Analysis
max time kernel: 149s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17/01/2025, 12:55
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_8c450ef4b459456b4b037dbb321619a5.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_8c450ef4b459456b4b037dbb321619a5.exe
  Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_8c450ef4b459456b4b037dbb321619a5.exe
Size: 1.9MB
MD5: 8c450ef4b459456b4b037dbb321619a5
SHA1: 3a84b8c946a16accb03cb173c87ab465fbbd1194
SHA256: 4e398a335174371bee9882621b81bef435d9b8c013bd934b9f2f956703b8c7be
SHA512: 8a11f93a2bf39272c7e768ff636a36a4faa2d424aad6588b59d188355e23627a2107fb58f77f5520caeed48138b0683d6397951426c6e0aaedcae42c6986558e
SSDEEP: 49152:ydOjNXMu8VaWg/IbwsYRxUGXET3pbjX6JyytOdsi3:IOjtMaWZUxUfT35X06si
Malware Config
Signatures
Drops file in Drivers directory 1 IoCs
  description | ioc | Process
  File opened for modification | C:\Windows\system32\drivers\etc\hosts | Cloud AV 2012v121.exe

Executes dropped EXE 2 IoCs
  pid | Process
  3028 | Cloud AV 2012v121.exe
  1424 | Cloud AV 2012v121.exe

Adds Run key to start application 2 TTPs 2 IoCs
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AH6dWK8fR9TwUeI8234A = "C:\\Windows\\system32\\Cloud AV 2012v121.exe" | JaffaCakes118_8c450ef4b459456b4b037dbb321619a5.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XONtxA0uc2b3n5Q8234A = "C:\\Users\\Admin\\AppData\\Roaming\\eBrzPNycAuDoFpH\\Cloud AV 2012v121.exe" | Cloud AV 2012v121.exe

Drops file in System32 directory 2 IoCs
  description | ioc | Process
  File created | C:\Windows\SysWOW64\Cloud AV 2012v121.exe | JaffaCakes118_8c450ef4b459456b4b037dbb321619a5.exe
  File created | C:\Windows\SysWOW64\Cloud AV 2012v121.exe | Cloud AV 2012v121.exe

UPX packed memory regions (yara_rule matches)
  resource | yara_rule
  behavioral2/memory/4356-2-0x0000000000400000-0x0000000000917000-memory.dmp | upx
  behavioral2/memory/4356-8-0x0000000000400000-0x0000000000917000-memory.dmp | upx
  behavioral2/memory/4356-9-0x0000000000400000-0x0000000000914000-memory.dmp | upx
  behavioral2/memory/3028-12-0x0000000000400000-0x0000000000917000-memory.dmp | upx
  behavioral2/memory/3028-18-0x0000000000400000-0x0000000000917000-memory.dmp | upx
  behavioral2/memory/1424-88-0x0000000000400000-0x0000000000917000-memory.dmp | upx
  behavioral2/memory/1424-131-0x0000000000400000-0x0000000000917000-memory.dmp | upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_8c450ef4b459456b4b037dbb321619a5.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cloud AV 2012v121.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cloud AV 2012v121.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
  pid | Process
  3028 | Cloud AV 2012v121.exe (8 identical entries)
  1424 | Cloud AV 2012v121.exe (56 identical entries)

Suspicious use of AdjustPrivilegeToken 1 IoCs
  description | pid | Process
  Token: SeSecurityPrivilege | 1044 | msiexec.exe

Suspicious use of FindShellTrayWindow 3 IoCs
  pid | Process
  1424 | Cloud AV 2012v121.exe (3 identical entries)

Suspicious use of SendNotifyMessage 3 IoCs
  pid | Process
  1424 | Cloud AV 2012v121.exe (3 identical entries)

Suspicious use of SetWindowsHookEx 10 IoCs
  pid | Process
  4356 | JaffaCakes118_8c450ef4b459456b4b037dbb321619a5.exe
  3028 | Cloud AV 2012v121.exe (2 identical entries)
  1424 | Cloud AV 2012v121.exe (7 identical entries)

Suspicious use of WriteProcessMemory 6 IoCs
  description | pid | Process | procid_target
  PID 4356 wrote to memory of 3028 | 4356 | JaffaCakes118_8c450ef4b459456b4b037dbb321619a5.exe | 86 (3 identical entries)
  PID 3028 wrote to memory of 1424 | 3028 | Cloud AV 2012v121.exe | 92 (3 identical entries)
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8c450ef4b459456b4b037dbb321619a5.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8c450ef4b459456b4b037dbb321619a5.exe"
  PID: 4356
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\Cloud AV 2012v121.exe (level 2)
    Command line: C:\Windows\system32\Cloud AV 2012v121.exe 5985C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8c450ef4b459456b4b037dbb321619a5.exe
    PID: 3028
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\eBrzPNycAuDoFpH\Cloud AV 2012v121.exe (level 3)
      Command line: C:\Users\Admin\AppData\Roaming\eBrzPNycAuDoFpH\Cloud AV 2012v121.exe 5985C:\Windows\SysWOW64\Cloud AV 2012v121.exe
      PID: 1424
      - Drops file in Drivers directory
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx

C:\Windows\system32\msiexec.exe (level 1)
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 1044
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads