Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
93s -
max time network
128s -
platform
windows10-2004_x64 -
resource
win10v2004-20250129-en -
resource tags
arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system -
submitted
30/01/2025, 17:21
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_64faf7f0def69d994bf0e5c5a0358d49.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
JaffaCakes118_64faf7f0def69d994bf0e5c5a0358d49.exe
Resource
win10v2004-20250129-en
General
-
Target
JaffaCakes118_64faf7f0def69d994bf0e5c5a0358d49.exe
-
Size
1.5MB
-
MD5
64faf7f0def69d994bf0e5c5a0358d49
-
SHA1
e0c7a65dff26c70d02e5880c1b931fd5faf39f10
-
SHA256
d71b135996dadb5f83321c26562bda351aae22c2425970747d3b5631e7cbb08c
-
SHA512
c7494a3ce4164ed36e42a2301d5575d20fa42b99bd828648deaeaf0514681f98419c86570cada538f01280a5ae6b3c7a89677f39cb730b620acee606f523a7de
-
SSDEEP
49152:VefQxfVKFD3sIIMy+qlhKRe0qnwwT/E+Yzyu:QIVEcUReoxTd
Malware Config
Signatures
-
flow pid Process 27 3176 G-PROS~1.EXE -
Modifies firewall policy service 3 TTPs 10 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G-PROS~1.EXE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\G-PROS~1.EXE:*:Enabled:MSWin64" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" reg.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G-PROS~1.EXE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\G-PROS~1.EXE:*:Enabled:MSWin64" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" reg.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation G-PROS~1.EXE -
Executes dropped EXE 4 IoCs
pid Process 3440 UYKSUI~1.EXE 1236 Crack.exe 3176 G-PROS~1.EXE 4388 Crack.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" JaffaCakes118_64faf7f0def69d994bf0e5c5a0358d49.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" Crack.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 17 sites.google.com 15 sites.google.com -
resource yara_rule behavioral2/files/0x0008000000023c5b-5.dat upx behavioral2/memory/3440-7-0x0000000000400000-0x000000000090D000-memory.dmp upx behavioral2/memory/3440-8-0x0000000000400000-0x000000000090D000-memory.dmp upx -
Drops file in Program Files directory 16 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Google\Google Earth Pro\measure.dll Crack.exe File created C:\Program Files (x86)\Google\Google Earth Pro\common.dll Crack.exe File created C:\Program Files (x86)\Google\Google Earth Pro\base.dll Crack.exe File opened for modification C:\Program Files (x86)\Google\Google Earth Pro\kvw\default_lt.kvw Crack.exe File created C:\Program Files (x86)\Google\Google Earth Pro\measure.dll Crack.exe File opened for modification C:\Program Files (x86)\Google\Google Earth Pro\base.dll Crack.exe File created C:\Program Files (x86)\Google\Google Earth Pro\kh20 Crack.exe File opened for modification C:\Program Files (x86)\Google\Google Earth Pro\gps.dll Crack.exe File created C:\Program Files (x86)\Google\Google Earth Pro\kvw\default_lt.kvw Crack.exe File created C:\Program Files (x86)\Google\Google Earth Pro\gps.dll Crack.exe File opened for modification C:\Program Files (x86)\Google\Google Earth Pro\evll.dll Crack.exe File opened for modification C:\Program Files (x86)\Google\Google Earth Pro\kh20 Crack.exe File opened for modification C:\Program Files (x86)\Google\Google Earth Pro\googleearth.dll Crack.exe File opened for modification C:\Program Files (x86)\Google\Google Earth Pro\common.dll Crack.exe File created C:\Program Files (x86)\Google\Google Earth Pro\evll.dll Crack.exe File created C:\Program Files (x86)\Google\Google Earth Pro\googleearth.dll Crack.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 1824 3440 WerFault.exe 85 -
