Analysis
max time kernel: 94s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240704-en (behavioral2)
resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/07/2024, 23:02
Static task: static1

Behavioral task: behavioral1
  Sample: 2a171268b910b9efe97d7663487603b8_JaffaCakes118.exe
  Resource: win7-20240704-en

Behavioral task: behavioral2
  Sample: 2a171268b910b9efe97d7663487603b8_JaffaCakes118.exe
  Resource: win10v2004-20240704-en
General
Target: 2a171268b910b9efe97d7663487603b8_JaffaCakes118.exe
Size: 295KB
MD5: 2a171268b910b9efe97d7663487603b8
SHA1: d55f941f0a6e9d9354c8a0f44427428c9ba7a932
SHA256: 991c02642077dbf3179f88a0364f68de9f7e5e3704dde3dec87238d779c6eaa0
SHA512: ca4b602acede37ee5ad50e3cbfacab9a5e14f0d393b3b0060d169a6e36dd182e8e515b0ceda6d791cb0eb0f330849bc935ff517c105df53fc3c279844cd349c7
SSDEEP: 6144:S2gon3w1WG6wPTqbhJTtNSDpxDPcfp3U8p:SWnAwC2FJ5NTp
Malware Config
Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence check. The query appears twice because both the original in Temp (PID 4704) and the copy in Program Files (x86)\update (PID 2204) perform it.
  - Key value queried: \REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Control Panel\International\Geo\Nation (process: 2a171268b910b9efe97d7663487603b8_JaffaCakes118.exe)
  - Key value queried: \REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Control Panel\International\Geo\Nation (process: 2a171268b910b9efe97d7663487603b8_JaffaCakes118.exe)

Executes dropped EXE (1 IoC)
  - PID 2204: 2a171268b910b9efe97d7663487603b8_JaffaCakes118.exe (the copy under C:\Program Files (x86)\update)

Adds Run key to start application (2 TTPs, 2 IoCs)
Both the original and the dropped copy write the same value. Note that the value data "12345.exe" is a bare file name with no directory, and no file of that name is written anywhere in this report, so whether this persistence entry actually resolves to anything at logon is not established here.
  - Set value (str): \REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1234 = "12345.exe" (process: 2a171268b910b9efe97d7663487603b8_JaffaCakes118.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1234 = "12345.exe" (process: 2a171268b910b9efe97d7663487603b8_JaffaCakes118.exe)

Drops file in Program Files directory (3 IoCs)
  - File created: C:\Program Files (x86)\update\2a171268b910b9efe97d7663487603b8_JaffaCakes118.exe (process: cmd.exe)
  - File opened for modification: C:\Program Files (x86)\update\2a171268b910b9efe97d7663487603b8_JaffaCakes118.exe (process: cmd.exe)
  - File created: C:\Program Files (x86)\update\cfg (process: 2a171268b910b9efe97d7663487603b8_JaffaCakes118.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Runs ping.exe (1 TTP, 2 IoCs)
  - PID 872: PING.EXE
  - PID 4084: PING.EXE

Suspicious use of WriteProcessMemory (18 IoCs)
Every target below is a direct child of the writing process in the tree under Processes, and each pair is logged three times at process creation, so on this sample these writes reflect the parent setting up the child it is launching rather than injection into an unrelated process.
  - PID 4704 (2a171268b910b9efe97d7663487603b8_JaffaCakes118.exe) wrote to memory of 1592, procid_target 85 (3 events)
  - PID 4704 (2a171268b910b9efe97d7663487603b8_JaffaCakes118.exe) wrote to memory of 2660, procid_target 87 (3 events)
  - PID 2660 (cmd.exe) wrote to memory of 4084, procid_target 90 (3 events)
  - PID 2660 (cmd.exe) wrote to memory of 2204, procid_target 91 (3 events)
  - PID 2204 (2a171268b910b9efe97d7663487603b8_JaffaCakes118.exe) wrote to memory of 1184, procid_target 96 (3 events)
  - PID 1184 (cmd.exe) wrote to memory of 872, procid_target 98 (3 events)
Processes

C:\Users\Admin\AppData\Local\Temp\2a171268b910b9efe97d7663487603b8_JaffaCakes118.exe (PID 4704)
  command line: "C:\Users\Admin\AppData\Local\Temp\2a171268b910b9efe97d7663487603b8_JaffaCakes118.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Windows\SysWOW64\cmd.exe (PID 1592)
  |     command line: "C:\Windows\system32\cmd.exe" /C copy "2a171268b910b9efe97d7663487603b8_JaffaCakes118.exe" "C:\Program Files (x86)\update\2a171268b910b9efe97d7663487603b8_JaffaCakes118.exe"
  |     - Drops file in Program Files directory
  |
  +-- C:\Windows\SysWOW64\cmd.exe (PID 2660)
        command line: "C:\Windows\system32\cmd.exe" "/C @echo off && ping -n 5 127.0.0.1 && start 2a171268b910b9efe97d7663487603b8_JaffaCakes118.exe"
        - Suspicious use of WriteProcessMemory
        |
        +-- C:\Windows\SysWOW64\PING.EXE (PID 4084)
        |     command line: ping -n 5 127.0.0.1
        |     - Runs ping.exe
        |
        +-- C:\Program Files (x86)\update\2a171268b910b9efe97d7663487603b8_JaffaCakes118.exe (PID 2204)
              command line: 2a171268b910b9efe97d7663487603b8_JaffaCakes118.exe"
              - Checks computer location settings
              - Executes dropped EXE
              - Adds Run key to start application
              - Drops file in Program Files directory
              - Suspicious use of WriteProcessMemory
              |
              +-- C:\Windows\SysWOW64\cmd.exe (PID 1184)
                    command line: "C:\Windows\system32\cmd.exe" "/C @echo off && ping -n 15 127.0.0.1 && del 2a171268b910b9efe97d7663487603b8_JaffaCakes118.exe"
                    - Suspicious use of WriteProcessMemory
                    |
                    +-- C:\Windows\SysWOW64\PING.EXE (PID 872)
                          command line: ping -n 15 127.0.0.1
                          - Runs ping.exe

Reading the tree: the original in Temp copies itself to C:\Program Files (x86)\update via cmd.exe, then spawns a second cmd.exe that uses "ping -n 5 127.0.0.1" as a sleep (ping waits one second between echo requests, so -n 5 is roughly four seconds) before running "start" on the sample's file name. The started process is the Program Files (x86)\update copy, so that cmd.exe was given that directory as its working directory. The copy writes the cfg file and the Run value, then spawns a cmd.exe that sleeps about fourteen seconds and runs "del" on the same file name; the working directory of that cmd.exe is not shown in the report, so which of the two copies is deleted is not established here. The trailing quote in PID 2204's command line is what "start" received from the quoted "/C ..." argument, not part of the file name. All cmd.exe and PING.EXE images are under SysWOW64 because the sample is 32-bit (resource tag arch:x86) and file system redirection maps its request for system32\cmd.exe to the 32-bit copy.
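The two behaviours the tree makes visible, cmd.exe using a loopback ping as a sleep before "start" or "del", and a Run value whose data is a bare file name, are worth turning into detection logic. The script below is an added example and not part of the tria.ge report: it runs over constructed Sysmon-style process-creation and registry events modelled on the PIDs, command lines and registry IoCs above (the "control" entries are invented benign records), and reports what fires plus the ancestry of the final ping.exe.

```python
"""Added example (not tria.ge output): detection logic for the behaviours in the
process tree above, run over constructed Sysmon-style events. The events are
modelled on the report's PIDs and command lines; the entries marked 'control'
are invented benign records to show the rules do not fire on them."""
import re

SAMPLE = "2a171268b910b9efe97d7663487603b8_JaffaCakes118.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
PING = r"C:\Windows\SysWOW64\PING.EXE"
SID = "S-1-5-21-587429654-1855694383-2268796072-1000"
RUN = rf"\REGISTRY\USER\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Process-creation events (pid, ppid, image, command line), constructed from the report.
PROC_EVENTS = [
    {"pid": 4704, "ppid": 1000, "image": rf"C:\Users\Admin\AppData\Local\Temp\{SAMPLE}",
     "cmdline": rf'"C:\Users\Admin\AppData\Local\Temp\{SAMPLE}"'},
    {"pid": 1592, "ppid": 4704, "image": CMD,
     "cmdline": rf'"C:\Windows\system32\cmd.exe" /C copy "{SAMPLE}" "C:\Program Files (x86)\update\{SAMPLE}"'},
    {"pid": 2660, "ppid": 4704, "image": CMD,
     "cmdline": rf'"C:\Windows\system32\cmd.exe" "/C @echo off && ping -n 5 127.0.0.1 && start {SAMPLE}"'},
    {"pid": 4084, "ppid": 2660, "image": PING, "cmdline": "ping -n 5 127.0.0.1"},
    {"pid": 2204, "ppid": 2660, "image": rf"C:\Program Files (x86)\update\{SAMPLE}",
     "cmdline": rf'{SAMPLE}"'},
    {"pid": 1184, "ppid": 2204, "image": CMD,
     "cmdline": rf'"C:\Windows\system32\cmd.exe" "/C @echo off && ping -n 15 127.0.0.1 && del {SAMPLE}"'},
    {"pid": 872, "ppid": 1184, "image": PING, "cmdline": "ping -n 15 127.0.0.1"},
    # control: a real reachability ping to a remote host, not a loopback sleep
    {"pid": 5000, "ppid": 1000, "image": CMD,
     "cmdline": "cmd.exe /C ping -n 4 10.0.0.1 && echo reachable"},
]

# Registry value-set events, constructed from the 'Adds Run key' IoCs in the report.
REG_EVENTS = [
    {"pid": 4704, "key": RUN + r"\1234", "data": "12345.exe"},
    {"pid": 2204, "key": RUN + r"\1234", "data": "12345.exe"},
    # control: a Run value with a full quoted path and an argument
    {"pid": 6000, "key": RUN + r"\Updater", "data": r'"C:\Program Files\Vendor\updater.exe" /quiet'},
]

# 'ping -n N <loopback>' sleeps about N-1 seconds; chained with && it is a timer.
PING_SLEEP = re.compile(r"\bping(?:\.exe)?\s+-n\s+(\d+)\s+(?:127\.0\.0\.1|localhost|::1)\b", re.I)
THEN_ACTION = re.compile(r"&&\s*(start|del|erase)\b", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)


def ping_sleep_findings(events):
    """Flag cmd.exe command lines that sleep via loopback ping and then start or
    delete something. Returns (pid, approx_seconds, action) tuples."""
    out = []
    for ev in events:
        if not ev["image"].lower().endswith("cmd.exe"):
            continue
        m = PING_SLEEP.search(ev["cmdline"])
        if not m:
            continue
        act = THEN_ACTION.search(ev["cmdline"], m.end())
        if act:
            out.append((ev["pid"], int(m.group(1)) - 1, act.group(1).lower()))
    return out


def run_value_target(data):
    """Return the executable part of a Run value: the quoted token if the data
    starts with a quote, otherwise the first whitespace-delimited token."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split()[0] if data else ""


def suspicious_run_values(reg_events):
    """Flag Run/RunOnce values whose target has no directory or drive, so Windows
    has to locate it through the search path at logon. Returns
    (pid, value_name, target) tuples."""
    out = []
    for ev in reg_events:
        if not RUN_KEY.search(ev["key"]):
            continue
        target = run_value_target(ev["data"])
        if "\\" not in target and ":" not in target:
            out.append((ev["pid"], ev["key"].rsplit("\\", 1)[1], target))
    return out


def lineage(events, pid):
    """Walk ppid links from pid to the root and return image paths, newest first."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return chain


if __name__ == "__main__":
    for pid, secs, action in ping_sleep_findings(PROC_EVENTS):
        print(f"ping-sleep then {action}: cmd.exe pid {pid} waits ~{secs}s")
    for pid, name, target in suspicious_run_values(REG_EVENTS):
        print(f"bare-name Run value: pid {pid} set {name} -> {target}")
    print(" <- ".join(lineage(PROC_EVENTS, 872)))
```

The ping-sleep rule keys on the loopback destination on purpose: a ping to a remote address chained with && is ordinary reachability scripting, which is why the control event stays quiet. The Run-value rule is deliberately narrow (no directory and no drive letter in the target) so that fully qualified entries such as the control pass; tighten or loosen it to taste before using it on real telemetry.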
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 295KB
MD5: 2a171268b910b9efe97d7663487603b8
SHA1: d55f941f0a6e9d9354c8a0f44427428c9ba7a932
SHA256: 991c02642077dbf3179f88a0364f68de9f7e5e3704dde3dec87238d779c6eaa0
SHA512: ca4b602acede37ee5ad50e3cbfacab9a5e14f0d393b3b0060d169a6e36dd182e8e515b0ceda6d791cb0eb0f330849bc935ff517c105df53fc3c279844cd349c7