Analysis
max time kernel: 135s
max time network: 124s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/05/2024, 02:23
Static task: static1
Behavioral task: behavioral1
  Sample: 113bced402c29231367d17be7f01784f_JaffaCakes118.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 113bced402c29231367d17be7f01784f_JaffaCakes118.exe
  Resource: win10v2004-20240419-en
General
Target: 113bced402c29231367d17be7f01784f_JaffaCakes118.exe
Size: 9KB
MD5: 113bced402c29231367d17be7f01784f
SHA1: 602dab0768b0c33c3021e9a5e1b3442efb9665b8
SHA256: e2756b61810fe92bd595f2cf3026d995f546fba651dcf033cb95cb33c7f6883a
SHA512: e16f44f82ca9f25544786a64be774bc941c7c7e7e067af891935154ecfc52caa5c3673952dae6fda2dd895b00ac1538f5c0f2148356d98e9c72b706d537e6293
SSDEEP: 192:Hym8TSrQWRIc+v2StX4Q/ZpzM79EWQOie:HxEsQWRIc8ttXd2GWQbe
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation
  Process: 113bced402c29231367d17be7f01784f_JaffaCakes118.exe
Executes dropped EXE (1 IoC)
  pid: 2124
  Process: budha.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 2924 wrote to memory of 2124 | pid: 2924 | Process: 113bced402c29231367d17be7f01784f_JaffaCakes118.exe | procid_target: 83
  description: PID 2924 wrote to memory of 2124 | pid: 2924 | Process: 113bced402c29231367d17be7f01784f_JaffaCakes118.exe | procid_target: 83
  description: PID 2924 wrote to memory of 2124 | pid: 2924 | Process: 113bced402c29231367d17be7f01784f_JaffaCakes118.exe | procid_target: 83
Processes
1. C:\Users\Admin\AppData\Local\Temp\113bced402c29231367d17be7f01784f_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\113bced402c29231367d17be7f01784f_JaffaCakes118.exe"
   PID: 2924
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\budha.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\budha.exe"
      PID: 2124
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 9KB
MD5: 90674c4ffcc82689b718dd3c0feeb405
SHA1: 88175f22b7172d64a8be08aabc11f48b64832b73
SHA256: e4a9a95f6da06919dd77d104285d0601d6bc0b82745c30b2697c9bf4f44e5e49
SHA512: f7f0cad42ac7fe4559f7477fa46ed54d1c79cd33c4931d27723a3e3a1ea00988e16df930d856705ea70c0b9dea2b9458895a2e4fee55931cf83e4ddac5168d7b