Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17/01/2025, 08:54
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_86daa0df8dd18935c669053501fadd63.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_86daa0df8dd18935c669053501fadd63.exe
  Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_86daa0df8dd18935c669053501fadd63.exe
Size: 328KB
MD5: 86daa0df8dd18935c669053501fadd63
SHA1: 5ab286b5162cc6c370469d63630af2e53fd4954a
SHA256: a940d3774ed7e75dffec1e70b0711392019a26cf63a02a52ee740047030a0118
SHA512: 913b0b5c60dbf83dacd4b998e936aabfdfd5fe9e75ddb1f3f079cfd51865dc33ac701ed8b539a8406641a672f051bdec45a5a37b40f7fdbb21c198de1fa50cbd
SSDEEP: 6144:YTQCHoNiMWOiuxgL19g0IrWX9SC+pQZ1Ai1TK+DKEWHMSyrRdT:IhbMWOiUgDgXW3+paqiJDKLMdd
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  PID 720  JaffaCakes118_86daa0df8dd18935c669053501fadd63.exe (the copy written under C:\Users\Admin\AppData\Roaming)

Adds Run key to start application (2 TTPs, 2 IoCs; ATT&CK T1547.001 Registry Run Keys / Startup Folder)
  Set value (str)  \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\server = "C:\\Users\\Admin\\AppData\\Roaming\\server\\server.exe"  by JaffaCakes118_86daa0df8dd18935c669053501fadd63.exe (PID 1724)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\server = "C:\\Users\\Admin\\AppData\\Roaming\\server\\server.exe"  by the same process
  The same value name ("server") is written to both the per-user Run key and the 32-bit view of the machine-wide Run key, so the autostart entry lands whether or not the sample has administrative rights. Note that the registered path (...\Roaming\server\server.exe) is not the path the dropped copy runs from in this analysis (...\Roaming\JaffaCakes118_86daa0df8dd18935c669053501fadd63.exe, PID 720); when hunting, look for the Run value itself, not only for the binary it names.

Suspicious use of SetThreadContext (1 IoC)
  PID 1724 (JaffaCakes118_86daa0df8dd18935c669053501fadd63.exe) set the thread context of PID 720, the dropped copy it had just created.

Program crash (1 IoC)
  WerFault.exe (PID 4468) reported a crash in PID 720, the process whose thread context was replaced.

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs; ATT&CK T1614.001)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by JaffaCakes118_86daa0df8dd18935c669053501fadd63.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by csc.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by cvtres.exe
  Two of the three hits come from the .NET compiler chain the sample spawned (csc.exe and cvtres.exe), not from the sample itself.

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege  enabled by PID 1724 (JaffaCakes118_86daa0df8dd18935c669053501fadd63.exe)

Suspicious use of WriteProcessMemory (16 IoCs)
  PID 1724 (JaffaCakes118_86daa0df8dd18935c669053501fadd63.exe) wrote to memory of PID 4224 (csc.exe)  x3
  PID 4224 (csc.exe) wrote to memory of PID 4580 (cvtres.exe)  x3
  PID 1724 (JaffaCakes118_86daa0df8dd18935c669053501fadd63.exe) wrote to memory of PID 720 (dropped copy)  x10
  The benign spawns in this tree (csc.exe and cvtres.exe) each account for exactly three parent-to-child writes, which is what an ordinary process creation produces here. The ten writes into PID 720, combined with the SetThreadContext call on that same PID and the crash that followed in it, are the footprint of a parent overwriting a suspended child's image before resuming it (process hollowing); the memory-write count alone is not the signal, the count beyond baseline plus the thread-context change is.
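The signature groups above (the Run-key writes, the SetThreadContext call, the WriteProcessMemory counts and the csc.exe spawn) can be turned into checks over a process/registry event stream. The script below is an added example and is not part of this Triage report or of tria.ge: its event records are constructed from the rows above, and the tuple layout, the three-writes baseline, the user-writable path list and the build-tool allowlist are this example's own assumptions, not Triage's data model or a published rule.

```python
"""Checks derived from this report's signatures: Run-key persistence into a
user-writable path, parent/child memory rewriting followed by SetThreadContext
(process hollowing), and on-the-fly C# compilation through csc.exe.

Added example, not part of the Triage report. The event tuples are constructed
from the report's rows; their layout is an assumption of this example."""
import re
from collections import Counter

SAMPLE = "JaffaCakes118_86daa0df8dd18935c669053501fadd63.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\JaffaCakes118_86daa0df8dd18935c669053501fadd63.exe"
CSC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"
RUN_VALUE = r"C:\Users\Admin\AppData\Roaming\server\server.exe"

# (kind, actor_pid, actor_image, target, detail); constructed from the report.
# "target" is a child PID for process events and a key path for registry events.
EVENTS = [
    ("create", 1724, SAMPLE, 4224,
     CSC + r' /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\c-1fxxkj.cmdline"'),
    ("create", 4224, "csc.exe", 4580,
     r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86"),
    ("create", 1724, SAMPLE, 720, DROPPED),
    ("regset", 1724, SAMPLE,
     r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\server", RUN_VALUE),
    ("regset", 1724, SAMPLE,
     r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\server", RUN_VALUE),
    *[("writemem", 1724, SAMPLE, 4224, "")] * 3,   # ordinary CreateProcess writes
    *[("writemem", 4224, "csc.exe", 4580, "")] * 3,
    *[("writemem", 1724, SAMPLE, 720, "")] * 10,   # far more than a plain spawn needs
    ("setctx", 1724, SAMPLE, 720, ""),
    ("create", 720, DROPPED, 4468, r"C:\Windows\SysWOW64\WerFault.exe -u -p 720 -s 12"),
]

RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)
CREATE_BASELINE_WRITES = 3   # assumption: writes a plain CreateProcess produces here
BUILD_TOOLS = {"msbuild.exe", "devenv.exe", "vbcscompiler.exe"}   # assumed allowlist


def flag_run_keys(events):
    """Run/RunOnce values whose target lives in a user-writable directory."""
    return [(pid, key, val) for kind, pid, _img, key, val in events
            if kind == "regset" and RUN_KEY.search(key) and USER_WRITABLE.search(val)]


def flag_hollowing(events):
    """Parents that spawned a child, wrote into it beyond the baseline and then
    set its thread context; records whether WerFault later reported that child."""
    created = {(e[1], e[3]) for e in events if e[0] == "create"}
    writes = Counter((e[1], e[3]) for e in events if e[0] == "writemem")
    setctx = {(e[1], e[3]) for e in events if e[0] == "setctx"}
    crashed = set()
    for kind, _pid, _img, _child, cmd in events:
        m = re.search(r"WerFault\.exe.*-p (\d+)", cmd) if kind == "create" else None
        if m:
            crashed.add(int(m.group(1)))
    return {pair: {"writes": writes[pair], "crashed": pair[1] in crashed}
            for pair in created & setctx if writes[pair] > CREATE_BASELINE_WRITES}


def flag_runtime_compile(events):
    """csc.exe started with a response file under Temp by something other than a build tool."""
    return [(pid, child) for kind, pid, img, child, cmd in events
            if kind == "create" and re.search(r"\\csc\.exe", cmd, re.I)
            and re.search(r'@"?[^"]*\\Temp\\', cmd, re.I)
            and img.lower() not in BUILD_TOOLS]


if __name__ == "__main__":
    for pid, key, val in flag_run_keys(EVENTS):
        print(f"[persistence] pid {pid}: {key} -> {val}")
    for (parent, child), info in flag_hollowing(EVENTS).items():
        print(f"[hollowing] {parent} -> {child}: {info['writes']} writes, crashed={info['crashed']}")
    for parent, child in flag_runtime_compile(EVENTS):
        print(f"[runtime-compile] {parent} spawned csc.exe as pid {child}")
```

On this report's events the script reports both Run values, the 1724 -> 720 hollowing pair with ten writes and a crash, and the csc.exe spawn from the sample. The baseline of three writes is taken from the benign spawns in this tree; on a different sensor (Sysmon, an EDR telemetry feed) the per-spawn count differs, so measure it on known-good process creations before relying on the threshold.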
Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_86daa0df8dd18935c669053501fadd63.exe  PID 1724
  Command: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_86daa0df8dd18935c669053501fadd63.exe"
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe  PID 4224
    Command: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\c-1fxxkj.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe  PID 4580
      Command: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9B85.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9B84.tmp"
      - System Location Discovery: System Language Discovery

  C:\Users\Admin\AppData\Roaming\JaffaCakes118_86daa0df8dd18935c669053501fadd63.exe  PID 720
    Command: C:\Users\Admin\AppData\Roaming\JaffaCakes118_86daa0df8dd18935c669053501fadd63.exe
    - Executes dropped EXE

    C:\Windows\SysWOW64\WerFault.exe  PID 4468
      Command: C:\Windows\SysWOW64\WerFault.exe -u -p 720 -s 12
      - Program crash

C:\Windows\SysWOW64\WerFault.exe  PID 1176
  Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 720 -ip 720

The csc.exe / cvtres.exe pair, driven by a temporary .cmdline response file and RES*.tmp / CSC*.tmp files under the user's Temp directory, is the footprint of on-the-fly C# compilation through the .NET CodeDom compiler interface, here against the v2.0.50727 runtime: the sample builds code at run time rather than shipping it precompiled. The parent that compiled is the same PID 1724 that then wrote into and set the thread context of the dropped copy (PID 720), which crashed under WerFault.
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: c6f11280d15fc9b3e40ed66b82f8e2ae
SHA1: cc2fdc71772f2f91c75ef925542951d8d3441c71
SHA256: 6c52b7408fd088db5c3413251c692e05a0a1a0a1351835a8fce3f4e46a9bc38a
SHA512: 73bc4e624cfe794e292975c7015f597b8364c71935ac6841e491fe000a8b26713c65ba0c38c1ac8d935ecc9e7e82c32c091c663dc8b29a49b28d4cbf281e5384

Filesize: 5KB
MD5: 50dc8800e0a7f437446d92d0752d11ee
SHA1: ef988b63f9f8955b6a277031ce851b977bf7286b
SHA256: aab94b5efcb9f922b275718d1362dadc271bbc457ee2b60000c12310b4be11c5
SHA512: f88b3fc4cec5b0cfc1c86206704be8eb3e292e3df1ed016145fb811d9ea42f519bafe83d93228894299abd38e2c91bf1053b12a7f3759f969974caf861e252bb

Filesize: 6KB
MD5: d89fdbb4172cee2b2f41033e62c677d6
SHA1: c1917b579551f0915f1a0a8e8e3c7a6809284e6b
SHA256: 2cbdc0ddc7901a9b89615cc338f63e1800f864db431e7a7a85749f73cba0b383
SHA512: 48941f08ae00d342b52e3255b99ce36abb4e46a48075a760869bc86b1a32c0737eb2bd5e43d5ee665303ab134282f9732738755c4027043ed2d4f414faab63ed

Filesize: 652B
MD5: 3dc55516db899999b69f542f177da2d0
SHA1: 64c0004714b3af825ba26aada0b9101a25128cc6
SHA256: 72faced19ea435054755c5d3a1e0792939e751d067ba6f3b2773958a1bd79cb6
SHA512: d835c1464d8845bf923f1ad93057952669dd2e05e716eb51eefe17f6feb9081baaa950cdd3cf697931a043a1a37b75723d8a04455809279f2d316d5b9ad9949f

Filesize: 5KB
MD5: cb25540570735d26bf391e8b54579396
SHA1: 135651d49409214d21348bb879f7973384a7a8cb
SHA256: 922ec415710a6e1465ed8553838ddf19c8deb32b75da6dfaca372c1067d2d743
SHA512: 553ce9d3647b196ccbd6612c06d301afac992130ec5c80fe8fa8a42bab4250053fad651227ff97d9fab4ba8aaff562d421236dc0b2b5d0d4a17430985dd07080

Filesize: 206B
MD5: 449f908cc53b30a38dc92355a9bffeac
SHA1: 03a1ce5f101752bd15ab5769f5785f8953299b86
SHA256: 4ca48d4229288246ae26b52fa091c6333f6897a38e5369d1030a8a2806882559
SHA512: 35dbbf6b6049b4d8d719009512a1f5fe9287f74a6929e13f2bf7e1b907c496d1c22be22d133d1cde433413f33d78a83d21cba742804ee97d3a1368dbc44328ea