Analysis
max time kernel: 92s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/04/2024, 13:01
Behavioral task: behavioral1
  Sample: e7853ebec5f438d537e1f0d59daef2b7_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: e7853ebec5f438d537e1f0d59daef2b7_JaffaCakes118.exe
  Resource: win10v2004-20231215-en
General
Target: e7853ebec5f438d537e1f0d59daef2b7_JaffaCakes118.exe
Size: 13KB
MD5: e7853ebec5f438d537e1f0d59daef2b7
SHA1: a3630f7c39503e1b3c7bf6393af6dffccd7b9782
SHA256: 1b5723422fd107ecac103455ec79c881d4785970d33cc375f8de146267126ab8
SHA512: 79811c6e6fc74e71f26d67eb221ee39ee86f7c563fcfc9d56f2d5847b9b8df02eb60316cd484d9368b1c8c4374c18f9c2dd8dd037ab6a923595a481d0d8f3534
SSDEEP: 384:s5wfWyQB/pbXkaegjYWBX12fnaNJawcudoD7UM:AwfqXkaLYWBX12fanbcuyD7U
Malware Config
Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  description       | ioc                                                                                                   | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | e7853ebec5f438d537e1f0d59daef2b7_JaffaCakes118.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | b2e.exe

Executes dropped EXE (2 IoCs)
  pid  | Process
  212  | b2e.exe
  3056 | win32runtime.exe

  resource                                                                        | yara_rule
  behavioral2/memory/2432-0-0x0000000000400000-0x000000000040C000-memory.dmp      | upx
  behavioral2/memory/2432-8-0x0000000000400000-0x000000000040C000-memory.dmp      | upx

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (12 IoCs)
  description                        | pid  | Process                                            | procid_target
  PID 2432 wrote to memory of 212    | 2432 | e7853ebec5f438d537e1f0d59daef2b7_JaffaCakes118.exe | 85
  PID 2432 wrote to memory of 212    | 2432 | e7853ebec5f438d537e1f0d59daef2b7_JaffaCakes118.exe | 85
  PID 2432 wrote to memory of 212    | 2432 | e7853ebec5f438d537e1f0d59daef2b7_JaffaCakes118.exe | 85
  PID 212 wrote to memory of 4228    | 212  | b2e.exe                                            | 86
  PID 212 wrote to memory of 4228    | 212  | b2e.exe                                            | 86
  PID 212 wrote to memory of 4228    | 212  | b2e.exe                                            | 86
  PID 4228 wrote to memory of 3056   | 4228 | cmd.exe                                            | 89
  PID 4228 wrote to memory of 3056   | 4228 | cmd.exe                                            | 89
  PID 4228 wrote to memory of 3056   | 4228 | cmd.exe                                            | 89
  PID 212 wrote to memory of 1352    | 212  | b2e.exe                                            | 90
  PID 212 wrote to memory of 1352    | 212  | b2e.exe                                            | 90
  PID 212 wrote to memory of 1352    | 212  | b2e.exe                                            | 90
Processes

C:\Users\Admin\AppData\Local\Temp\e7853ebec5f438d537e1f0d59daef2b7_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\e7853ebec5f438d537e1f0d59daef2b7_JaffaCakes118.exe"
  PID: 2432
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\5043.tmp\b2e.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\5043.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\5043.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\e7853ebec5f438d537e1f0d59daef2b7_JaffaCakes118.exe"
    PID: 212
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\516C.tmp\batfile.bat" "
      PID: 4228
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\win32runtime.exe
        command line: win32runtime.exe
        PID: 3056
        - Executes dropped EXE

    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\selfdel0.bat" "
      PID: 1352
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 17KB
MD5: 746c4b919f32f705067adccc46748ed7
SHA1: 26e228a986bdfe7219d8354b6f9cbc4c3637dcfe
SHA256: 5fcf4a4980b50f43a06ee1be36a01f2d922664beebd20bd5a2ef1a6a6b31b4c4
SHA512: ec3d48b5e04d420a6e6bcab37d243dbd1c935d97f6cb6c383deeb19e27d820f1884ea3876937e6bffa03a298f71527f601288cdbe2fd5c2b0d29bd4d139fa0fc

Filesize: 172B
MD5: 293d7e6df8e49c8596f0720d08be56c2
SHA1: acfd19c1669dd9ca84f86fda1cbce80b46e4ecfd
SHA256: 8b562d60078c5408336402b1c4a4150b0b5a9cabaad7db399d9870b94199a1bb
SHA512: 771c36a25bb25e37445b97f360362b2db4168fb292ff80376330ff152c6d242504592bcef3f58314fe71798cfdc14848ab8d68b6d5b08fad7235cd890fd689fe

Filesize: 158B
MD5: 86fe4938d1986696bca9d868d67f1c08
SHA1: 41f482473250996cd98b77ca41e310c9b78917c5
SHA256: 20133e2e0a8ed87775d546c07bfee1d396db3244576d5137c4848b9b14efe1d7
SHA512: 150f49b0a328e84f097a8406a5b711a6f8dd10295e79b33ac899bbe36e052082cad6f38b018b2f9e1a78b9ff83fe5ce16d9cb6c6db77c68310c885d958c038f0

Filesize: 9KB
MD5: 92f601d63e34b5938bbcb5e8ecb399c3
SHA1: e405c007d698c63e8abe9d51305e1daba978728f
SHA256: c4bd442484b223fc11df6861efbe64993042c9b9381fdb3d42e73cbbc0ef9d69
SHA512: 76cd255c7ce5c846f418be340e9c1bf762ac455b25d9de072bb28ec21061456d07a13e2e504f97242d913df3fa4f735fa3366de4b50938ba65a68a7eda3c4ddd