Analysis
max time kernel: 145s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/06/2024, 07:09
Static task: static1

Behavioral task: behavioral1
  Sample: 071c23ae75e84b754dcd5b6e22056d28_JaffaCakes118.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: 071c23ae75e84b754dcd5b6e22056d28_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: 071c23ae75e84b754dcd5b6e22056d28_JaffaCakes118.exe
Size: 772KB
MD5: 071c23ae75e84b754dcd5b6e22056d28
SHA1: ee3579b279cd3b6f5f555188e70c9fb459b4a958
SHA256: 27e836a494a3d63fbbc24f75ed4854f07bb3458641ba4062eb6dbf57b99a98eb
SHA512: 0e020fd7440646e5ec5ce738fe54dcf4c15427181b98e18a1e603b4f5099201286fba264d8a3de566661a7f54be50a2b958db9cd5f3d207d1ac0c598679cbf95
SSDEEP: 24576:eCxkZmvVi0FRAHgbGQjwZegfrxQU3SjZ6GPrb:eCx7V3FO9tOCSjZ6UX
Malware Config
Signatures
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | msmh.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | 071c23ae75e84b754dcd5b6e22056d28_JaffaCakes118.exe

Drops startup file (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aerff.exe | msmh.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aerff.exe | msmh.exe

Executes dropped EXE (4 IoCs)
  pid | Process
  1616 | msmh.exe
  488 | emailextractor.exe
  4988 | msmh.exe
  1728 | INS1B05.tmp

yara_rule matches (5 IoCs)
  resource | yara_rule
  behavioral2/files/0x0008000000023252-5.dat | upx
  behavioral2/memory/1616-12-0x0000000077CA0000-0x0000000077CCB000-memory.dmp | upx
  behavioral2/memory/4988-19-0x0000000077CA0000-0x0000000077CCB000-memory.dmp | upx
  behavioral2/memory/1616-20-0x0000000077CA0000-0x0000000077CCB000-memory.dmp | upx
  behavioral2/memory/4988-26-0x0000000077CA0000-0x0000000077CCB000-memory.dmp | upx

Drops file in System32 directory (1 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\gbd5.tst | msmh.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (15 IoCs)
  description | pid | Process | procid_target
  PID 3080 wrote to memory of 1616 | 3080 | 071c23ae75e84b754dcd5b6e22056d28_JaffaCakes118.exe | 90
  PID 3080 wrote to memory of 1616 | 3080 | 071c23ae75e84b754dcd5b6e22056d28_JaffaCakes118.exe | 90
  PID 3080 wrote to memory of 1616 | 3080 | 071c23ae75e84b754dcd5b6e22056d28_JaffaCakes118.exe | 90
  PID 3080 wrote to memory of 488 | 3080 | 071c23ae75e84b754dcd5b6e22056d28_JaffaCakes118.exe | 91
  PID 3080 wrote to memory of 488 | 3080 | 071c23ae75e84b754dcd5b6e22056d28_JaffaCakes118.exe | 91
  PID 3080 wrote to memory of 488 | 3080 | 071c23ae75e84b754dcd5b6e22056d28_JaffaCakes118.exe | 91
  PID 1616 wrote to memory of 4988 | 1616 | msmh.exe | 92
  PID 1616 wrote to memory of 4988 | 1616 | msmh.exe | 92
  PID 1616 wrote to memory of 4988 | 1616 | msmh.exe | 92
  PID 4988 wrote to memory of 3188 | 4988 | msmh.exe | 93
  PID 4988 wrote to memory of 3188 | 4988 | msmh.exe | 93
  PID 4988 wrote to memory of 3188 | 4988 | msmh.exe | 93
  PID 488 wrote to memory of 1728 | 488 | emailextractor.exe | 95
  PID 488 wrote to memory of 1728 | 488 | emailextractor.exe | 95
  PID 488 wrote to memory of 1728 | 488 | emailextractor.exe | 95
Processes
PID 3080: C:\Users\Admin\AppData\Local\Temp\071c23ae75e84b754dcd5b6e22056d28_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\071c23ae75e84b754dcd5b6e22056d28_JaffaCakes118.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    PID 1616: C:\Users\Admin\AppData\Local\Temp\msmh.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\msmh.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

        PID 4988: C:\Users\Admin\AppData\Local\Temp\msmh.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\msmh.exe b
            - Checks computer location settings
            - Drops startup file
            - Executes dropped EXE
            - Drops file in System32 directory
            - Suspicious use of WriteProcessMemory

            PID 3188: C:\Windows\SysWOW64\cmd.exe
                Command line: "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\msmh.exe"

    PID 488: C:\Users\Admin\AppData\Local\Temp\emailextractor.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\emailextractor.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

        PID 1728: C:\Users\Admin\AppData\Local\Temp\INS1B05.tmp
            Command line: C:\Users\Admin\AppData\Local\Temp\INS1B05.tmp /SL2 C:\Users\Admin\AppData\Local\Temp\emailextractor.exe 695216 698160 59904
            - Executes dropped EXE

PID 3308: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4244 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 309KB
MD5: 428e857334568f7c6b3d81470eafa938
SHA1: e255c1c5c9386cca77ffc19a32485777e63c1757
SHA256: 995a9d2fb234c2832f21bebd28bbf02f7400d46e188433ab105d2963b5fdd3d7
SHA512: 58c9f45eee12060f33500aabaeb919784445322bb7fbfce4909de035932fc4afde6f9506cc6154eb4362d022dde24af66368aab18297759bdb0077e5b2b47db0

Filesize: 686KB
MD5: 4b1d8cc66e1242f635630004b24485b5
SHA1: 63983c61258d46f04c41eb50d9b033127df9eb29
SHA256: 13159e26ef2c6c3ff1ed05bdd9c9fbfd7f22eb9dc4ee0c5c187b4769468355c0
SHA512: d24a7727fec154832230c549cd2eaddada3961eb86718b3870591d6bc2d26c8f687132f715065e0f793221999484e571b5e0d3b27937a6f1918a6775cf23fb02

Filesize: 73KB
MD5: 5290ea3a0b7371d6efcaf605111f5325
SHA1: 89c1876e9d515c6be25e1dc80b5a577c883e3459
SHA256: d0009dbcb51202b589b359903f1181c2ca00f5d475dfc7e8af69904cc09360b3
SHA512: 8d3a839ee106c4ac786a373b27e97665b180c75ff3bd5f3372f4f2fc0ad49b0a8b50d806a36d402282b4b523992fc6b9cb1eefea6fc24ac0b5d090286b0320d1