Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/06/2024, 00:13
Static task: static1
Behavioral task: behavioral1
  Sample: 181366d1498ac747f07f0bb05122f209_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 181366d1498ac747f07f0bb05122f209_JaffaCakes118.exe
  Resource: win10v2004-20240611-en
General
Target: 181366d1498ac747f07f0bb05122f209_JaffaCakes118.exe
Size: 1.1MB
MD5: 181366d1498ac747f07f0bb05122f209
SHA1: 803f6a776f4171ddf425e85c52204c04e1d7ae5b
SHA256: 5561e38e23520ee0e034c9ecd94fcf73eed03216a1b458c118704515941528dc
SHA512: 7cb1a9e64119bdb389dc57dc69379ffeb3398e07920d5598ffe9ade59a7951d44ad8920b83396cdc0ed8682f853f2243393866f9581f86da7008887b04353039
SSDEEP: 6144:BZu9i2ZPJWxEgSgKyHbSkGhO9i2ZPJWxEgSgKyHbSkGhXb9i2ZPJWxEgSgKyHbSr:TEeDSUSkeDSUSXxeDSUS
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description         ioc                                                                                                  Process
  Key value queried   \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation   181366d1498ac747f07f0bb05122f209_JaffaCakes118.exe

Executes dropped EXE (2 IoCs)
  pid    Process
  2512   BFile1.exe
  2116   BFile2.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
  pid    pid_target   Process        procid_target
  4320   2512         WerFault.exe   85

Suspicious use of WriteProcessMemory (5 IoCs)
  description                        pid    Process                                              procid_target
  PID 1200 wrote to memory of 2512   1200   181366d1498ac747f07f0bb05122f209_JaffaCakes118.exe   85
  PID 1200 wrote to memory of 2512   1200   181366d1498ac747f07f0bb05122f209_JaffaCakes118.exe   85
  PID 1200 wrote to memory of 2512   1200   181366d1498ac747f07f0bb05122f209_JaffaCakes118.exe   85
  PID 1200 wrote to memory of 2116   1200   181366d1498ac747f07f0bb05122f209_JaffaCakes118.exe   86
  PID 1200 wrote to memory of 2116   1200   181366d1498ac747f07f0bb05122f209_JaffaCakes118.exe   86
Processes

C:\Users\Admin\AppData\Local\Temp\181366d1498ac747f07f0bb05122f209_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\181366d1498ac747f07f0bb05122f209_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1200

    C:\Users\Admin\AppData\Local\Temp\BFile1.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\BFile1.exe"
      - Executes dropped EXE
      PID:2512

        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 488
          - Program crash
          PID:4320

    C:\Users\Admin\AppData\Local\Temp\BFile2.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\BFile2.exe"
      - Executes dropped EXE
      PID:2116

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2512 -ip 2512
  PID:1220
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 7KB
MD5: d999da3bbc30e21d4c86c6c5b6dc7826
SHA1: 95d67e5a5b7bcb386f6ba197e5c708f9fe6d67b3
SHA256: fd1f9e684b72262cf964f5d1d8961103d8f35a6c4f4e8c4588f26d7c51ee89f2
SHA512: 38ca2df0ebd05128368c09a374085086a1c3894e03a9a947a8ffa0d82766e70acb8ec3fbf807ca34d8b2568595cefa1d72cf7a823d92f0cbd509263b46fe5cad

Filesize: 1.1MB
MD5: 0ec934b0c3fa5ae5725c143cc40d6662
SHA1: e6c8d009d77e833d5fba614d18235bb1d4d48e48
SHA256: e7350e1b83ce8b46848ad91cd4479c34c032a64b5c5b9ecfa471419a3c70780a
SHA512: 1597d62331fc8649b42a2e04123b540f8182c702f14c71c84cb4ae9346649e33502af02505f5d4a2e1c58156dbd53afa9a3b33347e667fc411a2c692e02eefc1