Analysis
max time kernel: 142s
max time network: 93s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/06/2024, 05:48
Static task: static1
Behavioral task: behavioral1
  Sample: 1902d2fb07fd303208824e070a491a14_JaffaCakes118.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 1902d2fb07fd303208824e070a491a14_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 1902d2fb07fd303208824e070a491a14_JaffaCakes118.exe
Size: 1.0MB
MD5: 1902d2fb07fd303208824e070a491a14
SHA1: c8d4f562bb1441188a33401c736e95c87d9fae8f
SHA256: 05d4d6d0f15dec78b1b4a418b8081b720245dd92f09fb32f4f69c6af9d39a8df
SHA512: 0a21e11de4c87b814f8817338c272ca33b51c7d9472d6bf849a9dec423eb4738eb2fd26c59f918e72f898d71c5c7383e8829391dcd2931f511e0cb16ed64200b
SSDEEP: 24576:w/Af7uuZB2MiMKLv7kLxOPdERHrqPiBfhcvLMc2h:w4CuZhiv6gP8H+4c2h
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry (Control Panel\International\Geo\Nation). Malware commonly reads this value to geofence, i.e. to refuse to run in certain countries, so the read is a likely geofence check.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation
process: 1902d2fb07fd303208824e070a491a14_JaffaCakes118.exe
Executes dropped EXE (1 IoC)
pid: 4160  process: defender.exe
yara_rule matches (3 IoCs, rule: upx)
resource: behavioral2/memory/4160-25-0x0000000000400000-0x0000000000A6C000-memory.dmp  yara_rule: upx
resource: behavioral2/memory/4160-27-0x0000000000400000-0x0000000000A6C000-memory.dmp  yara_rule: upx
resource: behavioral2/memory/4160-26-0x0000000000400000-0x00000000011C1000-memory.dmp  yara_rule: upx
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (2 IoCs)
pid: 1952  pid_target: 4160  process: WerFault.exe  procid_target: 81
pid: 4100  pid_target: 4160  process: WerFault.exe  procid_target: 81
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid: 4160  process: defender.exe  (4 identical hits)
Suspicious use of WriteProcessMemory (3 IoCs)
description: PID 4256 wrote to memory of 4160  pid: 4256  process: 1902d2fb07fd303208824e070a491a14_JaffaCakes118.exe  procid_target: 81  (3 identical hits)
Processes
C:\Users\Admin\AppData\Local\Temp\1902d2fb07fd303208824e070a491a14_JaffaCakes118.exe (PID 4256)
  command line: "C:\Users\Admin\AppData\Local\Temp\1902d2fb07fd303208824e070a491a14_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\defender.exe (PID 4160)
    command line: "C:\Users\Admin\AppData\Roaming\defender.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    C:\Windows\SysWOW64\WerFault.exe (PID 1952)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 588
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe (PID 4100)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 588
      - Program crash
C:\Windows\SysWOW64\WerFault.exe (PID 1776)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4160 -ip 4160
C:\Windows\SysWOW64\WerFault.exe (PID 1912)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4160 -ip 4160
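The behaviours the signatures and process tree above describe, turned into detection logic that runs over a hand-constructed copy of this report's data. This is an added example, not tria.ge's own code: the Process and Event types, the list of user-writable directories, the helper names and the extra "foreign write" event used in the usage note are all assumptions made here. The point worth the code is the caveat on WriteProcessMemory: a parent normally writes into a child it has just created as part of CreateProcess, so the three 4256 -> 4160 writes on this page are what process creation looks like, not injection; the classifier therefore keys on whether the writer is the target's parent. The crash linkage uses WerFault's -p argument, which on this page names the dropped defender.exe (PID 4160) in all four WerFault instances.

```python
"""Derive sandbox-report findings from a Triage-style process tree and IoCs.
Added example, not tria.ge's code: PROCESSES and EVENTS are constructed by
hand from this page, and every helper name below is invented here."""
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Process:
    pid: int
    ppid: Optional[int]  # None for a tree root
    cmdline: str

    @property
    def image(self) -> str:
        # Image paths on this page contain no spaces: first token is the exe.
        return self.cmdline.split(" ", 1)[0].strip('"')

@dataclass(frozen=True)
class Event:
    kind: str                     # "regkey_query" or "write_memory"
    pid: int                      # acting process
    detail: str = ""              # registry path for regkey_query
    target: Optional[int] = None  # written-to pid for write_memory

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\1902d2fb07fd303208824e070a491a14_JaffaCakes118.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\defender.exe"
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"
GEO_KEY = (r"\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000"
           r"\Control Panel\International\Geo\Nation")
PROCESSES = [  # constructed from the page's process tree
    Process(4256, None, SAMPLE),
    Process(4160, 4256, DROPPED),
    Process(1952, 4160, f"{WERFAULT} -u -p 4160 -s 588"),
    Process(4100, 4160, f"{WERFAULT} -u -p 4160 -s 588"),
    Process(1776, None, f"{WERFAULT} -pss -s 408 -p 4160 -ip 4160"),
    Process(1912, None, f"{WERFAULT} -pss -s 440 -p 4160 -ip 4160"),
]
EVENTS = [  # constructed from the page's signature IoCs
    Event("regkey_query", 4256, GEO_KEY),
    Event("write_memory", 4256, target=4160),
    Event("write_memory", 4256, target=4160),
    Event("write_memory", 4256, target=4160),
]
# Assumed list of directories an unprivileged user can write to.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\",
                 "\\users\\public\\", "\\programdata\\")
CRASH_TARGET = re.compile(r"(?:^|\s)-p\s+(\d+)")  # WerFault ... -p <pid>

def user_writable(path: str) -> bool:
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE)

def dropped_executables(procs):
    """Children started from a user-writable directory, as (ppid, pid, image)."""
    return [(p.ppid, p.pid, p.image)
            for p in procs if p.ppid is not None and user_writable(p.image)]

def geofence_queries(events):
    """Registry reads of the Control Panel / International / Geo / Nation value."""
    suffix = r"\control panel\international\geo\nation"
    return [e.detail for e in events
            if e.kind == "regkey_query" and e.detail.lower().endswith(suffix)]

def classify_memory_writes(procs, events):
    """Split WriteProcessMemory events into writes into a process the writer
    itself spawned (CreateProcess does this, and it is all this page shows)
    and writes into an unrelated process, which is the injection pattern."""
    by_pid = {p.pid: p for p in procs}
    own_child, foreign = [], []
    for e in events:
        if e.kind != "write_memory":
            continue
        tgt = by_pid.get(e.target)
        bucket = own_child if tgt is not None and tgt.ppid == e.pid else foreign
        bucket.append((e.pid, e.target))
    return own_child, foreign

def crashed_processes(procs):
    """PIDs that WerFault.exe was launched for, taken from its -p argument."""
    hits = [CRASH_TARGET.search(p.cmdline) for p in procs
            if p.image.lower().endswith(r"\werfault.exe")]
    return {int(m.group(1)) for m in hits if m}

def triage_findings(procs, events):
    """One dict summarising the behaviours the page's signatures describe."""
    own_child, foreign = classify_memory_writes(procs, events)
    crashed = crashed_processes(procs)
    return {
        "dropped_exes": dropped_executables(procs),
        "geofence_keys": geofence_queries(events),
        "writes_into_own_child": len(own_child),
        "writes_into_foreign_process": len(foreign),
        "crashed_dropped_exes": [p.image for p in procs
                                 if p.pid in crashed and user_writable(p.image)],
    }

if __name__ == "__main__":
    for key, value in triage_findings(PROCESSES, EVENTS).items():
        print(f"{key}: {value}")
```

Run as-is it reports one dropped executable (4256 started defender.exe from AppData\Roaming), one geofence key read, three writes into the writer's own child and none into a foreign process, and defender.exe as the dropped binary that crashed. Appending a constructed event such as Event("write_memory", 4256, target=1776) to EVENTS moves that write into the foreign bucket, because 1776 is not a child of 4256; that is the case in which the same signature would deserve an injection follow-up.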
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 928KB
MD5: aa22e20b540eb40879f1749c3c36ee0f
SHA1: 20aecb3226fc7dc485e86364b79b6fd4fc32b6a8
SHA256: c50aad64113a8b46b780ed4c8b10ead9eee0fbf7bb76caa6f8de3ca9cda6f389
SHA512: a53c9864f096b742556cd54c5f8f4824054f8139ee9e63d0b7b0afce612e9548da742eed355adfc27a6419912fa0e3e34297a395810d899fd5a398a7348f965c