Analysis
  max time kernel: 143s
  max time network: 148s
  platform: windows10-2004_x64
  resource: win10v2004-20240226-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 09/04/2024, 02:27
Static task: static1
Behavioral task: behavioral1
  Sample: e900e6cd547787c0ba378c4b46075d74_JaffaCakes118.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: e900e6cd547787c0ba378c4b46075d74_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
  Target: e900e6cd547787c0ba378c4b46075d74_JaffaCakes118.exe
  Size: 355KB
  MD5: e900e6cd547787c0ba378c4b46075d74
  SHA1: c50fdd3e4679dfaaab9a6b88883f71582f14d417
  SHA256: 28170716df5b62b92891e8e22847182fc2ac10b96222b74d0ad1230bd6b877b8
  SHA512: 356e05929e245de6a0e7670438f61771a3b12a786afd8f22cc67267aa8cadccb59569dbb4c09815dfaa1818e4974e605c9099b5c6f381a43f85495dbb7c2f8f2
  SSDEEP: 6144:JjT5Zh17eWxoG/+ov/2OIQ4wW3OBsCeAWnNFP3b4yRbLdzzibNjgA:JRZ+IoG/n9IQxW3OBseSN1RbL1ubNl
Malware Config
Signatures
-
Blocklisted process makes network request (6 IoCs)
  flow | pid | Process
  18 | 396 | WScript.exe
  32 | 396 | WScript.exe
  41 | 396 | WScript.exe
  45 | 396 | WScript.exe
  52 | 396 | WScript.exe
  56 | 396 | WScript.exe

Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | e900e6cd547787c0ba378c4b46075d74_JaffaCakes118.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | WScript.exe

Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\info.js | WScript.exe

Executes dropped EXE (1 IoC)
  pid | Process
  116 | setup.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WEHHRB8F7I = "\"C:\\Users\\Admin\\AppData\\Roaming\\info.js\"" | WScript.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

NSIS installer (2 IoCs)
  resource | yara_rule
  behavioral2/files/0x001000000002313b-8.dat | nsis_installer_1
  behavioral2/files/0x001000000002313b-8.dat | nsis_installer_2

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  3920 | schtasks.exe

Modifies registry class (1 IoC)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings | e900e6cd547787c0ba378c4b46075d74_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  116 | setup.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 1892 wrote to memory of 396 | 1892 | e900e6cd547787c0ba378c4b46075d74_JaffaCakes118.exe | 87
  PID 1892 wrote to memory of 396 | 1892 | e900e6cd547787c0ba378c4b46075d74_JaffaCakes118.exe | 87
  PID 1892 wrote to memory of 396 | 1892 | e900e6cd547787c0ba378c4b46075d74_JaffaCakes118.exe | 87
  PID 1892 wrote to memory of 116 | 1892 | e900e6cd547787c0ba378c4b46075d74_JaffaCakes118.exe | 89
  PID 1892 wrote to memory of 116 | 1892 | e900e6cd547787c0ba378c4b46075d74_JaffaCakes118.exe | 89
  PID 1892 wrote to memory of 116 | 1892 | e900e6cd547787c0ba378c4b46075d74_JaffaCakes118.exe | 89
  PID 396 wrote to memory of 3920 | 396 | WScript.exe | 92
  PID 396 wrote to memory of 3920 | 396 | WScript.exe | 92
  PID 396 wrote to memory of 3920 | 396 | WScript.exe | 92
Processes
  [1] C:\Users\Admin\AppData\Local\Temp\e900e6cd547787c0ba378c4b46075d74_JaffaCakes118.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\e900e6cd547787c0ba378c4b46075d74_JaffaCakes118.exe"
      PID: 1892
      - Checks computer location settings
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      [2] C:\Windows\SysWOW64\WScript.exe
          cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\info.js"
          PID: 396
          - Blocklisted process makes network request
          - Checks computer location settings
          - Drops startup file
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
          [3] C:\Windows\SysWOW64\schtasks.exe
              cmdline: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn anydesk /tr "C:\Users\Admin\AppData\Roaming\info.js
              PID: 3920
              - Creates scheduled task(s)
      [2] C:\Users\Admin\AppData\Local\Temp\setup.exe
          cmdline: "C:\Users\Admin\AppData\Local\Temp\setup.exe"
          PID: 116
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
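The process tree above shows the whole persistence chain: the dropper launches WScript.exe on info.js, which copies the script into the Startup folder, registers a Run key named WEHHRB8F7I pointing at %AppData%\info.js, and creates a scheduled task named anydesk that re-runs the script every 30 minutes; both the dropper and the script host also read Control Panel\International\Geo\Nation, a common geofence check. The Python below is an added example, not part of the Triage report or code from the sample, showing how those IoCs reduce to detection rules over Sysmon-style registry, file and process events. The event records and their field names (type, process, key, value, path, cmdline, parent) are constructed assumptions modelled on the report, not Triage's schema. Note that WScript.exe and schtasks.exe run from SysWOW64 although their command lines name System32: the dropper is 32-bit (the arch:x86 tag), so WOW64 file-system redirection applies, and the rules therefore match on image name rather than full path.

```python
"""Detection logic for the persistence and geofence behaviour recorded in this
report.  Added example, not Triage output or code from the sample.  The events
below are constructed, Sysmon-style records modelled on the IoCs above; the
field names are an assumption, not Triage's schema."""
import re
from typing import Dict, List, Tuple

SID = "S-1-5-21-566096764-1992588923-1249862864-1000"

# Constructed telemetry mirroring the report (not real captured events).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "reg_query", "process": "WScript.exe",
     "key": f"\\REGISTRY\\USER\\{SID}\\Control Panel\\International\\Geo\\Nation"},
    {"type": "reg_set", "process": "WScript.exe",
     "key": f"\\REGISTRY\\USER\\{SID}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\WEHHRB8F7I",
     "value": '"C:\\Users\\Admin\\AppData\\Roaming\\info.js"'},
    {"type": "file_create", "process": "WScript.exe",
     "path": "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\info.js"},
    {"type": "proc_create", "process": "schtasks.exe", "parent": "WScript.exe",
     "cmdline": '"C:\\Windows\\System32\\schtasks.exe" /create /sc minute /mo 30 '
                '/tn anydesk /tr "C:\\Users\\Admin\\AppData\\Roaming\\info.js'},
    # Benign noise (constructed) to show the rules ignore ordinary autostarts.
    {"type": "reg_set", "process": "explorer.exe",
     "key": f"\\REGISTRY\\USER\\{SID}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "value": '"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background'},
]

SCRIPT_EXT = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1")
_USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)
# schtasks options of interest; the value is either "quoted" (closing quote
# optional, because the command line in the report is cut off) or one token.
_SCHTASKS_OPT = re.compile(r'/(sc|mo|tn|tr)\s+(?:"([^"]*)"?|(\S+))', re.IGNORECASE)


def target_path(command: str) -> str:
    """Return the program/script path at the start of a command string, honouring quotes."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split(maxsplit=1)[0] if command else ""


def is_script(path: str) -> bool:
    return path.lower().endswith(SCRIPT_EXT)


def is_user_writable(path: str) -> bool:
    return bool(_USER_WRITABLE.search(path))


def parse_schtasks(cmdline: str) -> Dict[str, str]:
    """Extract /sc /mo /tn /tr from a schtasks command line."""
    return {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _SCHTASKS_OPT.finditer(cmdline)}


def detect(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (rule, process, detail) for each event matching a persistence or geofence pattern."""
    hits: List[Tuple[str, str, str]] = []
    for ev in events:
        kind, proc = ev["type"], ev.get("process", "")
        if kind == "reg_query" and ev["key"].lower().endswith(
                "\\control panel\\international\\geo\\nation"):
            # Windows components read this value too; allowlist them in production.
            hits.append(("geofence_check", proc, ev["key"]))
        elif kind == "reg_set" and "\\currentversion\\run\\" in ev["key"].lower():
            tgt = target_path(ev["value"])
            if is_script(tgt) and is_user_writable(tgt):
                hits.append(("run_key_script", proc, tgt))
        elif kind == "file_create" and "\\start menu\\programs\\startup\\" in ev["path"].lower():
            if is_script(ev["path"]):
                hits.append(("startup_folder_script", proc, ev["path"]))
        elif kind == "proc_create" and proc.lower() == "schtasks.exe" \
                and "/create" in ev["cmdline"].lower():
            opts = parse_schtasks(ev["cmdline"])
            tr = opts.get("tr", "")
            if is_script(tr):
                detail = f"{opts.get('tn', '?')} every {opts.get('mo', '?')} {opts.get('sc', '?')} -> {tr}"
                hits.append(("schtasks_script", ev.get("parent", proc), detail))
    return hits


if __name__ == "__main__":
    for rule, proc, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:22} {proc:14} {detail}")
```

Run against the constructed events, the four malicious records each produce one hit and the OneDrive Run entry produces none, because its target is an executable rather than a script; the schtasks rule still recovers the /tr target even though the report's command line lacks its closing quote.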
Network
MITRE ATT&CK Enterprise v15
Downloads
-
  Filesize: 55KB
  MD5: d5ad2ec0445ff7fd803f7f3ef8d5e00a
  SHA1: c928fba62f4eb3ae1aad2c5c34782908ad57f715
  SHA256: 3f538dd314b6b25cb556f4e49dd2d835c3138768631054231e6cd9a3a23ba1e8
  SHA512: 98fd1a026bf04d7e20f19ae0ad8985e99489be60c022836b6d9950723b88f9f8bd29c4477fadd7f67f4845ed1698b3bea1dc61e9d6c56ec5f70e17f8e4c8964c
-
  Filesize: 66KB
  MD5: 9b8a268527c79c2e37cd3630769303a8
  SHA1: e16d1a407e8374f9882c7814f5dc630e0a15690f
  SHA256: 07a9a0a4026aef36799649a86095f953fc8f7a32c1dab0a789c4bbb69ed46283
  SHA512: afa9e670e770d2fca423fd8fcd72c5754ec174a2d626ad478f53f3df3f99bbf58c975afec05ce9135f28e2261efdf26b429ce1ba27135aed5d45bc1e5c86c6d7