Analysis
- max time kernel: 146s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240319-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240319-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/04/2024, 09:37
Static task: static1
Behavioral task: behavioral1
- Sample: d017f92ffeb850bd8f82357e37ce7441_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: d017f92ffeb850bd8f82357e37ce7441_JaffaCakes118.exe
- Resource: win10v2004-20240319-en
General
- Target: d017f92ffeb850bd8f82357e37ce7441_JaffaCakes118.exe
- Size: 16KB
- MD5: d017f92ffeb850bd8f82357e37ce7441
- SHA1: 967046b69b8b61d78fa9d9b1b993d85640f87a56
- SHA256: 99d030b6d50c846039217caf7a5cfc111838956b6a44f502f9442632cad01e15
- SHA512: 83212e71fbb53b3999a3f9646005efb4eec62da9fafb4dd2c26ef9251e8732b7549944f27a01c772cdba7519c0dc9a3740ff60137ef37b960dcf703c639b2d1b
- SSDEEP: 384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYJGJGdQ:hDXWipuE+K3/SSHgxmwJGdQ
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 6 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation | DEMDC9F.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation | d017f92ffeb850bd8f82357e37ce7441_JaffaCakes118.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation | DEM79F3.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation | DEMD419.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation | DEM2C7A.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation | DEM8410.exe
- Executes dropped EXE (6 IoCs)
  pid | Process
  3312 | DEM79F3.exe
  3084 | DEMD419.exe
  4912 | DEM2C7A.exe
  4092 | DEM8410.exe
  4908 | DEMDC9F.exe
  2292 | DEM3435.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (18 IoCs)
  description | pid | Process | procid_target
  PID 4652 wrote to memory of 3312 | 4652 | d017f92ffeb850bd8f82357e37ce7441_JaffaCakes118.exe | 109
  PID 4652 wrote to memory of 3312 | 4652 | d017f92ffeb850bd8f82357e37ce7441_JaffaCakes118.exe | 109
  PID 4652 wrote to memory of 3312 | 4652 | d017f92ffeb850bd8f82357e37ce7441_JaffaCakes118.exe | 109
  PID 3312 wrote to memory of 3084 | 3312 | DEM79F3.exe | 113
  PID 3312 wrote to memory of 3084 | 3312 | DEM79F3.exe | 113
  PID 3312 wrote to memory of 3084 | 3312 | DEM79F3.exe | 113
  PID 3084 wrote to memory of 4912 | 3084 | DEMD419.exe | 117
  PID 3084 wrote to memory of 4912 | 3084 | DEMD419.exe | 117
  PID 3084 wrote to memory of 4912 | 3084 | DEMD419.exe | 117
  PID 4912 wrote to memory of 4092 | 4912 | DEM2C7A.exe | 119
  PID 4912 wrote to memory of 4092 | 4912 | DEM2C7A.exe | 119
  PID 4912 wrote to memory of 4092 | 4912 | DEM2C7A.exe | 119
  PID 4092 wrote to memory of 4908 | 4092 | DEM8410.exe | 128
  PID 4092 wrote to memory of 4908 | 4092 | DEM8410.exe | 128
  PID 4092 wrote to memory of 4908 | 4092 | DEM8410.exe | 128
  PID 4908 wrote to memory of 2292 | 4908 | DEMDC9F.exe | 131
  PID 4908 wrote to memory of 2292 | 4908 | DEMDC9F.exe | 131
  PID 4908 wrote to memory of 2292 | 4908 | DEMDC9F.exe | 131
Processes
- "C:\Users\Admin\AppData\Local\Temp\d017f92ffeb850bd8f82357e37ce7441_JaffaCakes118.exe" (PID 4652)
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - "C:\Users\Admin\AppData\Local\Temp\DEM79F3.exe" (PID 3312)
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - "C:\Users\Admin\AppData\Local\Temp\DEMD419.exe" (PID 3084)
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      - "C:\Users\Admin\AppData\Local\Temp\DEM2C7A.exe" (PID 4912)
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        - "C:\Users\Admin\AppData\Local\Temp\DEM8410.exe" (PID 4092)
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
          - "C:\Users\Admin\AppData\Local\Temp\DEMDC9F.exe" (PID 4908)
            - Checks computer location settings
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory
            - "C:\Users\Admin\AppData\Local\Temp\DEM3435.exe" (PID 2292)
              - Executes dropped EXE
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4200 --field-trial-handle=2232,i,10468259530860544675,2192522633371581869,262144 --variations-seed-version /prefetch:8 (PID 4468)
Network
MITRE ATT&CK Enterprise v15
Downloads