Analysis
  max time kernel: 146s
  max time network: 150s
  platform: windows10-2004_x64
  resource: win10v2004-20240611-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 24/06/2024, 18:12

Static task: static1

Behavioral task: behavioral1
  Sample: 0a0e21a4c70a1bfe6e97f39a1a79c639_JaffaCakes118.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: 0a0e21a4c70a1bfe6e97f39a1a79c639_JaffaCakes118.exe
  Resource: win10v2004-20240611-en
General
  Target: 0a0e21a4c70a1bfe6e97f39a1a79c639_JaffaCakes118.exe
  Size: 1.0MB
  MD5: 0a0e21a4c70a1bfe6e97f39a1a79c639
  SHA1: c0594ce0f3dd3b172a87618413a9219f34b71a26
  SHA256: c0905037542b6509fdc3cc5146ab6c181b1d799ab9ea01d84aec78c574e9a966
  SHA512: 40c09f46eea499da18330972d71cb9ebbaca3f71f43fd63b034fb49b4712f25435bddb3c330bd5a7aa14df4c6b037063d7a05296242158bf4044b4671708aebd
  SSDEEP: 6144:LlJVQaL9M2Jktja5Uw1VQ3QBohoh/ACdVVzS2S1iTXuKUn2X5A2tyfDvdN9RS:Zb5eEUwxAoNZdVBS2S8XuKUn2ztypZS
Malware Config
Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  description       | ioc                                                                                                            | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | 0a0e21a4c70a1bfe6e97f39a1a79c639_JaffaCakes118.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | server.exe

Executes dropped EXE (3 IoCs)
  pid  | Process
  4364 | MPG.exe
  2944 | server.exe
  3660 | winlogon.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
  description     | ioc                                                                                                                                                                                         | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\winlogon.exe" | winlogon.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (1 IoCs)
  description | ioc                                                                                                              | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | server.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description                       | pid  | Process                                            | procid_target
  PID 2152 wrote to memory of 4364  | 2152 | 0a0e21a4c70a1bfe6e97f39a1a79c639_JaffaCakes118.exe | 83
  PID 2152 wrote to memory of 4364  | 2152 | 0a0e21a4c70a1bfe6e97f39a1a79c639_JaffaCakes118.exe | 83
  PID 2152 wrote to memory of 2944  | 2152 | 0a0e21a4c70a1bfe6e97f39a1a79c639_JaffaCakes118.exe | 84
  PID 2152 wrote to memory of 2944  | 2152 | 0a0e21a4c70a1bfe6e97f39a1a79c639_JaffaCakes118.exe | 84
  PID 2152 wrote to memory of 2944  | 2152 | 0a0e21a4c70a1bfe6e97f39a1a79c639_JaffaCakes118.exe | 84
  PID 2944 wrote to memory of 3660  | 2944 | server.exe                                         | 85
  PID 2944 wrote to memory of 3660  | 2944 | server.exe                                         | 85
  PID 2944 wrote to memory of 3660  | 2944 | server.exe                                         | 85
Processes

C:\Users\Admin\AppData\Local\Temp\0a0e21a4c70a1bfe6e97f39a1a79c639_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0a0e21a4c70a1bfe6e97f39a1a79c639_JaffaCakes118.exe"
  PID: 2152
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\MPG.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\MPG.exe"
    PID: 4364
    - Executes dropped EXE

  C:\Users\Admin\AppData\Local\Temp\server.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
    PID: 2944
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Microsoft\winlogon.exe
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\winlogon.exe"
      PID: 3660
      - Executes dropped EXE
      - Adds Run key to start application
Network
MITRE ATT&CK Enterprise v15
Downloads

  Filesize: 267KB
  MD5: 7eae382c9ae3926316660c6ec8656f0e
  SHA1: 1ef1e41e0a6e5d23f1ddcde471c704c92303a982
  SHA256: b7c46d3198f75d2ae544adcf9c25e1fadefb06c8fb6656f3b72e3c4c653cbef5
  SHA512: 5dcfd1ae6db3f8bff9d88dcbef82406197b515f63dac3f540319e215924b59e6f49ce91aa28fe8dadf081150ea158bc2b69d7d51234e5ac044962b9ac29e98a5

  Filesize: 741KB
  MD5: 2a0ee7cb8a71f66a3e8a915b313d6386
  SHA1: c092193b749664a3a5aec263cded84fb59fa0802
  SHA256: 4607cd8041a9047722b8b81c3c72b53beb03decc8e1f7389fcecaca55da4ce85
  SHA512: 666fa5876161d3e3dbf964c85f7d9476ca90e9a28c5cf986f1362ab36ed5783e2d316e1f4569a1b285259d697947fd9f1431de81fd840bc3998a8d960a681e7b