Analysis
  max time kernel: 148s
  max time network: 113s
  platform: windows10-2004_x64
  resource: win10v2004-20240412-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 15/04/2024, 12:11
Static task
  static1
Behavioral task
  behavioral1
    Sample: f1063749089485c04afdf0e612ecefd6_JaffaCakes118.exe
    Resource: win7-20240319-en
Behavioral task
  behavioral2
    Sample: f1063749089485c04afdf0e612ecefd6_JaffaCakes118.exe
    Resource: win10v2004-20240412-en
General
  Target: f1063749089485c04afdf0e612ecefd6_JaffaCakes118.exe
  Size: 380KB
  MD5: f1063749089485c04afdf0e612ecefd6
  SHA1: 1aff565fa53fbf071e2d82bd13364dac94d074ab
  SHA256: 26e3935f9e6a021f70782e8d6a1c4d0d23c218bcfffdb79b3526b746d5a290f6
  SHA512: ff06a98ac64430f823063dedc06a40d8e55d152594c92cd2c89f7850dd227dfb05f9d36f2170b1f5274141b4a9fc04a4046b03d637e7bf692cab719f029c1b0a
  SSDEEP: 6144:jHmzMe3ZKpplTrUFaEnuKlJD2qhiVrBDPi87DxmLX2xq5otuBNukc1ppB3PQ:bGZpgKaEnuylEK877qGcHG4
Malware Config
Signatures
  Checks computer location settings (2 TTPs, 1 IoC)
    Looks up country code configured in the registry, likely geofence.
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation
    Process: f1063749089485c04afdf0e612ecefd6_JaffaCakes118.exe
  Executes dropped EXE (1 IoC)
    pid   Process
    5032  acieixvka.exe
  Loads dropped DLL (1 IoC)
    pid   Process
    5032  acieixvka.exe
  Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  Program crash (15 IoCs)
    pid   pid_target  Process       procid_target
    348   4416        WerFault.exe  82
    2712  4416        WerFault.exe  82
    3900  4416        WerFault.exe  82
    4652  4416        WerFault.exe  82
    1516  4416        WerFault.exe  82
    1576  4416        WerFault.exe  82
    3120  4416        WerFault.exe  82
    2664  4416        WerFault.exe  82
    2636  4416        WerFault.exe  82
    5048  5032        WerFault.exe  112
    928   5032        WerFault.exe  112
    1932  5032        WerFault.exe  112
    1828  5032        WerFault.exe  112
    2812  5032        WerFault.exe  112
    4164  5032        WerFault.exe  112
  Kills process with taskkill (1 IoC)
    pid   Process
    1396  taskkill.exe
  Runs ping.exe (1 TTP, 1 IoC)
    pid   Process
    4924  PING.EXE
  Suspicious use of AdjustPrivilegeToken (1 IoC)
    description               pid   Process
    Token: SeDebugPrivilege   1396  taskkill.exe
  Suspicious use of WriteProcessMemory (12 IoCs)
    description                        pid   Process                                              procid_target
    PID 4416 wrote to memory of 552    4416  f1063749089485c04afdf0e612ecefd6_JaffaCakes118.exe  104
    PID 4416 wrote to memory of 552    4416  f1063749089485c04afdf0e612ecefd6_JaffaCakes118.exe  104
    PID 4416 wrote to memory of 552    4416  f1063749089485c04afdf0e612ecefd6_JaffaCakes118.exe  104
    PID 552 wrote to memory of 1396    552   cmd.exe                                              108
    PID 552 wrote to memory of 1396    552   cmd.exe                                              108
    PID 552 wrote to memory of 1396    552   cmd.exe                                              108
    PID 552 wrote to memory of 4924    552   cmd.exe                                              110
    PID 552 wrote to memory of 4924    552   cmd.exe                                              110
    PID 552 wrote to memory of 4924    552   cmd.exe                                              110
    PID 552 wrote to memory of 5032    552   cmd.exe                                              112
    PID 552 wrote to memory of 5032    552   cmd.exe                                              112
    PID 552 wrote to memory of 5032    552   cmd.exe                                              112
Processes (indentation shows parent/child relationship)
  [PID 4416] C:\Users\Admin\AppData\Local\Temp\f1063749089485c04afdf0e612ecefd6_JaffaCakes118.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\f1063749089485c04afdf0e612ecefd6_JaffaCakes118.exe"
      signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
    [PID 348] C:\Windows\SysWOW64\WerFault.exe
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 588
        signatures: Program crash
    [PID 2712] C:\Windows\SysWOW64\WerFault.exe
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 664
        signatures: Program crash
    [PID 3900] C:\Windows\SysWOW64\WerFault.exe
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 776
