Analysis

max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20250129-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/02/2025, 15:53

Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_8a2bdb5e601deb704b795bc5eebf45da.exe
Resource: win7-20240903-en
General

Target: JaffaCakes118_8a2bdb5e601deb704b795bc5eebf45da.exe
Size: 1.2MB
MD5: 8a2bdb5e601deb704b795bc5eebf45da
SHA1: 0c75f944e504dd81065c3c0ada2c025211dd5aa0
SHA256: e7f547a1c4b5a322747bcbfcef945029971c0228c1bbf0cf43daf995c7da8b51
SHA512: a3d30dc192ba36097914af922beb90f87519e528c2e655cab20d715e50bd958ea81121e65d4efa110f2876444a5955a8adb0e313faff74b22e9594fc4f38066a
SSDEEP: 24576:onzBtBeOxAQmXWRFJSjfUEBgddrL4/S5po1U3DBl2rs+rrv1xKAsRKsu:o9tB/rmmUsZVL4q3Bl2rs+fKo
Malware Config
Signatures
flow | pid | Process
27 | 5068 | system.exe
27 | 5068 | system.exe
27 | 5068 | system.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\Control Panel\International\Geo\Nation | JaffaCakes118_8a2bdb5e601deb704b795bc5eebf45da.exe
Executes dropped EXE (2 IoCs)
pid | Process
4580 | temp.exe
5068 | system.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
flow | ioc
16 | sites.google.com
18 | sites.google.com
Drops file in System32 directory (20 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12 | system.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D6AA22DA63AEAA61826C0D7C76455F33_BE04BFFDC626E991C9EEB9B7D35CF4B8 | system.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | system.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | system.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | system.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | system.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | system.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12 | system.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8 | system.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8 | system.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D6AA22DA63AEAA61826C0D7C76455F33_BE04BFFDC626E991C9EEB9B7D35CF4B8 | system.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199 | system.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_A4910F65FB301FC460D3A6054A2253EC | system.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | system.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | system.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | system.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | system.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199 | system.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_A4910F65FB301FC460D3A6054A2253EC | system.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | system.exe
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system.exe | temp.exe
File created | C:\Windows\uninstal.bat | temp.exe
File created | C:\Windows\system.exe | temp.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | temp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | system.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_8a2bdb5e601deb704b795bc5eebf45da.exe
Modifies data under HKEY_USERS (16 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | system.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | system.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | system.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | system.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | system.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | system.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | system.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | system.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | system.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | system.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | system.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History | system.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | system.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P | system.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | system.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | system.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4580 | temp.exe
Token: SeDebugPrivilege | 5068 | system.exe
Suspicious use of FindShellTrayWindow (1 IoCs)
pid | Process
5068 | system.exe
Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 4828 wrote to memory of 4580 | 4828 | JaffaCakes118_8a2bdb5e601deb704b795bc5eebf45da.exe | 86
PID 4828 wrote to memory of 4580 | 4828 | JaffaCakes118_8a2bdb5e601deb704b795bc5eebf45da.exe | 86
PID 4828 wrote to memory of 4580 | 4828 | JaffaCakes118_8a2bdb5e601deb704b795bc5eebf45da.exe | 86
PID 4580 wrote to memory of 4344 | 4580 | temp.exe | 88
PID 4580 wrote to memory of 4344 | 4580 | temp.exe | 88
PID 4580 wrote to memory of 4344 | 4580 | temp.exe | 88
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a2bdb5e601deb704b795bc5eebf45da.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a2bdb5e601deb704b795bc5eebf45da.exe"
    PID: 4828
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

  [depth 2] C:\Users\Admin\AppData\Local\Temp\temp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\temp.exe"
      PID: 4580
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [depth 3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
        PID: 4344
        - System Location Discovery: System Language Discovery

[depth 1] C:\Windows\system.exe
    Command line: C:\Windows\system.exe
    PID: 5068
    - Detected google phishing page
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 799KB
MD5: 2cb734d6e80d55630dbefbdb58a9cfe2
SHA1: 6f66e6ba349448a107720312f8a21043389034d3
SHA256: 959ed1fcdf9476c97a155f5f2cc349b9fc2aa19e7e9d5c6dc2974d8a895cc030
SHA512: 8a5dacb4c1c042e029c7ad2d8e05fced89c17bcc0d0a6952417272927ddd9ecfe4147b11798dce0b8bfc52aa5d55d7bee598fa510b262cb13896dba88271d1b1

Filesize: 134B
MD5: d844dfb0f997e4d32cdb6dafa4d7717a
SHA1: eaa7b33e52129f946e1aca0ce3cf45a7ce36b5ec
SHA256: 0f38f96239893411209b61471bb7c2412a8637ce0e5cbf9cc3c23e14ee44759a
SHA512: fdeeeda586bf1d748ab962bd579ab3ef69a59ab9306bd3b29663dd496bba31e0a20b62e6076c08bfef44ad821e9dd69e88a29a56d427cbba532947cf91947be5