Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31/03/2024, 21:18
Static task: static1
Behavioral task: behavioral1
  Sample: 5e6114efe56d6a4cb3b9efaeeb18a2c1_JaffaCakes118.js
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 5e6114efe56d6a4cb3b9efaeeb18a2c1_JaffaCakes118.js
  Resource: win10v2004-20240226-en
General
Target: 5e6114efe56d6a4cb3b9efaeeb18a2c1_JaffaCakes118.js
Size: 24KB
MD5: 5e6114efe56d6a4cb3b9efaeeb18a2c1
SHA1: 6ff4182105261e965ad8f3b373c98a9cf7b4d1bb
SHA256: e1c16f7c77280f307b671baaf7409b6ca7772bcddec3d3bd2b667034df320e27
SHA512: b4f0ccbee4c3e891f085ef6108d36b2f65c7efb3d01bb28ed848072bb25426d831df24f7651a41067b34311b1e2b30c381ba456ca8f2a7535e8b687ac702d105
SSDEEP: 384:Jm3uw3bKnVw/cj2i3TvskXpuYno5w9FW0z7KQuDFPlglpxivySfj/MGznhfd1:klrKOfiYkXpNn4wHjz0gT6BP
Malware Config
Signatures

Blocklisted process makes network request (17 IoCs)
  flow  pid   Process
  5     3172  wscript.exe
  16    3172  wscript.exe
  25    3172  wscript.exe
  27    3172  wscript.exe
  43    3172  wscript.exe
  45    3172  wscript.exe
  47    3172  wscript.exe
  53    3172  wscript.exe
  55    3172  wscript.exe
  57    3172  wscript.exe
  65    3172  wscript.exe
  67    3172  wscript.exe
  69    3172  wscript.exe
  72    3172  wscript.exe
  74    3172  wscript.exe
  76    3172  wscript.exe
  78    3172  wscript.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                          Process
  Key value queried  \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation        wscript.exe

Drops startup file (3 IoCs)
  description                   ioc                                                                                                                    Process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5e6114efe56d6a4cb3b9efaeeb18a2c1_JaffaCakes118.js  wscript.exe
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IgOMTiUSwr.js                              wscript.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IgOMTiUSwr.js                              wscript.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                                                                                       Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\IgOMTiUSwr.js\""                                wscript.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3W2CQPM6PM = "\"C:\\Users\\Admin\\AppData\\Roaming\\5e6114efe56d6a4cb3b9efaeeb18a2c1_JaffaCakes118.js\""  wscript.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (2 IoCs)
  description                       pid   Process      procid_target
  PID 3172 wrote to memory of 4320  3172  wscript.exe  88
  PID 3172 wrote to memory of 4320  3172  wscript.exe  88
Processes

C:\Windows\system32\wscript.exe (PID 3172)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\5e6114efe56d6a4cb3b9efaeeb18a2c1_JaffaCakes118.js
  - Blocklisted process makes network request
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\wscript.exe (PID 4320)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\IgOMTiUSwr.js"
    - Drops startup file
    - Adds Run key to start application
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 8KB
MD5: e3e02044f9c52b7ccc612c7018a6e8cb
SHA1: 4b09da4abe3f8d626043a3302f607622496c4df5
SHA256: d6fda24f2c7f287aefe429557a7b6dc2c4b3f6e8c04fe753352dc79cf6d14938
SHA512: 8e491eef71548162d30d1e11bf09ec2a3d1223c2b1a5314ff6939dcfc5e261da5ea62e3a201c9e07c0d965df82db489907513cfa57e0b8b963e4cb7d3d2e2e85