Analysis

max time kernel: 141s
max time network: 163s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/04/2024, 13:16
Static task: static1

Behavioral task: behavioral1
  Sample: fa5f8bef489cf87404077b8437f700fa_JaffaCakes118.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: fa5f8bef489cf87404077b8437f700fa_JaffaCakes118.exe
  Resource: win10v2004-20240226-en

Behavioral task: behavioral3
  Sample: $_3_.exe
  Resource: win7-20240221-en

Behavioral task: behavioral4
  Sample: $_3_.exe
  Resource: win10v2004-20240412-en
General

Target: fa5f8bef489cf87404077b8437f700fa_JaffaCakes118.exe
Size: 762KB
MD5: fa5f8bef489cf87404077b8437f700fa
SHA1: a5412255ebc637165e2d7528dfc56350324769cb
SHA256: b4ae582fb61848d83e1e55dcc4925ea7788dba0c940c5a21157de6566342f06a
SHA512: 90f4ce55fab0369d3d5b43888d6ddf2c0f00408dcfe52476b045510fbd0f12400170b0260611086e826464a17d9fbe06679e0a47203af62152f13191feaff0a3
SSDEEP: 12288:qtobirltpeTtNXmLFhppAEDlPRCdc5XY/ouP9Tk284UhzSX65rdAmawrm29fPTnR:qtDltItNW7pjDlpt5XY/2TkXKza/29V
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation
  Process: internalfa5f8bef489cf87404077b8437f700fa_JaffaCakes118.exe

Executes dropped EXE (1 IoC)
  pid 4344: internalfa5f8bef489cf87404077b8437f700fa_JaffaCakes118.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Runs ping.exe (1 TTP, 1 IoC)
  pid 3688: PING.EXE

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 4344: internalfa5f8bef489cf87404077b8437f700fa_JaffaCakes118.exe
  pid 4344: internalfa5f8bef489cf87404077b8437f700fa_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
  pid 4344: internalfa5f8bef489cf87404077b8437f700fa_JaffaCakes118.exe
  pid 4344: internalfa5f8bef489cf87404077b8437f700fa_JaffaCakes118.exe
  pid 4344: internalfa5f8bef489cf87404077b8437f700fa_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description (pid, Process, procid_target):
  PID 1432 wrote to memory of 4344 (1432, fa5f8bef489cf87404077b8437f700fa_JaffaCakes118.exe, 91)
  PID 1432 wrote to memory of 4344 (1432, fa5f8bef489cf87404077b8437f700fa_JaffaCakes118.exe, 91)
  PID 1432 wrote to memory of 4344 (1432, fa5f8bef489cf87404077b8437f700fa_JaffaCakes118.exe, 91)
  PID 4344 wrote to memory of 3752 (4344, internalfa5f8bef489cf87404077b8437f700fa_JaffaCakes118.exe, 102)
  PID 4344 wrote to memory of 3752 (4344, internalfa5f8bef489cf87404077b8437f700fa_JaffaCakes118.exe, 102)
  PID 4344 wrote to memory of 3752 (4344, internalfa5f8bef489cf87404077b8437f700fa_JaffaCakes118.exe, 102)
  PID 3752 wrote to memory of 3688 (3752, cmd.exe, 104)
  PID 3752 wrote to memory of 3688 (3752, cmd.exe, 104)
  PID 3752 wrote to memory of 3688 (3752, cmd.exe, 104)
Processes

C:\Users\Admin\AppData\Local\Temp\fa5f8bef489cf87404077b8437f700fa_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fa5f8bef489cf87404077b8437f700fa_JaffaCakes118.exe"
  PID: 1432
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\nsb6241.tmp\internalfa5f8bef489cf87404077b8437f700fa_JaffaCakes118.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\nsb6241.tmp\internalfa5f8bef489cf87404077b8437f700fa_JaffaCakes118.exe C:/Users/Admin/AppData/Local/Temp/nsb6241.tmp /baseInstaller='C:/Users/Admin/AppData/Local/Temp/fa5f8bef489cf87404077b8437f700fa_JaffaCakes118.exe' /fallbackfolder='C:/Users/Admin/AppData/Local/Temp/nsb6241.tmp/fallbackfiles/'
    PID: 4344
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\13689.bat" "C:\Users\Admin\AppData\Local\Temp\9DF2E1EFAC044F249B9E8EC658D0ACFB\""
      PID: 3752
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\PING.EXE
        Command line: ping 1.1.1.1 -n 1 -w 1000
        PID: 3688
        - Runs ping.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1416 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
  PID: 2424
Downloads

(no path recorded)
  Filesize: 96B
  MD5: f20e0fdebbe1471ae9ff177cd3f157c1
  SHA1: 6c1d585d044d18ee54c547716b18368573ab5abd
  SHA256: 7a0eaf2d67fd83e1639b0bf9472c177f8caa17dd4a224519d9eeea68e4f04a23
  SHA512: 609f8fccdc9d8459b330a94e414dac9b03199b2f771eea5afbe1481e07876e40df00cc20cd92a4873b6779489db05368f4b2cc53c1b3edd985f8c05b73e5ff2a

(no path recorded)
  Filesize: 98B
  MD5: 84431be337535e17f7cac3bf75b72363
  SHA1: e5ff35730f05828bfa1757061cb555662ebbcb0d
  SHA256: 0894c58bc0f3d911842e94c4c332e2ca4e8251ba56dd294d5c62f00d008bf59d
  SHA512: 45042702669212e5492242bd658a9ede0b4ec8d73668d243fdc3e54b3ce3353d3ab1f8aa07c3e4a4f9f041b2857d484ba5489f33df4fb15fecc3f29308fcc812

