Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/03/2024, 02:51
Static task: static1
Behavioral task: behavioral1
  Sample: 1691b284f4f743299f55fb45a1430800_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 1691b284f4f743299f55fb45a1430800_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: 1691b284f4f743299f55fb45a1430800_JaffaCakes118.exe
Size: 15KB
MD5: 1691b284f4f743299f55fb45a1430800
SHA1: 4ff517a23e180ee9f7e3bd4052258f956ca7e2ca
SHA256: 1193547d3340b7ceef433b720dd96d2ea4b493030a9494626472f3a8958dfee6
SHA512: 75e0879d77e09cdcd086a0b9a0af2e6f692f402074eeb0893d428f3a6a2bbeccc0df16dac0ca533b8eda3b27ad6172f1665b2c4adaa8d3ede5d70a77893f2c37
SSDEEP: 384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYvcPay8K:hDXWipuE+K3/SSHgxmkClK
Malware Config
Signatures

Checks computer location settings (2 TTPs, 6 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | DEM371D.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | DEM8D8A.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | DEME36B.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | DEM3989.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | DEM8F89.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | 1691b284f4f743299f55fb45a1430800_JaffaCakes118.exe

Executes dropped EXE (6 IoCs)
pid | Process
624 | DEM371D.exe
4868 | DEM8D8A.exe
1536 | DEME36B.exe
3784 | DEM3989.exe
4320 | DEM8F89.exe
1964 | DEME5A8.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (18 IoCs)
description | pid | Process | procid_target
PID 3900 wrote to memory of 624 | 3900 | 1691b284f4f743299f55fb45a1430800_JaffaCakes118.exe | 97
PID 3900 wrote to memory of 624 | 3900 | 1691b284f4f743299f55fb45a1430800_JaffaCakes118.exe | 97
PID 3900 wrote to memory of 624 | 3900 | 1691b284f4f743299f55fb45a1430800_JaffaCakes118.exe | 97
PID 624 wrote to memory of 4868 | 624 | DEM371D.exe | 100
PID 624 wrote to memory of 4868 | 624 | DEM371D.exe | 100
PID 624 wrote to memory of 4868 | 624 | DEM371D.exe | 100
PID 4868 wrote to memory of 1536 | 4868 | DEM8D8A.exe | 102
PID 4868 wrote to memory of 1536 | 4868 | DEM8D8A.exe | 102
PID 4868 wrote to memory of 1536 | 4868 | DEM8D8A.exe | 102
PID 1536 wrote to memory of 3784 | 1536 | DEME36B.exe | 104
PID 1536 wrote to memory of 3784 | 1536 | DEME36B.exe | 104
PID 1536 wrote to memory of 3784 | 1536 | DEME36B.exe | 104
PID 3784 wrote to memory of 4320 | 3784 | DEM3989.exe | 106
PID 3784 wrote to memory of 4320 | 3784 | DEM3989.exe | 106
PID 3784 wrote to memory of 4320 | 3784 | DEM3989.exe | 106
PID 4320 wrote to memory of 1964 | 4320 | DEM8F89.exe | 108
PID 4320 wrote to memory of 1964 | 4320 | DEM8F89.exe | 108
PID 4320 wrote to memory of 1964 | 4320 | DEM8F89.exe | 108
Processes

1. C:\Users\Admin\AppData\Local\Temp\1691b284f4f743299f55fb45a1430800_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1691b284f4f743299f55fb45a1430800_JaffaCakes118.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   PID: 3900

  2. C:\Users\Admin\AppData\Local\Temp\DEM371D.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\DEM371D.exe"
     - Checks computer location settings
     - Executes dropped EXE
     - Suspicious use of WriteProcessMemory
     PID: 624

    3. C:\Users\Admin\AppData\Local\Temp\DEM8D8A.exe
       Command line: "C:\Users\Admin\AppData\Local\Temp\DEM8D8A.exe"
       - Checks computer location settings
       - Executes dropped EXE
       - Suspicious use of WriteProcessMemory
       PID: 4868

      4. C:\Users\Admin\AppData\Local\Temp\DEME36B.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\DEME36B.exe"
         - Checks computer location settings
         - Executes dropped EXE
         - Suspicious use of WriteProcessMemory
         PID: 1536

        5. C:\Users\Admin\AppData\Local\Temp\DEM3989.exe
           Command line: "C:\Users\Admin\AppData\Local\Temp\DEM3989.exe"
           - Checks computer location settings
           - Executes dropped EXE
           - Suspicious use of WriteProcessMemory
           PID: 3784

          6. C:\Users\Admin\AppData\Local\Temp\DEM8F89.exe
             Command line: "C:\Users\Admin\AppData\Local\Temp\DEM8F89.exe"
             - Checks computer location settings
             - Executes dropped EXE
             - Suspicious use of WriteProcessMemory
             PID: 4320

            7. C:\Users\Admin\AppData\Local\Temp\DEME5A8.exe
               Command line: "C:\Users\Admin\AppData\Local\Temp\DEME5A8.exe"
               - Executes dropped EXE
               PID: 1964
Network
MITRE ATT&CK Enterprise v15
Downloads