Analysis
max time kernel: 144s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/04/2024, 10:10
Static task: static1
Behavioral task: behavioral1
  Sample: d0cc8b51c66686d121141cea281f6867_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: d0cc8b51c66686d121141cea281f6867_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: d0cc8b51c66686d121141cea281f6867_JaffaCakes118.exe
Size: 14KB
MD5: d0cc8b51c66686d121141cea281f6867
SHA1: d131fe5aabe1a57b3e5acdbcfc9b823843157d78
SHA256: c025f72c59127f9244c4fe6c716e614d05c9ae2f765162064e0f2d5b25a5f311
SHA512: 294807a3cd03ffae3dff8924cee5d6d724de524e273bff63c1e28a1420fcbb4322e990a185d44fdf4e657f6dd3d0319c687c90239f2dc3cca27d0cd1daaa5d1e
SSDEEP: 384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY4YZUN:hDXWipuE+K3/SSHgxm4
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 6 IoCs)
  Looks up country code configured in the registry, likely geofence.

  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | d0cc8b51c66686d121141cea281f6867_JaffaCakes118.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | DEMBE7D.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | DEM1817.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | DEM7039.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | DEMC743.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | DEM1FE2.exe

- Executes dropped EXE (6 IoCs)

  pid | Process
  3356 | DEMBE7D.exe
  4592 | DEM1817.exe
  944 | DEM7039.exe
  3660 | DEMC743.exe
  2648 | DEM1FE2.exe
  2080 | DEM7843.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Suspicious use of WriteProcessMemory (18 IoCs)

  description | pid | Process | procid_target
  PID 2832 wrote to memory of 3356 | 2832 | d0cc8b51c66686d121141cea281f6867_JaffaCakes118.exe | 104
  PID 2832 wrote to memory of 3356 | 2832 | d0cc8b51c66686d121141cea281f6867_JaffaCakes118.exe | 104
  PID 2832 wrote to memory of 3356 | 2832 | d0cc8b51c66686d121141cea281f6867_JaffaCakes118.exe | 104
  PID 3356 wrote to memory of 4592 | 3356 | DEMBE7D.exe | 108
  PID 3356 wrote to memory of 4592 | 3356 | DEMBE7D.exe | 108
  PID 3356 wrote to memory of 4592 | 3356 | DEMBE7D.exe | 108
  PID 4592 wrote to memory of 944 | 4592 | DEM1817.exe | 110
  PID 4592 wrote to memory of 944 | 4592 | DEM1817.exe | 110
  PID 4592 wrote to memory of 944 | 4592 | DEM1817.exe | 110
  PID 944 wrote to memory of 3660 | 944 | DEM7039.exe | 112
  PID 944 wrote to memory of 3660 | 944 | DEM7039.exe | 112
  PID 944 wrote to memory of 3660 | 944 | DEM7039.exe | 112
  PID 3660 wrote to memory of 2648 | 3660 | DEMC743.exe | 114
  PID 3660 wrote to memory of 2648 | 3660 | DEMC743.exe | 114
  PID 3660 wrote to memory of 2648 | 3660 | DEMC743.exe | 114
  PID 2648 wrote to memory of 2080 | 2648 | DEM1FE2.exe | 116
  PID 2648 wrote to memory of 2080 | 2648 | DEM1FE2.exe | 116
  PID 2648 wrote to memory of 2080 | 2648 | DEM1FE2.exe | 116
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\d0cc8b51c66686d121141cea281f6867_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d0cc8b51c66686d121141cea281f6867_JaffaCakes118.exe"
  PID: 2832
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Local\Temp\DEMBE7D.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\DEMBE7D.exe"
    PID: 3356
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Users\Admin\AppData\Local\Temp\DEM1817.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\DEM1817.exe"
      PID: 4592
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      Level 4: C:\Users\Admin\AppData\Local\Temp\DEM7039.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\DEM7039.exe"
        PID: 944
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

        Level 5: C:\Users\Admin\AppData\Local\Temp\DEMC743.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\DEMC743.exe"
          PID: 3660
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory

          Level 6: C:\Users\Admin\AppData\Local\Temp\DEM1FE2.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\DEM1FE2.exe"
            PID: 2648
            - Checks computer location settings
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory

            Level 7: C:\Users\Admin\AppData\Local\Temp\DEM7843.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\DEM7843.exe"
              PID: 2080
              - Executes dropped EXE

Level 1: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3376 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
  PID: 1536
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 15KB
MD5: ac4375e983d48f34f26fffc73b4fedd4
SHA1: 02629ec7d1464163ab39d86fe907dc660ce086f6
SHA256: f529879f1b65e76c775fef0e5c9f399ed84281d58916258879fcb4f44b7d7b5b
SHA512: f7e408b2f1d0ab10aa66cc415c8bdc0aa4a263024ca9cd59489648be54498ac46e7fbe7c708991dec31bc68582bde031e5df48296f51d8068c2b8312dab4687e

Filesize: 15KB
MD5: 181f8d52f8a15c6c0addb517397e8a71
SHA1: f9b66dbf2908f37abbe9e7dfa22b44680f56026a
SHA256: 114ff9a55094d0f9c3aa15932d12f3612a3a5ee9bd5ec255e27ae66552f59925
SHA512: bb38b99cc6950e7869652da0cb927c9ebc6ad3d9e26a17139eaf934ea6e2e7bb11b39940e5e82e9fbebc04c2ff19bc2b5efb7767664f10dc09df0b37aeee1f3b

Filesize: 15KB
MD5: 06866c71e01e1526451b300f11789537
SHA1: ff7c71d232204b34981afcfd8daa69638a932605
SHA256: 8202373802142f76ed7973665c912d5e5b260724589f7f721a6777a91c3f96b6
SHA512: 8fb06022cbadc4e80b022b4b5d7cc51655d115d0044a87622d068bf99aa94e99d07727395390bb31cba4250561b67773b01d503b51074b1515d359c569cfb238

Filesize: 15KB
MD5: b9cf4fc1cf418ebdbfc46b8994dc51e5
SHA1: effb1b6fb1b553ca215b392a985b653509c890c5
SHA256: b8e7ee763dd5fa94a3504ae083540981b3ea80ffa1ffae19a34a5a2e5aeddd0c
SHA512: dc58096bcaca2deadf5456bbda6fa7935af09881ef2fe5df59b9911a5c285eb7e1bb6edffad4d3ccaa8445a7907527ac2b740fde509bb28dc442039e0017ca55

Filesize: 14KB
MD5: 8eeb4b152f29cdb0083f382a2b6b002d
SHA1: 70bbe3996fdf776d4aa97e408ee08691696b3843
SHA256: 4d49ec89d5c7ab78ff77e7071fcf7becf937fea1281135d037ef908800311a7c
SHA512: d36eef4e6d4f2a9843c24ce965e45b7be99d57ae2c277b65b0038e2c7a6116aafcab0bd0d54a6160e4811ac6279bc882370512a8d486ba8339fc02cc39f506f4

Filesize: 15KB
MD5: 59bd7c328553ecd06733ddf0c5363cb9
SHA1: 4d0f5d85e1eb2989394f80380dd7236f9c9186c5
SHA256: 687d1ffa1fe297ff7c1f8dce6c2fdcfa73f140d8889a4a083bcd414be0e526f3
SHA512: cdb1ac5a001afb483fad575d96699ed60601f732e40bec3a87045543459cdb1d7f80008ba9f1deaad53ec0a599acc7d74b99e828a3d6875a26f1f43da2dcd9c5