Analysis
max time kernel: 133s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted: 27/06/2024, 06:46
Static task: static1
Behavioral task: behavioral1
  Sample: 150905c22aba1839292edc2a59e4b2f8_JaffaCakes118.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 150905c22aba1839292edc2a59e4b2f8_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 150905c22aba1839292edc2a59e4b2f8_JaffaCakes118.exe
Size: 14KB
MD5: 150905c22aba1839292edc2a59e4b2f8
SHA1: 22df283ac4a6b45d33f738bcf5ed1370a974448d
SHA256: 71a6f5ce884e108ee0a02d453e91beca10021ce4d56a1cea16994ce732e3de74
SHA512: 2074a83ab71afdfb936d6bf5d68515ccec8f616e78651d832c12ae04f486cafa3f459f3baf03657252083a54c9305f4e881c3c9a9c3fbfb4d1377d0b2d079801
SSDEEP: 384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYlbv:hDXWipuE+K3/SSHgxmlbv
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 6 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                  Process
  Key value queried  \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation  150905c22aba1839292edc2a59e4b2f8_JaffaCakes118.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation  DEM4BFD.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation  DEMA27A.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation  DEMF8E7.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation  DEM4F73.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation  DEMA5EF.exe
- Executes dropped EXE (6 IoCs)
  pid   Process
  4796  DEM4BFD.exe
  1536  DEMA27A.exe
  3936  DEMF8E7.exe
  3644  DEM4F73.exe
  4776  DEMA5EF.exe
  3328  DEMFC5C.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (18 IoCs)
  description                       pid   Process                                             procid_target
  PID 3860 wrote to memory of 4796  3860  150905c22aba1839292edc2a59e4b2f8_JaffaCakes118.exe  82
  PID 3860 wrote to memory of 4796  3860  150905c22aba1839292edc2a59e4b2f8_JaffaCakes118.exe  82
  PID 3860 wrote to memory of 4796  3860  150905c22aba1839292edc2a59e4b2f8_JaffaCakes118.exe  82
  PID 4796 wrote to memory of 1536  4796  DEM4BFD.exe                                         86
  PID 4796 wrote to memory of 1536  4796  DEM4BFD.exe                                         86
  PID 4796 wrote to memory of 1536  4796  DEM4BFD.exe                                         86
  PID 1536 wrote to memory of 3936  1536  DEMA27A.exe                                         93
  PID 1536 wrote to memory of 3936  1536  DEMA27A.exe                                         93
  PID 1536 wrote to memory of 3936  1536  DEMA27A.exe                                         93
  PID 3936 wrote to memory of 3644  3936  DEMF8E7.exe                                         95
  PID 3936 wrote to memory of 3644  3936  DEMF8E7.exe                                         95
  PID 3936 wrote to memory of 3644  3936  DEMF8E7.exe                                         95
  PID 3644 wrote to memory of 4776  3644  DEM4F73.exe                                         97
  PID 3644 wrote to memory of 4776  3644  DEM4F73.exe                                         97
  PID 3644 wrote to memory of 4776  3644  DEM4F73.exe                                         97
  PID 4776 wrote to memory of 3328  4776  DEMA5EF.exe                                         99
  PID 4776 wrote to memory of 3328  4776  DEMA5EF.exe                                         99
  PID 4776 wrote to memory of 3328  4776  DEMA5EF.exe                                         99
Processes
- C:\Users\Admin\AppData\Local\Temp\150905c22aba1839292edc2a59e4b2f8_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\150905c22aba1839292edc2a59e4b2f8_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 3860
  - C:\Users\Admin\AppData\Local\Temp\DEM4BFD.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM4BFD.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 4796
    - C:\Users\Admin\AppData\Local\Temp\DEMA27A.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMA27A.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 1536
      - C:\Users\Admin\AppData\Local\Temp\DEMF8E7.exe
        "C:\Users\Admin\AppData\Local\Temp\DEMF8E7.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        PID: 3936
        - C:\Users\Admin\AppData\Local\Temp\DEM4F73.exe
          "C:\Users\Admin\AppData\Local\Temp\DEM4F73.exe"
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
          PID: 3644
          - C:\Users\Admin\AppData\Local\Temp\DEMA5EF.exe
            "C:\Users\Admin\AppData\Local\Temp\DEMA5EF.exe"
            - Checks computer location settings
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory
            PID: 4776
            - C:\Users\Admin\AppData\Local\Temp\DEMFC5C.exe
              "C:\Users\Admin\AppData\Local\Temp\DEMFC5C.exe"
              - Executes dropped EXE
              PID: 3328
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 14KB
  MD5: 7695c8688d81360ee7dcd8681102760a
  SHA1: 4b49ef66c7438c1d18e571c7d3a4a47f24b14d23
  SHA256: 696c43ce3250470df1bf533dc37582042228761b1c3d208776f605598853a0be
  SHA512: 9ef125ba9e1630c5c4fde4be98fd75b7f4535d6ed2a1ae7f5b2ca3b5e3100b54da355c5f393e76f1fa52ed346284ace26383d9bfd8a66cd60feb21b3f2623349
- Filesize: 14KB
  MD5: 411588a5832869bd909f8ba840286c57
  SHA1: 08dd4411100d20e86f9805a4bfc1e67906d44e4c
  SHA256: 0ab89a28675458d9ecf3fbc4ab5508d8cb389312760ec61146b6f31cc76bedb5
  SHA512: 2eeb08b0581cf75a889d8c455f71b613e638003262932a70189826a45b3771ba87ff2359bc20421d535314bc35534f083fbafe03a59bd870b1b53722186b830e
- Filesize: 14KB
  MD5: 1d616885af36c8cb63057d637c7e871b
  SHA1: d8d25405056e5faa5218aee2d20cbdfdaf75b51a
  SHA256: 6af03e9d93f93f1e6388e583254f7ee39a43fdc2d33e7836df59ac1a8457b5bb
  SHA512: 86bf351f692b66660ca7ebf7d500749034eedc73265c75381389961d41adf2724e2812a002acb7f289a78221946ff7ccf1a83b0488ca7e09a0fa0d995ba9ef75
- Filesize: 14KB
  MD5: 2665648d61ab2c2eac9785d806c578e2
  SHA1: 47123cb47368a0f1e73960030353f31f16f20089
  SHA256: 6bd623f3e62873a240a5101205484e192f39a961b744eca9341d9d0786671c83
  SHA512: 9e3c38c56d1af721f53f6b9a7fadecff573fa833662036447f6695d91478ec1959273b4cb4f789a3175fc68586771939916cbf26b8beb06269cfa4e06860ccfd
- Filesize: 14KB
  MD5: 0ea3dd68e1f8ac42502fcde9db31f8f4
  SHA1: 30d009ad738f0d068c8116cf30d0dd7a328228e5
  SHA256: cdf95c6bf7695a159c9bc528c9e9a747e8336f7f411ab0a1b80c3e324ce66697
  SHA512: a676786df02fbaa121ff5b483239c2d2ca75731ddb87de7e117f2f1823520617462292391ed1fbe975d88f40285446230e04a69a2771a8275b0fb06ca9ed408d
- Filesize: 15KB
  MD5: 44e53b10870e06855300c51aa72836ec
  SHA1: 6fb4084619f9edf26b84db5352a505710279c685
  SHA256: fd7c70d2805c3f027d7f081c4ad5599e57e84561d25db2eabda574aeb5b173b4
  SHA512: 1b4969e9d1ac3156aa78441fe71038c40b9b7d769719e780ef64599cdb9ff3bd83d774b48183ac1db44974de16d13e13d960769e6885009e34f4aa5c71435bed