System Location Discovery: System Language Discovery 1 TTPs 14 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language UYKSUI~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Crack.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language G-PROS~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_64faf7f0def69d994bf0e5c5a0358d49.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Crack.exe -
Modifies registry key 1 TTPs 4 IoCs
pid Process 3664 reg.exe 4340 reg.exe 4964 reg.exe 1564 reg.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3176 G-PROS~1.EXE -
Suspicious use of WriteProcessMemory 39 IoCs
description pid Process procid_target PID 2672 wrote to memory of 3440 2672 JaffaCakes118_64faf7f0def69d994bf0e5c5a0358d49.exe 85 PID 2672 wrote to memory of 3440 2672 JaffaCakes118_64faf7f0def69d994bf0e5c5a0358d49.exe 85 PID 2672 wrote to memory of 3440 2672 JaffaCakes118_64faf7f0def69d994bf0e5c5a0358d49.exe 85 PID 2672 wrote to memory of 1236 2672 JaffaCakes118_64faf7f0def69d994bf0e5c5a0358d49.exe 89 PID 2672 wrote to memory of 1236 2672 JaffaCakes118_64faf7f0def69d994bf0e5c5a0358d49.exe 89 PID 2672 wrote to memory of 1236 2672 JaffaCakes118_64faf7f0def69d994bf0e5c5a0358d49.exe 89 PID 1236 wrote to memory of 3176 1236 Crack.exe 90 PID 1236 wrote to memory of 3176 1236 Crack.exe 90 PID 1236 wrote to memory of 3176 1236 Crack.exe 90 PID 3176 wrote to memory of 3956 3176 G-PROS~1.EXE 91 PID 3176 wrote to memory of 3956 3176 G-PROS~1.EXE 91 PID 3176 wrote to memory of 3956 3176 G-PROS~1.EXE 91 PID 3176 wrote to memory of 2796 3176 G-PROS~1.EXE 92 PID 3176 wrote to memory of 2796 3176 G-PROS~1.EXE 92 PID 3176 wrote to memory of 2796 3176 G-PROS~1.EXE 92 PID 2796 wrote to memory of 3664 2796 cmd.exe 95 PID 2796 wrote to memory of 3664 2796 cmd.exe 95 PID 2796 wrote to memory of 3664 2796 cmd.exe 95 PID 3956 wrote to memory of 4340 3956 cmd.exe 96 PID 3956 wrote to memory of 4340 3956 cmd.exe 96 PID 3956 wrote to memory of 4340 3956 cmd.exe 96 PID 3176 wrote to memory of 2784 3176 G-PROS~1.EXE 97 PID 3176 wrote to memory of 2784 3176 G-PROS~1.EXE 97 PID 3176 wrote to memory of 2784 3176 G-PROS~1.EXE 97 PID 3176 wrote to memory of 1344 3176 G-PROS~1.EXE 98 PID 3176 wrote to memory of 1344 3176 G-PROS~1.EXE 98 PID 3176 wrote to memory of 1344 3176 G-PROS~1.EXE 98 PID 2784 wrote to memory of 4964 2784 cmd.exe 101 PID 2784 wrote to memory of 4964 2784 cmd.exe 101 PID 2784 wrote to memory of 4964 2784 cmd.exe 101 PID 1344 wrote to memory of 1564 1344 cmd.exe 102 PID 1344 wrote to memory of 1564 1344 cmd.exe 102 PID 1344 wrote to memory of 1564 1344 cmd.exe 102 PID 3176 wrote to memory of 4036 3176 G-PROS~1.EXE 103 PID 3176 wrote to memory of 4036 3176 G-PROS~1.EXE 103 PID 3176 wrote to memory of 4036 3176 G-PROS~1.EXE 103 PID 1236 wrote to memory of 4388 1236 Crack.exe 105 PID 1236 wrote to memory of 4388 1236 Crack.exe 105 PID 1236 wrote to memory of 4388 1236 Crack.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64faf7f0def69d994bf0e5c5a0358d49.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64faf7f0def69d994bf0e5c5a0358d49.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UYKSUI~1.EXEC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UYKSUI~1.EXE2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3440 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3440 -s 5683⤵
- Program crash
PID:1824
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Crack.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Crack.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1236 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G-PROS~1.EXEC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G-PROS~1.EXE3⤵
- Detected google phishing page
