Analysis
- max time kernel: 108s
- max time network: 124s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28/04/2024, 08:52
Static task
- static1
Behavioral task
- behavioral1
  - Sample: 04d1391971c911a6e9e33780fc6fea34_JaffaCakes118.exe
  - Resource: win7-20240221-en
Behavioral task
- behavioral2
  - Sample: 04d1391971c911a6e9e33780fc6fea34_JaffaCakes118.exe
  - Resource: win10v2004-20240419-en
General
- Target: 04d1391971c911a6e9e33780fc6fea34_JaffaCakes118.exe
- Size: 92KB
- MD5: 04d1391971c911a6e9e33780fc6fea34
- SHA1: f43a1618ffbd8c5cbf550af0697785e2d09c4156
- SHA256: e4dfe909e51a9b9724dbe4c2ddb4c5b92fc59bcd83e8d8955c4a997227edf80c
- SHA512: 65bd6324acdaad4d19e234afcde7049d0352493b06edd639848e800242ed466807bb24f505ff4f712cdb2b6ad37b21b0f699015a098584da3acce34b789ecfd9
- SSDEEP: 1536:veIAxtMMjEJzW2r27usjy3RwrhUc+bEjyuPu6kLaL746F+ZZnvHumdHE:XAxtrYBW2wfjy3RwdZ+E
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  - Key value queried: \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation (process: 04d1391971c911a6e9e33780fc6fea34_JaffaCakes118.exe)
- Deletes itself (1 IoC)
  - PID 2808, WScript.exe (running C:\7934.vbs, launched by the sample; see the process tree below)
- Executes dropped EXE (3 IoCs)
  - PID 1788, Wawuaug.exe
  - PID 4556, Wawuaug.exe
  - PID 2500, Wawuaug.exe
- Drops file in Program Files directory (2 IoCs)
  - File created: C:\Program Files (x86)\Microsoft Tntmib\Wawuaug.exe (process: 04d1391971c911a6e9e33780fc6fea34_JaffaCakes118.exe)
  - File opened for modification: C:\Program Files (x86)\Microsoft Tntmib\Wawuaug.exe (process: 04d1391971c911a6e9e33780fc6fea34_JaffaCakes118.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  - PID 3908, WerFault.exe; target PID 1788 (procid_target 88)
- Modifies registry class (1 IoC)
  - Key created: \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings (process: 04d1391971c911a6e9e33780fc6fea34_JaffaCakes118.exe)
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  - PID 1524, 04d1391971c911a6e9e33780fc6fea34_JaffaCakes118.exe (4 hits)
  - PID 1788, Wawuaug.exe (2 hits)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  - Token: SeDebugPrivilege; PID 1788, Wawuaug.exe (2 hits)
- Suspicious use of WriteProcessMemory (9 IoCs)
  - PID 1788 (Wawuaug.exe) wrote to memory of PID 4556 (procid_target 89), 3 hits
  - PID 1788 (Wawuaug.exe) wrote to memory of PID 2500 (procid_target 90), 3 hits
  - PID 1524 (04d1391971c911a6e9e33780fc6fea34_JaffaCakes118.exe) wrote to memory of PID 2808 (procid_target 93), 3 hits
  Each target is a child the writing process itself started, so these hits are consistent with ordinary process start-up rather than injection into a pre-existing process; treat the dropped-file, self-deletion and SeDebugPrivilege signatures as the stronger indicators here.
Processes
- C:\Users\Admin\AppData\Local\Temp\04d1391971c911a6e9e33780fc6fea34_JaffaCakes118.exe (PID 1524)
  Command line: "C:\Users\Admin\AppData\Local\Temp\04d1391971c911a6e9e33780fc6fea34_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WScript.exe (PID 2808)
    Command line: "C:\Windows\System32\WScript.exe" "C:\7934.vbs"
    - Deletes itself
- C:\Program Files (x86)\Microsoft Tntmib\Wawuaug.exe (PID 1788)
  Command line: "C:\Program Files (x86)\Microsoft Tntmib\Wawuaug.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft Tntmib\Wawuaug.exe (PID 4556)
    Command line: "C:\Program Files (x86)\Microsoft Tntmib\Wawuaug.exe" Win7
    - Executes dropped EXE
  - C:\Program Files (x86)\Microsoft Tntmib\Wawuaug.exe (PID 2500)
    Command line: "C:\Program Files (x86)\Microsoft Tntmib\Wawuaug.exe" Win7
    - Executes dropped EXE
  - C:\Windows\SysWOW64\WerFault.exe (PID 3908)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 432
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 1324)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1788 -ip 1788

Note that WScript.exe and WerFault.exe run from SysWOW64 even though the command line names System32: the sample and Wawuaug.exe are 32-bit processes, so WOW64 file-system redirection resolves System32 to SysWOW64 for them. The report does not record which process launched Wawuaug.exe (PID 1788); it appears as a top-level process.
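The behaviours recorded above (geofence registry read, executable dropped under Program Files, self-deletion via a drive-root .vbs, and execution of the dropped file) can be turned into hunting rules over process, file and registry telemetry. The block below is an added example, not tria.ge's detection logic or anything from the sample: the events are constructed to mirror this report's process tree and IoCs, the field names (type, pid, image, parent_image, command_line, target), the parent of the top-level processes, and the msiexec control event are assumptions.

```python
"""Hunting rules for the behaviours this report records, run over constructed
sandbox-style events (not tria.ge telemetry). Assumed event fields:
type, pid, image, parent_image, command_line, target."""
import re
from typing import NamedTuple


class Finding(NamedTuple):
    rule: str
    pid: int
    image: str
    detail: str


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Paths a standard user can write to without elevation.
USER_WRITABLE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\", re.I)
# An .exe landing anywhere under Program Files / Program Files (x86).
PROGRAM_FILES_EXE = re.compile(r"^[A-Za-z]:\\Program Files( \(x86\))?\\.+\.exe$", re.I)
# A script sitting directly in a drive root, e.g. C:\7934.vbs (no sub-directory).
ROOT_SCRIPT = re.compile(r'"?([A-Za-z]:\\[^\\"]+\.(?:vbs|vbe|js|jse|wsf))"?', re.I)
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_geo_nation_query(ev):
    """Geofence check: a user-profile binary reads the configured country code."""
    if ev["type"] != "registry_query" or not GEO_NATION.search(ev["target"]):
        return None
    if not USER_WRITABLE.match(ev["image"]):
        return None
    return Finding("geo_nation_query", ev["pid"], ev["image"], ev["target"])


def rule_exe_dropped_in_program_files(ev):
    """Persistence staging: a Temp/AppData process writes an .exe under Program Files."""
    if ev["type"] != "file_create" or not PROGRAM_FILES_EXE.match(ev["target"]):
        return None
    if not USER_WRITABLE.match(ev["image"]):
        return None
    return Finding("exe_dropped_in_program_files", ev["pid"], ev["image"], ev["target"])


def rule_script_host_root_script(ev):
    """Self-deletion helper: a Temp/AppData process runs WScript on a drive-root script."""
    if ev["type"] != "process_create" or basename(ev["image"]) not in SCRIPT_HOSTS:
        return None
    m = ROOT_SCRIPT.search(ev["command_line"])
    if not m or not USER_WRITABLE.match(ev.get("parent_image", "")):
        return None
    return Finding("script_host_root_script", ev["pid"], ev["image"], m.group(1))


RULES = (rule_geo_nation_query, rule_exe_dropped_in_program_files, rule_script_host_root_script)


def hunt(events):
    """Apply the stateless rules in order, then correlate: any later process_create
    whose image is a path flagged by exe_dropped_in_program_files is an
    'executes dropped EXE' finding, regardless of who launched it."""
    findings, dropped = [], set()
    for ev in events:
        for rule in RULES:
            f = rule(ev)
            if f:
                findings.append(f)
                if f.rule == "exe_dropped_in_program_files":
                    dropped.add(f.detail.lower())
        if ev["type"] == "process_create" and ev["image"].lower() in dropped:
            findings.append(Finding("executes_dropped_exe", ev["pid"], ev["image"], ev["command_line"]))
    return findings


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\04d1391971c911a6e9e33780fc6fea34_JaffaCakes118.exe"
DROP = r"C:\Program Files (x86)\Microsoft Tntmib\Wawuaug.exe"
SID = "S-1-5-21-2818691465-3043947619-2475182763-1000"

# Constructed events mirroring the report; the explorer.exe parents and the
# msiexec control event are assumptions made for this example.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 1524, "image": SAMPLE, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": f'"{SAMPLE}"'},
    {"type": "registry_query", "pid": 1524, "image": SAMPLE,
     "target": "\\REGISTRY\\USER\\" + SID + "\\Control Panel\\International\\Geo\\Nation"},
    {"type": "file_create", "pid": 1524, "image": SAMPLE, "target": DROP},
    {"type": "process_create", "pid": 2808, "image": r"C:\Windows\SysWOW64\WScript.exe", "parent_image": SAMPLE,
     "command_line": r'"C:\Windows\System32\WScript.exe" "C:\7934.vbs"'},
    {"type": "process_create", "pid": 1788, "image": DROP, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": f'"{DROP}"'},
    {"type": "process_create", "pid": 4556, "image": DROP, "parent_image": DROP, "command_line": f'"{DROP}" Win7'},
    {"type": "process_create", "pid": 3908, "image": r"C:\Windows\SysWOW64\WerFault.exe", "parent_image": DROP,
     "command_line": r"C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 432"},
    # Benign control: an installer writing to Program Files must not fire.
    {"type": "file_create", "pid": 600, "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"C:\Program Files\Vendor\app.exe"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.rule:30} pid={f.pid:<5} {f.detail}")
```

The correlation step is what separates "an installer wrote to Program Files" from this report's chain: only a path that a user-writable process dropped is tracked, so the WerFault.exe crash handler and the msiexec control event produce nothing, while both Wawuaug.exe launches (PID 1788 and its child 4556) are flagged even though the report shows PID 1788 without a recorded parent.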
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 500B
  - MD5: 782aabe9e7bf63a2be014e3d077420f6
  - SHA1: 8f6119e94496de6ecc7c23649575e6e730f8bde3
  - SHA256: 3ce58f41ca21d6c06a84546edd4e8e4ff57868b7df445569a81518648f3278c8
  - SHA512: cb8ae4caa417216156353dc375f8f217637277c4a1cc19f0f5d2de1bd1b91bc4433a35f16de2fef3a4fb3ca6928200b051ec5d42afe9a16e700d501ee42d82b6
- Filesize: 92KB (hashes identical to the submitted sample)
  - MD5: 04d1391971c911a6e9e33780fc6fea34
  - SHA1: f43a1618ffbd8c5cbf550af0697785e2d09c4156
  - SHA256: e4dfe909e51a9b9724dbe4c2ddb4c5b92fc59bcd83e8d8955c4a997227edf80c
  - SHA512: 65bd6324acdaad4d19e234afcde7049d0352493b06edd639848e800242ed466807bb24f505ff4f712cdb2b6ad37b21b0f699015a098584da3acce34b789ecfd9