(no path recorded)
  Filesize: 212B
  MD5: 668767f1e0c7ff2b3960447e259e9f00
  SHA1: 32d8abf834cce72f5e845175a0af2513b00504d8
  SHA256: cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d
  SHA512: c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

C:\Users\Admin\AppData\Local\Temp\9DF2E1EFAC044F249B9E8EC658D0ACFB\9DF2E1EFAC044F249B9E8EC658D0ACFB_LogFile.txt
  Filesize: 2KB
  MD5: f9baae8bc16af0b54f818bf2b82f83a7
  SHA1: 7f170ff0e373f90f529cbf3c31844783604bbd43
  SHA256: 5715375af85fc2f7cc9ac9fe65bc4d152c108d8a5132f0ff49cc2f2f0ae4c1cb
  SHA512: b0334380f0dfeac6c4c7bffeb0ab09ee6876b6f96f15fdc3483f3356e127408a6b04e97309a17982e48088c10d5cd6217afb3aede786ff827de19f3c928f422a

C:\Users\Admin\AppData\Local\Temp\9DF2E1EFAC044F249B9E8EC658D0ACFB\9DF2E1EFAC044F249B9E8EC658D0ACFB_LogFile.txt
  Filesize: 3KB
  MD5: 17215e839756c26602e32d3fdb836f79
  SHA1: 3cd59a089a9d1a5b2619fb2d192550de97a2b0da
  SHA256: 1a5f697025f321d5aada186addf109ba40dc71d45a3eff4ef4ee7be8bd932509
  SHA512: 2f8337be4ac8e563a74e77725af7cc58cb622190bfd366a84c1950c2bd21135c955e4a1b41bddb2ada5a584423448f95fe0ccdaf90c61f7aea3dfdd5d09dc021

C:\Users\Admin\AppData\Local\Temp\9DF2E1EFAC044F249B9E8EC658D0ACFB\9DF2E1EFAC044F249B9E8EC658D0ACFB_LogFile.txt
  Filesize: 5KB
  MD5: c83c9db021582b621edd98022e6453e8
  SHA1: 6c721010c3a0ea59bcd6dc7f517bbe2e0e017b96
  SHA256: d805bf8a9afd3197df342672895ab74e3d69fffd721152f8b1e3ec9e47388d09
  SHA512: 0022e4665c6cc38cc74b06fd21237232ded72c3dec2dac50700599b1f28cc50d3f9ebfedfd2e47d9612f0559221d54ab97d2467f26cb39aa76812c9153c596c1

(no path recorded)
  Filesize: 26KB
  MD5: ddcb6719a4462b295b75f179f69494cc
  SHA1: 013355b5b62c626b45df0e18b241e7c7d7fd366e
  SHA256: 21034e9c32ed4afb0bee620c43aaf94f4b0b8c146c26296f36d7ab9e69966689
  SHA512: 248c6c893ba6c1ded3ea7fe60ed7a12fa94aff7bd6ac3fc7a1f880d6f3f6dfbfe466ba1ed7086a888cd66aeb1b4ef9712c17fa0828a0ec6df079c0aa6e28529e

C:\Users\Admin\AppData\Local\Temp\nsb6241.tmp\internalfa5f8bef489cf87404077b8437f700fa_JaffaCakes118.exe
  Filesize: 1.7MB
  MD5: d4c16982f8a834bc0f8028b45c3ae543
  SHA1: 9d9cec9af8f23a23521e20d48d9af1024663a4a7
  SHA256: 932badf8ce27381bd595c9d861d7f7142fe98f233a893a2003a5f5e5ec163b3b
  SHA512: c94b8d978afac107c08a5405cf9510e48d4bcf1284292eee1d08898f1c7a43a83a9655dc4d85d27d3b825e45a8f136c7beb71405fab94bb5e2437b7c4ad44b5c

C:\Users\Admin\AppData\Local\Temp\nsb6241.tmp\internalfa5f8bef489cf87404077b8437f700fa_JaffaCakes118_icon.ico
  Filesize: 31KB
  MD5: 1f047e870359e4ef7097acefe2043f20
  SHA1: 82ab7362f9c066473b2643e6cd4201ccbf0bb586
  SHA256: f8aa104cfb7abbceac412d4906ce10f5cf576dd4eb9a525103946d692c55734e
  SHA512: e4e779676d19d84507250adcffcd9cba99c1666f7678f832c03e41f5f264d16a43ae924d8e29e783d84b2742be1a45803aec99a36b9a3784c4f2d6edd297e286

C:\Users\Admin\AppData\Local\Temp\nsb6241.tmp\internalfa5f8bef489cf87404077b8437f700fa_JaffaCakes118_splash.png
  Filesize: 65KB
  MD5: ef1514e5d2bcf830b39858f0736d7de7
  SHA1: 832214b62cb3e56f858a876fc3f09cb3c3324cbb
  SHA256: c61599b0e0207ac5f7db1551e96818ec4abcbf77def4afe00fb2bbccc2ca6bb1
  SHA512: cf547ad17ca774bb18c3931625eb3c7b6fe208af433332efa11653605f346d5449289739dbce66aef1c50fb134966419defcb02fd5bb206f8a2211f0e4b0e45d