Analysis
max time kernel: 141s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/05/2024, 17:52
Static task: static1
Behavioral task: behavioral1
  Sample: 6819ce09b270a28e08a5590b948e16b4_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 6819ce09b270a28e08a5590b948e16b4_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: 6819ce09b270a28e08a5590b948e16b4_JaffaCakes118.exe
Size: 324KB
MD5: 6819ce09b270a28e08a5590b948e16b4
SHA1: 92b39821d7a830ce84869cd7bee27b21e1018f01
SHA256: 505c40ffdc403b89f93a184d911fd460773f5d8aa6a1031df6495e36034f66ad
SHA512: 9a087248e7e92a5ca25a369c15b658d3307e76f2c68e9605c61b7d28698c1969b8a8114b0ac7b880f856928362b05d10a77e3742f02b56218b3c8a9a7533b9f0
SSDEEP: 6144:zdbZ0IeJxHwJfZHcDK0PDLygCexEyqRKxRVwX0Fkukez5il2+d:zjFe7wlOK0PyqEysowl
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | 6819ce09b270a28e08a5590b948e16b4_JaffaCakes118.exe

Executes dropped EXE (3 IoCs)
  pid | Process
  4976 | տըռբբտհ.exe
  4604 | տըռբբտհ.exe
  792 | տըռբբտհ.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeTcbPrivilege | 792 | տըռբբտհ.exe

Suspicious use of WriteProcessMemory (14 IoCs)
  description | pid | Process | procid_target
  PID 4140 wrote to memory of 4976 | 4140 | 6819ce09b270a28e08a5590b948e16b4_JaffaCakes118.exe | 92
  PID 4140 wrote to memory of 4976 | 4140 | 6819ce09b270a28e08a5590b948e16b4_JaffaCakes118.exe | 92
  PID 4140 wrote to memory of 4976 | 4140 | 6819ce09b270a28e08a5590b948e16b4_JaffaCakes118.exe | 92
  PID 4976 wrote to memory of 4604 | 4976 | տըռբբտհ.exe | 93
  PID 4976 wrote to memory of 4604 | 4976 | տըռբբտհ.exe | 93
  PID 4976 wrote to memory of 4604 | 4976 | տըռբբտհ.exe | 93
  PID 4604 wrote to memory of 3560 | 4604 | տըռբբտհ.exe | 94
  PID 4604 wrote to memory of 3560 | 4604 | տըռբբտհ.exe | 94
  PID 4604 wrote to memory of 3560 | 4604 | տըռբբտհ.exe | 94
  PID 4604 wrote to memory of 3560 | 4604 | տըռբբտհ.exe | 94
  PID 792 wrote to memory of 4960 | 792 | տըռբբտհ.exe | 105
  PID 792 wrote to memory of 4960 | 792 | տըռբբտհ.exe | 105
  PID 792 wrote to memory of 4960 | 792 | տըռբբտհ.exe | 105
  PID 792 wrote to memory of 4960 | 792 | տըռբբտհ.exe | 105

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (indented by parent/child depth)

C:\Users\Admin\AppData\Local\Temp\6819ce09b270a28e08a5590b948e16b4_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\6819ce09b270a28e08a5590b948e16b4_JaffaCakes118.exe"
  PID: 4140
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\ProgramData\տըռբբտհ.exe
    command line: "C:\ProgramData\տըռբբտհ.exe"
    PID: 4976
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\CloudApp\տըռբբտհ.exe
      command line: C:\Users\Admin\AppData\Roaming\CloudApp\տըռբբտհ.exe
      PID: 4604
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\svchost.exe
        command line: C:\Windows\system32\svchost.exe
        PID: 3560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3720 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
  PID: 3952

C:\Users\Admin\AppData\Roaming\CloudApp\տըռբբտհ.exe
  command line: C:\Users\Admin\AppData\Roaming\CloudApp\տըռբբտհ.exe
  PID: 792
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\svchost.exe
    command line: C:\Windows\system32\svchost.exe
    PID: 4960
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 324KB
MD5: 6819ce09b270a28e08a5590b948e16b4
SHA1: 92b39821d7a830ce84869cd7bee27b21e1018f01
SHA256: 505c40ffdc403b89f93a184d911fd460773f5d8aa6a1031df6495e36034f66ad
SHA512: 9a087248e7e92a5ca25a369c15b658d3307e76f2c68e9605c61b7d28698c1969b8a8114b0ac7b880f856928362b05d10a77e3742f02b56218b3c8a9a7533b9f0