Analysis
max time kernel: 137s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/03/2024, 20:15
Static task: static1
Behavioral task: behavioral1
  Sample: 0f1804021eb96820702f0ffcb3c72015_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 0f1804021eb96820702f0ffcb3c72015_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: 0f1804021eb96820702f0ffcb3c72015_JaffaCakes118.exe
Size: 15KB
MD5: 0f1804021eb96820702f0ffcb3c72015
SHA1: d8ef69dc7c0a89fe11a29e3c2c77fcf60ea0e473
SHA256: 6ed630061d546991665f8961d29275bd9b69f91214cf4a6a0415e9cc092049f8
SHA512: 297e22ed028301c4afd23cad60e852bd9d05e6c696f32260ab712bd7e7c130284d25b9a573840eb4a8a7a0129c64def3a0c2e22990677012ede1b14f7670dd18
SSDEEP: 384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYyhb:hDXWipuE+K3/SSHgxmyhb
Malware Config
Signatures

Checks computer location settings (2 TTPs, 6 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | 0f1804021eb96820702f0ffcb3c72015_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | DEM5B01.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | DEMB3DF.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | DEMBC3.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | DEM63D6.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | DEMBC27.exe

Executes dropped EXE (6 IoCs)
pid | Process
3220 | DEM5B01.exe
436 | DEMB3DF.exe
1344 | DEMBC3.exe
1772 | DEM63D6.exe
3644 | DEMBC27.exe
4400 | DEM12C3.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (18 IoCs)
description | pid | Process | procid_target
PID 3280 wrote to memory of 3220 | 3280 | 0f1804021eb96820702f0ffcb3c72015_JaffaCakes118.exe | 103
PID 3280 wrote to memory of 3220 | 3280 | 0f1804021eb96820702f0ffcb3c72015_JaffaCakes118.exe | 103
PID 3280 wrote to memory of 3220 | 3280 | 0f1804021eb96820702f0ffcb3c72015_JaffaCakes118.exe | 103
PID 3220 wrote to memory of 436 | 3220 | DEM5B01.exe | 106
PID 3220 wrote to memory of 436 | 3220 | DEM5B01.exe | 106
PID 3220 wrote to memory of 436 | 3220 | DEM5B01.exe | 106
PID 436 wrote to memory of 1344 | 436 | DEMB3DF.exe | 109
PID 436 wrote to memory of 1344 | 436 | DEMB3DF.exe | 109
PID 436 wrote to memory of 1344 | 436 | DEMB3DF.exe | 109
PID 1344 wrote to memory of 1772 | 1344 | DEMBC3.exe | 111
PID 1344 wrote to memory of 1772 | 1344 | DEMBC3.exe | 111
PID 1344 wrote to memory of 1772 | 1344 | DEMBC3.exe | 111
PID 1772 wrote to memory of 3644 | 1772 | DEM63D6.exe | 113
PID 1772 wrote to memory of 3644 | 1772 | DEM63D6.exe | 113
PID 1772 wrote to memory of 3644 | 1772 | DEM63D6.exe | 113
PID 3644 wrote to memory of 4400 | 3644 | DEMBC27.exe | 115
PID 3644 wrote to memory of 4400 | 3644 | DEMBC27.exe | 115
PID 3644 wrote to memory of 4400 | 3644 | DEMBC27.exe | 115
Processes (tree depth shown by the leading number; each process is a child of the one above it with the next lower depth)

1 C:\Users\Admin\AppData\Local\Temp\0f1804021eb96820702f0ffcb3c72015_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0f1804021eb96820702f0ffcb3c72015_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 3280

  2 C:\Users\Admin\AppData\Local\Temp\DEM5B01.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\DEM5B01.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 3220

    3 C:\Users\Admin\AppData\Local\Temp\DEMB3DF.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\DEMB3DF.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 436

      4 C:\Users\Admin\AppData\Local\Temp\DEMBC3.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\DEMBC3.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        PID: 1344

