Analysis
- max time kernel: 150s
- max time network: 142s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23/01/2025, 05:41
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_142cce6c8e06744bc0cbd5425c309f4f.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_142cce6c8e06744bc0cbd5425c309f4f.exe
  Resource: win10v2004-20241007-en
General
- Target: JaffaCakes118_142cce6c8e06744bc0cbd5425c309f4f.exe
- Size: 2.8MB
- MD5: 142cce6c8e06744bc0cbd5425c309f4f
- SHA1: 16c16dcc37cf688cdbc96c9e3be126e06a4a3942
- SHA256: 3b31c8cce7b8a24dd175a06ffd23aa21a2eb37415fe8a7b0876ecb8865f6a9fc
- SHA512: b42b832bad0130af5b4e104883e92d87c647fd55a8ee166cf761632ab5b6ee43a0afea8622f133df73defcf86326e109d17cb523c47e9deb5964e5c5a9f805c1
- SSDEEP: 49152:/2W7bHP6W59tEEz3R/N9KZV8ora4hkz4HVXZ4:eov6Stpz35OZCj4hkz41J
Malware Config
Signatures
-
Drops file in Drivers directory (1 IoC)
  description: File opened for modification | ioc: C:\Windows\system32\drivers\etc\hosts | Process: AV Protection 2011v121.exe
-
Executes dropped EXE (2 IoCs)
  pid 3104 | Process: AV Protection 2011v121.exe
  pid 2920 | Process: AV Protection 2011v121.exe
-
Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Set value (str) | ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zc1uvD2on4m5W7E8234A = "C:\\Windows\\system32\\AV Protection 2011v121.exe" | Process: JaffaCakes118_142cce6c8e06744bc0cbd5425c309f4f.exe
  description: Set value (str) | ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lUVrlONtx0c2b3n8234A = "C:\\Users\\Admin\\AppData\\Roaming\\mCekIBrzPyAuDoF\\AV Protection 2011v121.exe" | Process: AV Protection 2011v121.exe
-
Drops file in System32 directory (2 IoCs)
  description: File created | ioc: C:\Windows\SysWOW64\AV Protection 2011v121.exe | Process: JaffaCakes118_142cce6c8e06744bc0cbd5425c309f4f.exe
  description: File created | ioc: C:\Windows\SysWOW64\AV Protection 2011v121.exe | Process: AV Protection 2011v121.exe
-
yara_rule: upx (matched memory dumps)
  resource: behavioral2/memory/3356-5-0x0000000000400000-0x0000000000918000-memory.dmp
  resource: behavioral2/memory/3356-12-0x0000000000400000-0x0000000000913000-memory.dmp
  resource: behavioral2/memory/3356-11-0x0000000000400000-0x0000000000918000-memory.dmp
  resource: behavioral2/memory/3104-17-0x0000000000400000-0x0000000000918000-memory.dmp
  resource: behavioral2/memory/3104-18-0x0000000000400000-0x0000000000918000-memory.dmp
  resource: behavioral2/memory/3104-24-0x0000000000400000-0x0000000000918000-memory.dmp
  resource: behavioral2/memory/2920-96-0x0000000000400000-0x0000000000918000-memory.dmp
  resource: behavioral2/memory/2920-107-0x0000000000400000-0x0000000000918000-memory.dmp
  resource: behavioral2/memory/2920-118-0x0000000000400000-0x0000000000918000-memory.dmp
  resource: behavioral2/memory/2920-139-0x0000000000400000-0x0000000000918000-memory.dmp
  resource: behavioral2/memory/2920-150-0x0000000000400000-0x0000000000918000-memory.dmp
-
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process: JaffaCakes118_142cce6c8e06744bc0cbd5425c309f4f.exe
  description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process: AV Protection 2011v121.exe
  description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process: AV Protection 2011v121.exe
