ffed569eae006762beae1ae5cb27a1ffcad650afe88dc
  SHA512: 8851746c4c00c97a99494227d13675841d1cc884604c07c0d742d8f6f0e91f0ce5a00695b761c4c562f80c380e4285d6448d73e8bdb767faaa6b4f282b7ba26b
- C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{96EAC6DB-D454-11EF-AF2A-EE8B2F3CE00B}.dat
  Filesize: 5KB
  MD5: f11d6e7541d7286883a68e05d85fe96e
  SHA1: 36b0f4a3f6c6032dc5cd4946aeff973faea300d9
  SHA256: 61ff2d5ae2e18725024fb9f13cfd31de78e30bba6386036c33b71103ba5a22f4
  SHA512: a971498c09ca2b8c482e2306eeac21d41111606d3de11af79f3dd0f6fce0b1c2ca7942d423ae790a5523677d24762caaca16036c031e6581b9d3a6a4d825323a
- Filesize: 17KB
  MD5: 5a34cb996293fde2cb7a4ac89587393a
  SHA1: 3c96c993500690d1a77873cd62bc639b3a10653f
  SHA256: c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
  SHA512: e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee