Analysis
max time kernel: 146s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/03/2024, 22:04
Static task: static1
Behavioral task: behavioral1
  Sample: 114923912de5c2f125812a476724ce51_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 114923912de5c2f125812a476724ce51_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: 114923912de5c2f125812a476724ce51_JaffaCakes118.exe
Size: 14KB
MD5: 114923912de5c2f125812a476724ce51
SHA1: 1bc16556b93ec6118d47a761098ebde9de4db657
SHA256: a3af1cb9e96111f1b22cf571faee8b8b8853649375f3c3866605178c03054e1a
SHA512: 361afadb639d7f8c6115e5a815992dfb00188d07f36a750e7b8e72ea33699bbf4686f50cb41ddace6eb7abda46740dc0f5dfaadf5f94ea17adf79b9db2c454c6
SSDEEP: 384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY0xEp:hDXWipuE+K3/SSHgxm0Cp
Malware Config
Signatures

Checks computer location settings (2 TTPs, 6 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | DEM213F.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | DEM81DD.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | DEMDA1F.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | DEM32AF.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | DEM8CB6.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | 114923912de5c2f125812a476724ce51_JaffaCakes118.exe

Executes dropped EXE (6 IoCs)
pid | Process
3176 | DEM213F.exe
2372 | DEM81DD.exe
3152 | DEMDA1F.exe
3596 | DEM32AF.exe
996 | DEM8CB6.exe
2100 | DEME5D2.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (18 IoCs)
description | pid | Process | procid_target
PID 2128 wrote to memory of 3176 | 2128 | 114923912de5c2f125812a476724ce51_JaffaCakes118.exe | 103
PID 2128 wrote to memory of 3176 | 2128 | 114923912de5c2f125812a476724ce51_JaffaCakes118.exe | 103
PID 2128 wrote to memory of 3176 | 2128 | 114923912de5c2f125812a476724ce51_JaffaCakes118.exe | 103
PID 3176 wrote to memory of 2372 | 3176 | DEM213F.exe | 107
PID 3176 wrote to memory of 2372 | 3176 | DEM213F.exe | 107
PID 3176 wrote to memory of 2372 | 3176 | DEM213F.exe | 107
PID 2372 wrote to memory of 3152 | 2372 | DEM81DD.exe | 109
PID 2372 wrote to memory of 3152 | 2372 | DEM81DD.exe | 109
PID 2372 wrote to memory of 3152 | 2372 | DEM81DD.exe | 109
PID 3152 wrote to memory of 3596 | 3152 | DEMDA1F.exe | 111
PID 3152 wrote to memory of 3596 | 3152 | DEMDA1F.exe | 111
PID 3152 wrote to memory of 3596 | 3152 | DEMDA1F.exe | 111
PID 3596 wrote to memory of 996 | 3596 | DEM32AF.exe | 113
PID 3596 wrote to memory of 996 | 3596 | DEM32AF.exe | 113
PID 3596 wrote to memory of 996 | 3596 | DEM32AF.exe | 113
PID 996 wrote to memory of 2100 | 996 | DEM8CB6.exe | 115
PID 996 wrote to memory of 2100 | 996 | DEM8CB6.exe | 115
PID 996 wrote to memory of 2100 | 996 | DEM8CB6.exe | 115
Processes