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 3104 | Process: AV Protection 2011v121.exe (8 identical entries)
  pid 2920 | Process: AV Protection 2011v121.exe (56 identical entries)
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeSecurityPrivilege | pid 2312 | Process: msiexec.exe
-
Suspicious use of FindShellTrayWindow (5 IoCs)
  pid 2920 | Process: AV Protection 2011v121.exe (5 identical entries)
-
Suspicious use of SendNotifyMessage (5 IoCs)
  pid 2920 | Process: AV Protection 2011v121.exe (5 identical entries)
-
Suspicious use of SetWindowsHookEx (10 IoCs)
  pid 3356 | Process: JaffaCakes118_142cce6c8e06744bc0cbd5425c309f4f.exe
  pid 3104 | Process: AV Protection 2011v121.exe (2 identical entries)
  pid 2920 | Process: AV Protection 2011v121.exe (7 identical entries)
-
Suspicious use of WriteProcessMemory (6 IoCs)
  description: PID 3356 wrote to memory of 3104 | pid 3356 | Process: JaffaCakes118_142cce6c8e06744bc0cbd5425c309f4f.exe | procid_target: 84 (3 identical entries)
  description: PID 3104 wrote to memory of 2920 | pid 3104 | Process: AV Protection 2011v121.exe | procid_target: 85 (3 identical entries)
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_142cce6c8e06744bc0cbd5425c309f4f.exe (level 1, PID 3356)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_142cce6c8e06744bc0cbd5425c309f4f.exe"
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\AV Protection 2011v121.exe (level 2, PID 3104)
    Command line: C:\Windows\system32\AV Protection 2011v121.exe 5985C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_142cce6c8e06744bc0cbd5425c309f4f.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\mCekIBrzPyAuDoF\AV Protection 2011v121.exe (level 3, PID 2920)
      Command line: C:\Users\Admin\AppData\Roaming\mCekIBrzPyAuDoF\AV Protection 2011v121.exe 5985C:\Windows\SysWOW64\AV Protection 2011v121.exe
      - Drops file in Drivers directory
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\msiexec.exe (level 1, PID 2312)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
-
  Filesize: 610B
  MD5: 891845a5b531a311c5dab9c70c066aca
  SHA1: c1f5753eb31b0a93fca09412f3f933b2f3d61aae
  SHA256: 3bbfb5ab81caa81fa836396bec96aff05529d76107144cffc2267ca4436c09c7
  SHA512: a0fbe9d32bbbc9d6c2645381ec503968c449e42b5b5646a28e2d12fc44e9d6ec2cc49febf4c92a038d75a307638098a67671cea6c887d242885eb49cecddea09
-
  Filesize: 1KB
  MD5: 7f78d527a535a70e1ac5dec146ac2827
  SHA1: 52c5fb68b73d65c168cf17778db32212eeb92855
  SHA256: 33f3ae5e39a5823ab63e83a0290c6c4fcc6c7d5a548a61a289150a9a2d37c7a3
  SHA512: 0bf2126fdea689247b3454fba8199097e3da97ca9f16c2b923e333eba5e199372f5b1aaeb240ff63ea6b5ccdf939d4b870ed71bb52ed780597e3b72d45a7b598
-
  Filesize: 2.8MB
  MD5: 142cce6c8e06744bc0cbd5425c309f4f
  SHA1: 16c16dcc37cf688cdbc96c9e3be126e06a4a3942
  SHA256: 3b31c8cce7b8a24dd175a06ffd23aa21a2eb37415fe8a7b0876ecb8865f6a9fc
  SHA512: b42b832bad0130af5b4e104883e92d87c647fd55a8ee166cf761632ab5b6ee43a0afea8622f133df73defcf86326e109d17cb523c47e9deb5964e5c5a9f805c1
-
  Filesize: 1KB
  MD5: 873d3a8615c58ab97e3ab961298f44bb
  SHA1: f7f01fdb2204da24b5635dac70908c767529dcef
  SHA256: 670f1b79bd41b74bb50efc4bd8e6ed3924e53596ab019fbbc8320ebc8e0d1768
  SHA512: 2bf1ffba638413d88758706b12ec074204176ea171c41ab34f19f11df02dfaa05b10c7511dba680bf5016213bb69031367acef10fd324c0c7f65c82e28b9f8ef