        signatures: Program crash
    [PID 4652] C:\Windows\SysWOW64\WerFault.exe
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 872
        signatures: Program crash
    [PID 1516] C:\Windows\SysWOW64\WerFault.exe
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 1032
        signatures: Program crash
    [PID 1576] C:\Windows\SysWOW64\WerFault.exe
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 888
        signatures: Program crash
    [PID 3120] C:\Windows\SysWOW64\WerFault.exe
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 888
        signatures: Program crash
    [PID 2664] C:\Windows\SysWOW64\WerFault.exe
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 1052
        signatures: Program crash
    [PID 552] C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /f /pid 4416 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\f1063749089485c04afdf0e612ecefd6_JaffaCakes118.exe" & start C:\Users\Admin\AppData\Local\ACIEIX~1.EXE -f
        signatures: Suspicious use of WriteProcessMemory
      [PID 1396] C:\Windows\SysWOW64\taskkill.exe
          cmdline: taskkill /f /pid 4416
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      [PID 4924] C:\Windows\SysWOW64\PING.EXE
          cmdline: ping -n 3 127.1
          signatures: Runs ping.exe
      [PID 5032] C:\Users\Admin\AppData\Local\acieixvka.exe
          cmdline: C:\Users\Admin\AppData\Local\ACIEIX~1.EXE -f
          signatures: Executes dropped EXE; Loads dropped DLL
        [PID 5048] C:\Windows\SysWOW64\WerFault.exe
            cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 552
            signatures: Program crash
        [PID 928] C:\Windows\SysWOW64\WerFault.exe
            cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 800
            signatures: Program crash
        [PID 1932] C:\Windows\SysWOW64\WerFault.exe
            cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 840
            signatures: Program crash
        [PID 1828] C:\Windows\SysWOW64\WerFault.exe
            cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 856
            signatures: Program crash
        [PID 2812] C:\Windows\SysWOW64\WerFault.exe
            cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 808
            signatures: Program crash
        [PID 4164] C:\Windows\SysWOW64\WerFault.exe
            cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 848
            signatures: Program crash
    [PID 2636] C:\Windows\SysWOW64\WerFault.exe
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 532
        signatures: Program crash
  [PID 4076] C:\Windows\SysWOW64\WerFault.exe
      cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4416 -ip 4416
  [PID 1476] C:\Windows\SysWOW64\WerFault.exe
      cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4416 -ip 4416
  [PID 5112] C:\Windows\SysWOW64\WerFault.exe
      cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4416 -ip 4416
  [PID 2688] C:\Windows\SysWOW64\WerFault.exe
      cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4416 -ip 4416
  [PID 2728] C:\Windows\SysWOW64\WerFault.exe
      cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4416 -ip 4416
  [PID 1788] C:\Windows\SysWOW64\WerFault.exe
      cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4416 -ip 4416
  [PID 4852] C:\Windows\SysWOW64\WerFault.exe
      cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4416 -ip 4416
  [PID 1716] C:\Windows\SysWOW64\WerFault.exe
      cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4416 -ip 4416
  [PID 3996] C:\Windows\SysWOW64\WerFault.exe
      cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4416 -ip 4416
  [PID 812] C:\Windows\SysWOW64\WerFault.exe
      cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5032 -ip 5032
  [PID 4056] C:\Windows\SysWOW64\WerFault.exe
      cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5032 -ip 5032
  [PID 1476] C:\Windows\SysWOW64\WerFault.exe
      cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5032 -ip 5032
  [PID 4540] C:\Windows\SysWOW64\WerFault.exe
      cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5032 -ip 5032
  [PID 3752] C:\Windows\SysWOW64\WerFault.exe
      cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5032 -ip 5032
  [PID 4736] C:\Windows\SysWOW64\WerFault.exe
      cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 5032 -ip 5032
MITRE ATT&CK Enterprise v15