Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 147s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/06/2024, 09:01
Static task: static1
Behavioral task: behavioral1
  Sample: 0797ae480b07fb4e00b16482cf5435cb_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 0797ae480b07fb4e00b16482cf5435cb_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 0797ae480b07fb4e00b16482cf5435cb_JaffaCakes118.exe
Size: 144KB
MD5: 0797ae480b07fb4e00b16482cf5435cb
SHA1: 51b2a74528a90c5c8a0d7eaa12818c29607655b0
SHA256: edbc8c0273fe91bd2217bed8087f2718d5b429623c802ce96dbf68f9a4998010
SHA512: cf568aa872625fa5eafb9abfcd824899118adaa01b8dcb263888b9367b7b9dddf8041e0d2e65e6a5fd3701c8281b3b59c5da13d598836a258bd1cf06c9094651
SSDEEP: 1536:qiUQf1OdalnaYJy8PNigFfaGZp78lbcuZ/+J07:qiUmOEdvTNVfaGZp78lwuUW7
Malware Config
Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | 0797ae480b07fb4e00b16482cf5435cb_JaffaCakes118.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | jusched.exe

Executes dropped EXE (2 IoCs)
  pid | Process
  2240 | jusched.exe
  2936 | jusched.exe

Unexpected DNS network traffic destination (5 IoCs)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  description | ioc
  Destination IP | 46.28.107.10 (reported 5 times)

Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\E4M7C2YgV.com | 0797ae480b07fb4e00b16482cf5435cb_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\E4M7C2YgV.com.b | 0797ae480b07fb4e00b16482cf5435cb_JaffaCakes118.exe

Suspicious use of SetThreadContext (2 IoCs)
  description | pid | Process | procid_target
  PID 4612 set thread context of 3168 | 4612 | 0797ae480b07fb4e00b16482cf5435cb_JaffaCakes118.exe | 80
  PID 2240 set thread context of 2936 | 2240 | jusched.exe | 82

Drops file in Program Files directory (3 IoCs)
  description | ioc | Process
  File created | C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | 0797ae480b07fb4e00b16482cf5435cb_JaffaCakes118.exe
  File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | 0797ae480b07fb4e00b16482cf5435cb_JaffaCakes118.exe
  File created | C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe.b | 0797ae480b07fb4e00b16482cf5435cb_JaffaCakes118.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  3168 | 0797ae480b07fb4e00b16482cf5435cb_JaffaCakes118.exe
  3168 | 0797ae480b07fb4e00b16482cf5435cb_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  4612 | 0797ae480b07fb4e00b16482cf5435cb_JaffaCakes118.exe
  2240 | jusched.exe

Suspicious use of WriteProcessMemory (24 IoCs)
  description | pid | Process | procid_target
  PID 4612 wrote to memory of 3168 | 4612 | 0797ae480b07fb4e00b16482cf5435cb_JaffaCakes118.exe | 80 (9 entries)
  PID 3168 wrote to memory of 2240 | 3168 | 0797ae480b07fb4e00b16482cf5435cb_JaffaCakes118.exe | 81 (3 entries)
  PID 2240 wrote to memory of 2936 | 2240 | jusched.exe | 82 (9 entries)
  PID 2936 wrote to memory of 1572 | 2936 | jusched.exe | 83 (3 entries)
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\0797ae480b07fb4e00b16482cf5435cb_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0797ae480b07fb4e00b16482cf5435cb_JaffaCakes118.exe"
  PID: 4612
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Local\Temp\0797ae480b07fb4e00b16482cf5435cb_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0797ae480b07fb4e00b16482cf5435cb_JaffaCakes118.exe"
    PID: 3168
    - Checks computer location settings
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
      Command line: "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" DEL:C:\Users\Admin\AppData\Local\Temp\0797ae480b07fb4e00b16482cf5435cb_JaffaCakes118.exe
      PID: 2240
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      Level 4: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
        Command line: "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
        PID: 2936
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

        Level 5: C:\Program Files (x86)\Common Files\Java\Java Update\jusched .exe
          Command line: "C:\Program Files (x86)\Common Files\Java\Java Update\jusched .exe" "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
          PID: 1572
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 144KB
MD5: 4be2f12dbc5fc87e7f0542c1668b954b
SHA1: 4f98042231f55b3ff5dd013c80437a2198968cd4
SHA256: 048e099fb5a336bee01a8d92eeab089e444ef053946fafe4f1b93cc1de2473f6
SHA512: 92c069d2c03440398d2c867f4c09c5059c7b21837b309892441cce7f448b48116cd4516fd8b032145e62016721dee2a6befe64a219271826bce71938fd696cd0