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3176 -
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3956 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f5⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:4340
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G-PROS~1.EXE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G-PROS~1.EXE:*:Enabled:MSWin64" /f4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G-PROS~1.EXE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G-PROS~1.EXE:*:Enabled:MSWin64" /f5⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:3664
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f5⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:4964
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G-PROS~1.EXE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G-PROS~1.EXE:*:Enabled:MSWin64" /f4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1344 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G-PROS~1.EXE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G-PROS~1.EXE:*:Enabled:MSWin64" /f5⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:1564
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\melt1.bat4⤵
- System Location Discovery: System Language Discovery
PID:4036
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Crack.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Crack.exe3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4388
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3440 -ip 34401⤵PID:1940
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.5MB
MD5119ac17a9ff4f3b1e1a7a310668b2902
SHA1e35e52a52e7e437c812efc13abacd9ca50c504c9
SHA256477fdae70db1b4fa00ebcc5351389303b6283325133b74f2c70a00067cb73d92
SHA51252c703a8bba555754a7125370b0bb6c41a39e289672e2c48d9d589bd07143f70f3056cc04bb6dbf20c0bb667fb6105101ba136d56c3e6673cb5696b7df2240d1
-
Filesize
12KB
MD5ef7b9a68ff6f39725d0fe5a393b8a5b5
SHA145b877c185587b23557869ec1bcce36548e95d08
SHA2563627c93ae4b6ceaa11d14c850d7abf4f50f6ebe9c7fd3f3583876014ca141b60
SHA512403d980a08dabff771eb95b0e38949cabd1b42fdad9c7983938523c93d2c4ccd2890de6eee0add5aef5d8c2750711c5968eb0c613f7f086bd651f2e70273f5bb
-
Filesize
1.4MB
MD52302eace8e12fa460b14c2e6764ac952
SHA1e5caeb93f82243eec0d8f7fdb15efb3edc8c7386
SHA256b19b5b4e514e71c32861a2c70d8c5f07a2c83af2f5c36e1b41e1a26c856c88da
SHA512105676ae255d64101cb1aa7b2c6ceeb8301d5b12ae66d7542c99126c96b7606ae4a4af8ce9f07fb1ef746350f50e9b66d5d2eaa2c1cf946a2f3c3b713e8abf8c
-
Filesize
32KB
MD54f597e155aa341b31c256c70f67a097b
SHA1c32cd541d971e6f823b085e0bea2579e5764a77f
SHA256694ce71682d85d6c56c6ca20f9d9ff8e558166ec228602d2a6cd60ac197401e7
SHA5126fc82a0959e42bf53d82491a565f8dbfa7a52f1e9b8bc98d5725d5fcc4dc2e377cf7a9adcb60d86fd3d816948bafc5439016f6728cd79d3426ee0586cd554af6
-
Filesize
863KB
MD50c2450793d726f341f6870737a5d8437
SHA114106a326bf8b088c4b4c756dcb0adc6b2e2635c
SHA256cd3fa12a3a450bffa8b8b1d3652073b2936960a6129df35c7ab37fabd7eae4f6
SHA512ca634f978c982b7414c5925913bb0079f4d89e8783970b49cd2bd1f62ca9f6a44ce6d901bbfe5145c2e7d989d18b020d28723b069dc2a3a14656fd09a86a0412
-
Filesize
863KB
MD59f58363d60a4a95aa9aedbc524d315d0
SHA18ff2c023521babb322696e928d7d7edf093a3a20
SHA256a61b0a185d31a6ec2eee965046780f9afb6a8d4c528d8f92ed7ddb51d31d5f90
SHA512927961e06b0b12c3c3101b19b74e9b5430bff25bf096e37f83c8ba5646c6e90f6302822586605fa9173713f7a6275ee269dfe5ff11ec602666ac2e14e2f4239d
-
Filesize
203B
MD590245e810be808bf8c77944cecd52b2e
SHA1a6e903e06279ef15250c9303f5620e4620b5b38a
SHA256e003882084d68483bf76bdc4d21cd4f2e853aa9c000f165e16ebef3c60509f76
SHA512c7c790293584ac991ccede4b60e669e5544815c1b1de469d70c1334aa565919d425c78217970d482b92c4325fb1c777860b132ec0453823f824dfc9641db6f32