Analysis
- max time kernel: 137s
- max time network: 110s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16/05/2024, 17:09
Static task
- static1
Behavioral task behavioral1
- Sample: 4c2899e3612b47b1857660cc1c143337_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task behavioral2
- Sample: 4c2899e3612b47b1857660cc1c143337_JaffaCakes118.exe
- Resource: win10v2004-20240426-en
General
- Target: 4c2899e3612b47b1857660cc1c143337_JaffaCakes118.exe
- Size: 1.1MB
- MD5: 4c2899e3612b47b1857660cc1c143337
- SHA1: 5574d0e42e8ab7d37457e5367538b835fb39f702
- SHA256: 16f84f42ff2c8d125ee12064df2e56258ff5c6631657ea82b5152d1abf436a7c
- SHA512: 7ea8c8a96c3f9cfc5be513de13efdc03d6d8ebd12560cc9664cdbaa4930ab870a6122333fc6a9eb00de91b494f9a60192400058fa187c647e8c821d74e695cbd
- SSDEEP: 24576:DtUf7HUexbctvDygPwXyseJkQOgmfhaXy/d3iC:hUjHFg4SOvhai/d3iC
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation (process: 4c2899e3612b47b1857660cc1c143337_JaffaCakes118.exe)

Executes dropped EXE (2 IoCs)
- PID 2036: starter.exe
- PID 4024: ArcadeYum.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: ArcadeYum.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (process: ArcadeYum.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: ArcadeYum.exe)

Enumerates system info in registry (2 TTPs, 2 IoCs)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (process: ArcadeYum.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct (process: ArcadeYum.exe)

Suspicious behavior: EnumeratesProcesses (3 IoCs)
- PID 1920: 4c2899e3612b47b1857660cc1c143337_JaffaCakes118.exe (2 events)
- PID 4024: ArcadeYum.exe (1 event)

Suspicious use of AdjustPrivilegeToken (1 IoC)
- Token: SeDebugPrivilege, PID 4024 (ArcadeYum.exe)

Suspicious use of SetWindowsHookEx (2 IoCs)
- PID 4024: ArcadeYum.exe (2 events)

Suspicious use of WriteProcessMemory (6 IoCs)
- PID 1920 (4c2899e3612b47b1857660cc1c143337_JaffaCakes118.exe) wrote to memory of PID 2036, procid_target 83 (3 events)
- PID 1920 (4c2899e3612b47b1857660cc1c143337_JaffaCakes118.exe) wrote to memory of PID 4024, procid_target 86 (3 events)
Both targets are the children the sample itself spawned (PIDs 2036 and 4024); parent-to-child writes are routinely seen at process start, so here the signature mainly confirms the parent/child relationship rather than showing injection into an unrelated process.
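The three registry signatures above (Geo\Nation, CentralProcessor\0, BIOS\BaseBoardProduct) are the raw material for a host-fingerprinting detection. The following Python is an added example, not part of the Triage report: it turns those IoC rows into a small detection pass that normalises the kernel-style key paths, masks the per-user SID so one rule covers every user hive, and groups matching reads per process. The EVENTS list is built from the rows above plus one constructed benign read (marked in the code) to show a non-match; the category names, key prefixes and verdict thresholds are this example's own choices, not Triage's signature logic.

```python
"""Turn the registry IoC rows from the report into a small detection pass.

Added example, not part of the Triage report. EVENTS is built from the
signature rows above plus one constructed benign read (marked below); the
category names, key prefixes and the verdict thresholds are this example's
own choices, not Triage's signature logic.
"""
import re
from collections import defaultdict

# Kernel-style hive roots as Triage prints them, mapped to the usual short names.
ROOT_MAP = {"\\REGISTRY\\MACHINE": "HKLM", "\\REGISTRY\\USER": "HKU"}
# Domain/local account SIDs: S-1-5-21-<three sub-authorities>-<RID>.
SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-\d+$")

# Key prefixes that reveal something about the host to the sample.
FINGERPRINT_PREFIXES = {
    "geofence": "HKU\\*\\Control Panel\\International\\Geo",
    "cpu_fingerprint": "HKLM\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor",
    "firmware_fingerprint": "HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS",
}

# (operation, key path, process) exactly as listed in the signature rows above.
EVENTS = [
    ("Key value queried",
     r"\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation",
     "4c2899e3612b47b1857660cc1c143337_JaffaCakes118.exe"),
    ("Key opened", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0", "ArcadeYum.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier", "ArcadeYum.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString", "ArcadeYum.exe"),
    ("Key opened", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS", "ArcadeYum.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct", "ArcadeYum.exe"),
    # Constructed benign read, NOT in the report: shows that ordinary keys are ignored.
    ("Key value queried", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName", "ArcadeYum.exe"),
]


def normalise(path):
    """Return (path with an HKLM/HKU root and the user SID masked as '*', sid or None)."""
    upper = path.upper()
    for kernel_root, hive in ROOT_MAP.items():
        if upper.startswith(kernel_root):
            parts = path[len(kernel_root):].lstrip("\\").split("\\")
            sid = None
            if hive == "HKU" and parts and SID_RE.match(parts[0]):
                sid, parts[0] = parts[0], "*"
            return hive + "\\" + "\\".join(parts), sid
    return path, None


def categorise(path):
    """Return (category or None, sid or None) for one key path."""
    norm, sid = normalise(path)
    for category, prefix in FINGERPRINT_PREFIXES.items():
        if norm.lower().startswith(prefix.lower()):
            return category, sid
    return None, sid


def classify(events):
    """Group matching reads per process: which categories, which keys, which SIDs."""
    report = defaultdict(lambda: {"categories": set(), "keys": [], "sids": set()})
    for operation, path, process in events:
        category, sid = categorise(path)
        if category is None:
            continue  # ordinary registry traffic, not a fingerprint source
        entry = report[process]
        entry["categories"].add(category)
        entry["keys"].append(f"{operation}: {path}")
        if sid:
            entry["sids"].add(sid)
    return dict(report)


def verdict(entry):
    """Two independent hardware sources form a fingerprinting pattern; one alone is weak."""
    hardware = {"cpu_fingerprint", "firmware_fingerprint"} & entry["categories"]
    if len(hardware) >= 2:
        return "sandbox-fingerprinting"
    if "geofence" in entry["categories"]:
        return "geofence-check"
    return "weak-indicator"


if __name__ == "__main__":
    for process, entry in classify(EVENTS).items():
        print(f"{process}: {verdict(entry)} via {sorted(entry['categories'])}")
        for key in entry["keys"]:
            print("   ", key)
```

Reading CentralProcessor\0 by itself is common in legitimate installers and telemetry, so the verdict only fires on two independent hardware sources; BaseBoardProduct is the stronger of the two, since on virtual machines it typically carries the hypervisor vendor's board name. The SID recovered from the Geo\Nation path is kept separately so it can be correlated with other artefacts of the same user, such as the SID in the ArcadeYum.exe command line further down.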
Processes
- C:\Users\Admin\AppData\Local\Temp\4c2899e3612b47b1857660cc1c143337_JaffaCakes118.exe (PID 1920)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4c2899e3612b47b1857660cc1c143337_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Public\Documents\{8C1A49E6-2F7F-40E3-923F-5DE549CAF021}\starter.exe (PID 2036, child of 1920)
    Command line: "C:\Users\Public\Documents\{8C1A49E6-2F7F-40E3-923F-5DE549CAF021}\starter.exe" cHAPG5DIBUSvBpgrUIBM 936
    - Executes dropped EXE
  - C:\Users\Public\Documents\{8C1A49E6-2F7F-40E3-923F-5DE549CAF021}\ArcadeYum.exe (PID 4024, child of 1920)
    Command line: "C:\Users\Public\Documents\{8C1A49E6-2F7F-40E3-923F-5DE549CAF021}\ArcadeYum.exe" IC9UaWNrZXQ9Y0hBUEc1RElCVVN2QnBnclVJQk0gL0J1bmRsZXM9MTYzfDE0NXwxMzR8MTYyIC9PYmVyb249MSAvQnJvd3Nlcj0zIC9BZExvYz05MzYgL3RwZD1odHRwOi8vZDEuYXJjYWRleXVtLmNvbS9hai9idW5kbGUvOTM2Lz9wPVlUTTVNREU1TlRZeE1EaDQzSGM4MXB0aHVTQnpUaFljJTJCVElNeXJ2dEZWNFV0aEpSdHI5bFpMMXJGVjVGODd0Q0ZKbnRyTzFUTTVYb1M5JTJGJTJGZTlYa2EwMGFrQUh6cXd5R2JlR2IgL29wdGltaXplR0M9MCAvdXNlck5hbWU9QWRtaW4gL3VzZXJTSUQ9Uy0xLTUtMjEtMzU3MTMxNjY1Ni0zNjY1MjU3NzI1LTI0MTU1MzE4MTItMTAwMAo=
    - Executes dropped EXE
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
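The long argument passed to ArcadeYum.exe in the process tree above is base64. The following Python is an added example, not part of the Triage report: it decodes that argument, splits the result into its switches, and cross-checks the decoded values against two other artefacts on this page, the arguments given to starter.exe and the SID in the Geo\Nation registry path. The `/Key=Value` switch layout is inferred from the decoded text; nothing on the page documents ArcadeYum's own argument parser, so that is an assumption of the example.

```python
"""Decode the base64 argument handed to ArcadeYum.exe and cross-check it
against the rest of the report.

Added example, not part of the Triage report. The inputs are copied from the
process tree and signature rows above; the ``/Key=Value`` switch layout is
inferred from the decoded text (ArcadeYum's own parser is not documented on
the page, so this is an assumption).
"""
import base64
from urllib.parse import urlsplit

# Verbatim from the ArcadeYum.exe command line (PID 4024) in the process tree.
ARCADEYUM_ARG = (
    "IC9UaWNrZXQ9Y0hBUEc1RElCVVN2QnBnclVJQk0gL0J1bmRsZXM9MTYzfDE0NXwxMzR8MTYyIC9PYmVyb249MSAvQnJvd3Nlcj0z"
    "IC9BZExvYz05MzYgL3RwZD1odHRwOi8vZDEuYXJjYWRleXVtLmNvbS9hai9idW5kbGUvOTM2Lz9wPVlUTTVNREU1TlRZeE1EaDQz"
    "SGM4MXB0aHVTQnpUaFljJTJCVElNeXJ2dEZWNFV0aEpSdHI5bFpMMXJGVjVGODd0Q0ZKbnRyTzFUTTVYb1M5JTJGJTJGZTlYa2Ew"
    "MGFrQUh6cXd5R2JlR2IgL29wdGltaXplR0M9MCAvdXNlck5hbWU9QWRtaW4gL3VzZXJTSUQ9Uy0xLTUtMjEtMzU3MTMxNjY1Ni0z"
    "NjY1MjU3NzI1LTI0MTU1MzE4MTItMTAwMAo="
)
# Verbatim from the starter.exe command line (PID 2036): "<ticket> 936".
STARTER_ARGS = ["cHAPG5DIBUSvBpgrUIBM", "936"]
# SID component of the Geo\Nation key path queried by the dropper.
GEO_KEY_SID = "S-1-5-21-3571316656-3665257725-2415531812-1000"


def decode_switches(arg):
    """Base64-decode ``arg`` and split the text into ``/Key=Value`` switches.

    Switch values in this sample contain no whitespace, so whitespace splitting
    is sufficient; ``partition`` splits on the first '=' only, so the '=' inside
    the tpd URL's query string stays part of the value.
    """
    text = base64.b64decode(arg).decode("utf-8", errors="replace")
    switches = {}
    for token in text.split():
        if token.startswith("/"):
            key, sep, value = token[1:].partition("=")
            switches[key] = value if sep else ""
    return switches


def extract_iocs(switches):
    """Pull the network and identity indicators out of the decoded switches."""
    url = urlsplit(switches.get("tpd", ""))
    return {
        "host": url.hostname,
        "path": url.path,
        "bundle_ids": [b for b in switches.get("Bundles", "").split("|") if b],
        "user": switches.get("userName"),
        "sid": switches.get("userSID"),
    }


def cross_check(switches):
    """Tie the decoded switches back to other artefacts listed in the report."""
    return {
        "ticket_matches_starter_arg": switches.get("Ticket") == STARTER_ARGS[0],
        "adloc_matches_starter_arg": switches.get("AdLoc") == STARTER_ARGS[1],
        "sid_matches_geo_lookup": switches.get("userSID") == GEO_KEY_SID,
    }


if __name__ == "__main__":
    switches = decode_switches(ARCADEYUM_ARG)
    for key, value in switches.items():
        print(f"/{key} = {value}")
    print(extract_iocs(switches))
    print(cross_check(switches))
```

The decoded text shows the dropper handing its child a ticket and bundle identifiers, an http URL on d1.arcadeyum.com, and the logged-on user's name and SID. That SID is the same one under which the Geo\Nation lookup was made, so the geofence check, the starter.exe invocation and the download URL all belong to one installer flow rather than to unrelated activity in the sandbox.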
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 883KB
  MD5: e07405c65124e2d72f0c9b306018bc90
  SHA1: f30c1ba999eadcd5bce7473a6b3686e1ea048371
  SHA256: 89ad981c161033a9465b6592c8467d565f53e2f7024ddc530a93c071a87c1951
  SHA512: fd7b3c53a407ad653052347cad109ebe5f815c13083a6b120647ac869ac971afa0993cffd2b1c4a1f7fb38cdd36e60e24ce6a646566fbb58c82bb662dbed329e
- Filesize: 231B
  MD5: ae437dea18c61477cc2f17f46fb11d01
  SHA1: 94afba8148c6072ad60c6899ed717005681e9da5
  SHA256: d8966d4c96ba3c910f86c44d6d7b6c298cc70cc3c5c61bb975861eed846b0754
  SHA512: 61ad33f07fbb65863f1eb02a14230c38766fbb5e1fe4263433ecd32375249e7af71e49f054e5f919884f5250dccf95fb6791ceeadf3c2d4cb468ba5af3e8902b
- Filesize: 74B
  MD5: 7ae5c0861d4469baaeff248a6ef1599f
  SHA1: 0124d99a8c1838c88244cae646347c4b990a5d2d
  SHA256: fd87de948e97f01f9d47c6400bd57529e53533360af36df9339e541ca14c5a2d
  SHA512: 0e9041d2ff419f393b002bf6dca0c3450ded4566ced694528ef29e46ff39a7cbdb80072b341a6e731fc031797d9b6049825b0dab0c4780c872d8c838ad705656
- Filesize: 1007KB
  MD5: e220811a7ef3de31f3ca80aed1dd7b9e
  SHA1: 9dc84732b3d2c548d6b2bf44148431303e7e0bff
  SHA256: a91308356f129901c9a07f0537a08525f788f8d78b4c406dc9abe826d13eb1b5
  SHA512: 29fe6046a3898566167d4d4a5ea8804af6da547c81013d2c0968a19c1f871fc59b873d5769ce6d85ae3a9f7f61e7b05c72b4d5a368e8f6561b3d2b8a6e21d2fa