        5 C:\Users\Admin\AppData\Local\Temp\DEM63D6.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\DEM63D6.exe"
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
          PID: 1772

          6 C:\Users\Admin\AppData\Local\Temp\DEMBC27.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\DEMBC27.exe"
            - Checks computer location settings
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory
            PID: 3644

            7 C:\Users\Admin\AppData\Local\Temp\DEM12C3.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\DEM12C3.exe"
              - Executes dropped EXE
              PID: 4400

1 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1416 --field-trial-handle=2264,i,7010714054498059916,1862725710331979271,262144 --variations-seed-version /prefetch:8
  PID: 4588
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 15KB
MD5: bf22fa3d78bc0dc5d5e11cf2e82ea2b0
SHA1: 873ee5ba1178a13995c4de6e3e635cc763dfae4e
SHA256: 1458ca63a744f189bbbee3e9293fb4fa2c5e78bfee91bcb212bc70fb0b5ded88
SHA512: 77138627171de4a57233c6a5474fcc474d6f0842343c9c16e0019a9a20576fc3950f028b0dc258126733a7a216c558fdbda87d34c4ea5a8c5c07469119eef5df

Filesize: 15KB
MD5: 83c9c1b97243cb1e3afce5ae2105b117
SHA1: 5fbddf26f30894e00996fe45ea1dc240d554ce6c
SHA256: fa235d8dfa3e1107c7cce48dd7d7a80d20b1f60df744cbf7e78bd59bfae2d997
SHA512: 57a3d5ac610e3cb7c64382801aa37e071f0557d8c57d7c438ba8a666a4a759c35ee95610fb523ec581f51b9a36ed2e960f78e6a78225a5c447a83a0aa4eba25e

Filesize: 15KB
MD5: 0950bbc41f99160a8b62536dbd1d93c8
SHA1: ccbd693a5d9889c73adc86ad8118a2c8db12f52f
SHA256: 9ce7e2d520fd2633c383e0da04796d62fcf5254d64700522232e75e5842249e8
SHA512: 674213586bee21a9d0f1cb5a2a7480a7c9d3ca832591b28af7d227833d5b0d4a162a60e6a1ecf24364ddd0bb7f7ceae4f7f87599abfebb4a7e69a5a1e16045c1

Filesize: 15KB
MD5: 1afffb005e82830e786a0d557dc1c039
SHA1: 585cc124ca510ecdc12e68be51accaf0c78e9304
SHA256: e92a52bfa06ef58df5407ba73f1907fd9fef0b3ccebfaa51b859f1e226fbc416
SHA512: f3bfa2f1009493714dd71787b75763f887ab9c68ef693d6dbe7174be903d60d9803b0c219d76522dc6234836eed451f2125c76afa6093d8f7b50c006b7b0d447

Filesize: 15KB
MD5: 3275e5ec2b25271e4ed47573b362d01a
SHA1: a05ec8b01a4791e0db2a397eab33469106502cc4
SHA256: 959e9f09d71e3ca26b5c2b46d484cd54ffa1f61adfd03eea61998197dccb9d30
SHA512: 26e0d1c76a7cdadd40b5ab5f1149f6939a88d5a9c1845aed19d094c9b0799b1d1a5d387ddb92cc037fc8981071621ad9d8e8b4e2d0fac3e8cba8d62953df7f8e

Filesize: 15KB
MD5: aea8625b39a2352bbdc8c41e8e9db302
SHA1: bfca055e6f6aaa2c0f65b85576cbb436295d52b6
SHA256: b68fee8afaa1524ae575d653a982195aeb918ea8cf4b83e8514e07e496a05d04
SHA512: 97b5a86dd6bc398ca2883e2818a320f3f27deeb5b472a7f0cd4b793bd9510b2ef07036e833ba0d5b9fdc6553b0be4f440fcd479557b7209a238c5a48c30dcd5a