Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20/04/2024, 23:10
Static task
- static1

Behavioral task
- behavioral1
  Sample: fdde02ffc0c11e37597f16e75443951c_JaffaCakes118.exe
  Resource: win7-20240221-en

Behavioral task
- behavioral2
  Sample: fdde02ffc0c11e37597f16e75443951c_JaffaCakes118.exe
  Resource: win10v2004-20240412-en
General
- Target: fdde02ffc0c11e37597f16e75443951c_JaffaCakes118.exe
- Size: 212KB
- MD5: fdde02ffc0c11e37597f16e75443951c
- SHA1: a6e186c8e7d3840dbc8400e11601dd3ac2ebd8a2
- SHA256: 05bbab0386133ba28831074ee7546b2602807c44c22331599bed0a6b72736f25
- SHA512: 3be9bf4dc19d3ceeac2a3908aadb5f131671ee77d3fc214595c0880e987258432a41b940ded180075fce378a52b2f2905e90fd4ede23715221423cfb7c32d824
- SSDEEP: 3072:JPFIGJkYW3qeavs02vkk6eslROTBSmAJHrzhIiL+5X/h1osrXLuldnzsGvYm:JOGJkY2Nvkk6dlRCS59P3G5frql+Fm
Malware Config
Signatures

- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.

  description        ioc                                                                                                   Process
  Key value queried  \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation   fdde02ffc0c11e37597f16e75443951c_JaffaCakes118.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation   28ab10.exe

- Executes dropped EXE (1 IoC)

  pid   Process
  4404  28ab10.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Suspicious use of WriteProcessMemory (6 IoCs)

  description                          pid   Process                                             procid_target
  PID 4832 wrote to memory of 4404     4832  fdde02ffc0c11e37597f16e75443951c_JaffaCakes118.exe  89
  PID 4832 wrote to memory of 4404     4832  fdde02ffc0c11e37597f16e75443951c_JaffaCakes118.exe  89
  PID 4832 wrote to memory of 4404     4832  fdde02ffc0c11e37597f16e75443951c_JaffaCakes118.exe  89
  PID 4404 wrote to memory of 4388     4404  28ab10.exe                                          98
  PID 4404 wrote to memory of 4388     4404  28ab10.exe                                          98
  PID 4404 wrote to memory of 4388     4404  28ab10.exe                                          98
Processes

1. C:\Users\Admin\AppData\Local\Temp\fdde02ffc0c11e37597f16e75443951c_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\fdde02ffc0c11e37597f16e75443951c_JaffaCakes118.exe"
   PID: 4832
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\28ab10.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\28ab10.exe" "C:\Users\Admin\AppData\Local\Temp\fdde02ffc0c11e37597f16e75443951c_JaffaCakes118.exe"
      PID: 4404
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe
         Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6439.bat" "C:\Users\Admin\AppData\Local\Temp\28ab10.exe""
         PID: 4388
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 208KB
  MD5: e8c1ea2e33714a9942bd7bd5105a6c64
  SHA1: 56858752a3e7b4f846ce49146e676d01d019bc0c
  SHA256: dd7dda339fc61d094f1f1f92460695ffb1da3ba40ae7677e09df2f079fa4e8bf
  SHA512: a82cbbb887e8e392fa889987dbd0cdbb036b6d6a521a6186323fab4fd1859340f3eb68eefdeca80bdc33940183c1218e5d15e3cf992f4ecfa11204a0235c2e87

- Filesize: 205B
  MD5: af942e21a17f04903c52cb28a9b89542
  SHA1: ebcfe47bad384564346db4141d26e3e68f9f984f
  SHA256: c62a90b84dac61f74122f6eaa01665155a18b28a68b799a963f8a877194f922d
  SHA512: 790decec1485e8fc42c3ee09a3e871ee95fdf2bf2e5f15556de0a5b5db2106114d79206acf2dcf3e7c0dbe9df7b1298e0b3f7247a34d9d3bd9f296cc9b61211a