Analysis
max time kernel: 144s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/06/2024, 15:09
Static task: static1
Behavioral task: behavioral1
  Sample: 0e8623af5c2a207bb64f8b73281dfc58_JaffaCakes118.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 0e8623af5c2a207bb64f8b73281dfc58_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: 0e8623af5c2a207bb64f8b73281dfc58_JaffaCakes118.exe
Size: 271KB
MD5: 0e8623af5c2a207bb64f8b73281dfc58
SHA1: bf95b139f0c71886c37458f23de262f113f53d07
SHA256: d6944484a7c809917dcde9961241f91c302d844ecdf939912004ffcb4c29c5fc
SHA512: 1c9adbd4f9093abb65b77b8e4ba63118183b82319375431a386d50ac4b59ccd7068f14d793f2b9bc404182670e323ed800da0a2fc3185520eefaf2b4d3c079d0
SSDEEP: 6144:sguJ1x2TCiqsue1D/xyV/JjVCsP+k7DuntNMn:UJ1x2TCiq1e1D/xyV/lfX6tNM
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation
  process: 0e8623af5c2a207bb64f8b73281dfc58_JaffaCakes118.exe
Executes dropped EXE (1 IoC)
  pid: 5616, process: pqojqecrw.exe
Loads dropped DLL (1 IoC)
  pid: 5616, process: pqojqecrw.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Kills process with taskkill (1 IoC)
  pid: 1956, process: taskkill.exe
Runs ping.exe (1 TTP, 1 IoC)
  pid: 2016, process: PING.EXE
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid: 5616, process: pqojqecrw.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege, pid: 1956, process: taskkill.exe
Suspicious use of FindShellTrayWindow (3 IoCs)
  pid: 5616, process: pqojqecrw.exe
  pid: 5616, process: pqojqecrw.exe
  pid: 5616, process: pqojqecrw.exe
Suspicious use of SendNotifyMessage (3 IoCs)
  pid: 5616, process: pqojqecrw.exe
  pid: 5616, process: pqojqecrw.exe
  pid: 5616, process: pqojqecrw.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | process | procid_target
  PID 5012 wrote to memory of 4700 | 5012 | 0e8623af5c2a207bb64f8b73281dfc58_JaffaCakes118.exe | 91
  PID 5012 wrote to memory of 4700 | 5012 | 0e8623af5c2a207bb64f8b73281dfc58_JaffaCakes118.exe | 91
  PID 5012 wrote to memory of 4700 | 5012 | 0e8623af5c2a207bb64f8b73281dfc58_JaffaCakes118.exe | 91
  PID 4700 wrote to memory of 1956 | 4700 | cmd.exe | 93
  PID 4700 wrote to memory of 1956 | 4700 | cmd.exe | 93
  PID 4700 wrote to memory of 1956 | 4700 | cmd.exe | 93
  PID 4700 wrote to memory of 2016 | 4700 | cmd.exe | 95
  PID 4700 wrote to memory of 2016 | 4700 | cmd.exe | 95
  PID 4700 wrote to memory of 2016 | 4700 | cmd.exe | 95
  PID 4700 wrote to memory of 5616 | 4700 | cmd.exe | 96
  PID 4700 wrote to memory of 5616 | 4700 | cmd.exe | 96
  PID 4700 wrote to memory of 5616 | 4700 | cmd.exe | 96
Processes
C:\Users\Admin\AppData\Local\Temp\0e8623af5c2a207bb64f8b73281dfc58_JaffaCakes118.exe (PID 5012)
  command line: "C:\Users\Admin\AppData\Local\Temp\0e8623af5c2a207bb64f8b73281dfc58_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (PID 4700)
    command line: "C:\Windows\System32\cmd.exe" /c taskkill /f /pid 5012 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\0e8623af5c2a207bb64f8b73281dfc58_JaffaCakes118.exe" & start C:\Users\Admin\AppData\Local\PQOJQE~1.EXE -f
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\taskkill.exe (PID 1956)
      command line: taskkill /f /pid 5012
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\PING.EXE (PID 2016)
      command line: ping -n 3 127.1
      - Runs ping.exe
    C:\Users\Admin\AppData\Local\pqojqecrw.exe (PID 5616)
      command line: C:\Users\Admin\AppData\Local\PQOJQE~1.EXE -f
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3784)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1324 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 271KB
MD5: 0e8623af5c2a207bb64f8b73281dfc58
SHA1: bf95b139f0c71886c37458f23de262f113f53d07
SHA256: d6944484a7c809917dcde9961241f91c302d844ecdf939912004ffcb4c29c5fc
SHA512: 1c9adbd4f9093abb65b77b8e4ba63118183b82319375431a386d50ac4b59ccd7068f14d793f2b9bc404182670e323ed800da0a2fc3185520eefaf2b4d3c079d0