1. C:\Users\Admin\AppData\Local\Temp\114923912de5c2f125812a476724ce51_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\114923912de5c2f125812a476724ce51_JaffaCakes118.exe"
   PID: 2128
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
  2. C:\Users\Admin\AppData\Local\Temp\DEM213F.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\DEM213F.exe"
     PID: 3176
     - Checks computer location settings
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
    3. C:\Users\Admin\AppData\Local\Temp\DEM81DD.exe
       Command line: "C:\Users\Admin\AppData\Local\Temp\DEM81DD.exe"
       PID: 2372
       - Checks computer location settings
       - Executes dropped EXE
       - Suspicious use of WriteProcessMemory
      4. C:\Users\Admin\AppData\Local\Temp\DEMDA1F.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\DEMDA1F.exe"
         PID: 3152
         - Checks computer location settings
         - Executes dropped EXE
         - Suspicious use of WriteProcessMemory
        5. C:\Users\Admin\AppData\Local\Temp\DEM32AF.exe
           Command line: "C:\Users\Admin\AppData\Local\Temp\DEM32AF.exe"
           PID: 3596
           - Checks computer location settings
           - Executes dropped EXE
           - Suspicious use of WriteProcessMemory
          6. C:\Users\Admin\AppData\Local\Temp\DEM8CB6.exe
             Command line: "C:\Users\Admin\AppData\Local\Temp\DEM8CB6.exe"
             PID: 996
             - Checks computer location settings
             - Executes dropped EXE
             - Suspicious use of WriteProcessMemory
            7. C:\Users\Admin\AppData\Local\Temp\DEME5D2.exe
               Command line: "C:\Users\Admin\AppData\Local\Temp\DEME5D2.exe"
               PID: 2100
               - Executes dropped EXE

1. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
   Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4208 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
   PID: 4572
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 15KB
MD5: 06d8cece62939908437637fea966c759
SHA1: 8b0c2ae1f82bef68778926dff312598871a4812b
SHA256: 1d8c24f0cf153e639cbc7f101ec6ae23ab5729fb9d5d2ffc2ade1cdf99a3e4ec
SHA512: 3219282ee165b620115a3fe6dd2b55cb595cfae3f92085d92eb49a6c6bec7aef589ef446f902e739a91396a97f39c13b3b118e61688ee14d8d77f8c304c474df

Filesize: 15KB
MD5: ad957d8aa394eb4e2300b00d85f1769d
SHA1: 6afc2af9c0691de482a5b605b8f01778a6431a68
SHA256: 2625ec9c518e16d62afa230775257390538550e002a1e8245eaf0b7c8427f7d8
SHA512: 587c454cc35b247bbe0d90003ac154722e3312b2007c86502ee3cd2910aee9089447439af698e86ea798eaeef468dcc3abedb4e4db3483a60c16afd4f3da11b7

Filesize: 15KB
MD5: 07208def1b7c01ff9d24abf8ae9a88c3
SHA1: 8dce02cde3a96a4313ce4c66d72cbbbde88e6deb
SHA256: 5a153fda7361f3218ae24816fd76581d6c17512fcef0e264f37905c9da0458be
SHA512: 3ff8d15ea314a09b57c5f39e1101f63c35c39f54cf4f5b0675d32b91f9878fa8218b24104c9e451e9a19bf42edacf75e27fbc8238d9ff1b4366fc693e9f1fbe4

Filesize: 15KB
MD5: 1926acc5afc1ed841b5b05a189f92c53
SHA1: 57c2094a36f28db854c4a91c41626b181fce3f36
SHA256: cfbfdfdc798747b45f3a2bd11a67414d598817739c00738d1460f5ef61e0b219
SHA512: efbf3b79bbc9e8c59b3ed3ccc7e15982ee1a3fea4b0065944085d1665302922414369b313fd527015531c1b22a95fdafbd5ab65297618be18c86d14d1616c5a1

Filesize: 15KB
MD5: 785f1c0d2f4998af44c352da25966487
SHA1: 4e53de2a326c7fec99d6d9910b6fc891a544b630
SHA256: b9e81fd334a3838583e73b1a2c203d74ff42dd28140abb659e939102cfc79fee
SHA512: fc7e6278d87c1eac7535da25b55e48f801c7f2de346ea334f8d28612f9c306cc59a94ecb8fac36b3f01a29eac483614a63082cb417519021f37cb179054f368e

Filesize: 15KB
MD5: 47ec214204fe0363be6d3695b8bd7c18
SHA1: 1d10dbb5e7763d34bf6f38fd4dd7052e1b595026
SHA256: 06c57abf9fdc618599d2242870aa90bb90e6ab04c502defe1601acfc7d7cd96e
SHA512: db95692e243fc75e43d32c29e63f615a2be03ddff2c1ae23d53884a09e99ed8536e9a603594441b4b52841fcbda44c5ca606d43d72f882fd2b0bedc85e8577ad