Analysis
max time kernel: 132s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/03/2024, 17:39
Static task: static1
Behavioral task: behavioral1
  Sample: 0bed5566318e9c699bfef7d0a1ff0de9_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 0bed5566318e9c699bfef7d0a1ff0de9_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: 0bed5566318e9c699bfef7d0a1ff0de9_JaffaCakes118.exe
Size: 15KB
MD5: 0bed5566318e9c699bfef7d0a1ff0de9
SHA1: c33becbe980b8822c26e21311a217673fd25f420
SHA256: 5433923231b71ac9066ca601bbf2737e52f335b3d0fe7866afd37b90d5da398f
SHA512: 5b4fa781ba238d63fe04b678b1d4b748cf3dba03ac858fdf84bf63c56f7d04b74d07ce07f2daf53bb09e0e31aa8e8e81ab776b2b06e021e7b19beed5c4b24654
SSDEEP: 384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY4lCKn97:hDXWipuE+K3/SSHgxmqN
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 6 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | 0bed5566318e9c699bfef7d0a1ff0de9_JaffaCakes118.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | DEM30F3.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | DEM8770.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | DEMDD6F.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | DEM3321.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | DEM88F2.exe
- Executes dropped EXE (6 IoCs)
  pid | Process
  4900 | DEM30F3.exe
  3340 | DEM8770.exe
  4504 | DEMDD6F.exe
  2104 | DEM3321.exe
  4004 | DEM88F2.exe
  4008 | DEMDEF1.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (18 IoCs)
  description | pid | Process | procid_target
  PID 1864 wrote to memory of 4900 | 1864 | 0bed5566318e9c699bfef7d0a1ff0de9_JaffaCakes118.exe | 98
  PID 1864 wrote to memory of 4900 | 1864 | 0bed5566318e9c699bfef7d0a1ff0de9_JaffaCakes118.exe | 98
  PID 1864 wrote to memory of 4900 | 1864 | 0bed5566318e9c699bfef7d0a1ff0de9_JaffaCakes118.exe | 98
  PID 4900 wrote to memory of 3340 | 4900 | DEM30F3.exe | 101
  PID 4900 wrote to memory of 3340 | 4900 | DEM30F3.exe | 101
  PID 4900 wrote to memory of 3340 | 4900 | DEM30F3.exe | 101
  PID 3340 wrote to memory of 4504 | 3340 | DEM8770.exe | 103
  PID 3340 wrote to memory of 4504 | 3340 | DEM8770.exe | 103
  PID 3340 wrote to memory of 4504 | 3340 | DEM8770.exe | 103
  PID 4504 wrote to memory of 2104 | 4504 | DEMDD6F.exe | 105
  PID 4504 wrote to memory of 2104 | 4504 | DEMDD6F.exe | 105
  PID 4504 wrote to memory of 2104 | 4504 | DEMDD6F.exe | 105
  PID 2104 wrote to memory of 4004 | 2104 | DEM3321.exe | 107
  PID 2104 wrote to memory of 4004 | 2104 | DEM3321.exe | 107
  PID 2104 wrote to memory of 4004 | 2104 | DEM3321.exe | 107
  PID 4004 wrote to memory of 4008 | 4004 | DEM88F2.exe | 109
  PID 4004 wrote to memory of 4008 | 4004 | DEM88F2.exe | 109
  PID 4004 wrote to memory of 4008 | 4004 | DEM88F2.exe | 109
Processes
- C:\Users\Admin\AppData\Local\Temp\0bed5566318e9c699bfef7d0a1ff0de9_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0bed5566318e9c699bfef7d0a1ff0de9_JaffaCakes118.exe"
  PID: 1864
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\DEM30F3.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\DEM30F3.exe"
    PID: 4900
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\DEM8770.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\DEM8770.exe"
      PID: 3340
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\DEMDD6F.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\DEMDD6F.exe"
        PID: 4504
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\DEM3321.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\DEM3321.exe"
          PID: 2104
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Local\Temp\DEM88F2.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\DEM88F2.exe"
            PID: 4004
            - Checks computer location settings
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory
            - C:\Users\Admin\AppData\Local\Temp\DEMDEF1.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\DEMDEF1.exe"
              PID: 4008
              - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 15KB
  MD5: b31611d780440572f018472db2ed90c1
  SHA1: 9e5a22fed1404cb64519c1aee173b17bc87e9373
  SHA256: e51185c0df8e11f43286c94f01b7ddb2fd280385f31918533d163a550acd4119
  SHA512: 0214748cbe118a88c249165f1fe4a440e0ba30680abfcd287a8da0e88416a8a520ea80a849f48182180bf430d7a8ef1f8a6eb65cc862ba528d7d237192509f9e
- Filesize: 15KB
  MD5: e25111b23e35bb8676e45703aacc9a5e
  SHA1: f77f7b3f21c5b5db156987571ed303665c872989
  SHA256: ebfebbc99b7c984ced16268faba87aaab24b00d073a477c4a4be856286bae0ea
  SHA512: 95e652f08c0a05d30952a8a8ab16c04a3dd7ae8cb4c0881c3826952a3d8adc3962636479229620881210b00fc155b10681c3f0f3ba6253f563c785835dd6a3e8
- Filesize: 15KB
  MD5: 51c85df738df02be8c14e36ff4990cb8
  SHA1: d4446aed7b984696843821d30ec971d5353fd7e9
  SHA256: 28afe9d661cd21358afdba16fc28e61be2bd2388e175e35f89a9e70157761ef0
  SHA512: a3fcb075728ac3f9976e2b30325625cce8f739782e51fefd94bd5254b1bae3f19befb100f4a705c519a1529ea8365b610ed544242e90da395461d0a257040af3
- Filesize: 15KB
  MD5: 1a58b3e7481f0e18bb9cde2ccaf63334
  SHA1: 80a8ff0d527c24c9459fa3d767f713128944e712
  SHA256: d7b27042d94645dedbf5285a11774e271f3b9a104f1345d115e6bfb9e355cb61
  SHA512: d5cba86d73d43af0a77f57d55e039ede21eae151f75fcbaf14a39b88baa7cb675e7f5d921fb8820d941f4800fef7954a23f45a6dd78f939e243dbb910daa556d
- Filesize: 15KB
  MD5: 79f685a87b9c8ca5db3f95c4d1bc793a
  SHA1: 4745cd3ed28d2bd010301ffb19b27884b9a2d942
  SHA256: 9cb6d3b2d836ba72b0743735efe6f12df292266529677222d59ee9420352eafe
  SHA512: 526ebd6b72bc7dfb0b7d7ca88d8f721ab9e8beb7679ac15fb1797492b3a350887a7bdc9c8f6787a5e8e0f16a862c5da8acd26cdf28b63f432000dd0e508397ad
- Filesize: 15KB
  MD5: 1966a4a28f1620ca57e52c6361e08c2f
  SHA1: 6c89c37d8bd3ea53e719c44ed7c8832c4a6ecf7f
  SHA256: 40df16ba30fe533030777b49ecf9f1b7e8faeaab20e7f005fefff1c88ab591e2
  SHA512: 2d06cee7e3d4ccf4cd0630ecc73c809c1e73c874e341e532b2ecd0a276d6d62d988c3ffccad801f0377b00ecf1d925d9366f93128cdede3d0d3b65d3285099da