Analysis
- max time kernel: 93s
- max time network: 96s
- platform: windows10-2004_x64
- resource: win10v2004-20240704-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08/07/2024, 07:04

Static task: static1

Behavioral task: behavioral1
- Sample: 2b68837db9de8dc4868b847fe774be21_JaffaCakes118.exe
- Resource: win7-20240704-en

Behavioral task: behavioral2
- Sample: 2b68837db9de8dc4868b847fe774be21_JaffaCakes118.exe
- Resource: win10v2004-20240704-en
General
- Target: 2b68837db9de8dc4868b847fe774be21_JaffaCakes118.exe
- Size: 127KB
- MD5: 2b68837db9de8dc4868b847fe774be21
- SHA1: 5b267c68d86cb57646a9c765add756cb65ca643d
- SHA256: 461483fafdb9c48dee3b902d6f36b239fce68026abe11a01eca6314e9584e334
- SHA512: 733899d7f0278b9611daa3b41f2b4ebaffcb7d7a185e5b28ff4c7e9ae345a36957feb57323a8b3927166dec997febc46c97adb19f7496b9296312ab0645549b2
- SSDEEP: 3072:tWIVzl1GSJLLpgmGj8g5ZQXMmwI+QXMmwI2m:gIVzl3LumGGMazMa2m
Malware Config
Signatures

- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\Control Panel\International\Geo\Nation | cmd.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\Control Panel\International\Geo\Nation | cmd.exe

- Deletes itself (1 IoCs)
  pid | Process
  32 | DelCF66.tmp

- Executes dropped EXE (1 IoCs)
  pid | Process
  32 | DelCF66.tmp

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Modifies registry class (2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000_Classes\Local Settings | cmd.exe
  Key created | \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000_Classes\Local Settings | cmd.exe

- Suspicious use of WriteProcessMemory (15 IoCs)
  description | pid | Process | procid_target
  PID 4316 wrote to memory of 4644 | 4316 | 2b68837db9de8dc4868b847fe774be21_JaffaCakes118.exe | 82
  PID 4316 wrote to memory of 4644 | 4316 | 2b68837db9de8dc4868b847fe774be21_JaffaCakes118.exe | 82
  PID 4316 wrote to memory of 4644 | 4316 | 2b68837db9de8dc4868b847fe774be21_JaffaCakes118.exe | 82
  PID 4644 wrote to memory of 4184 | 4644 | cmd.exe | 86
  PID 4644 wrote to memory of 4184 | 4644 | cmd.exe | 86
  PID 4644 wrote to memory of 4184 | 4644 | cmd.exe | 86
  PID 4316 wrote to memory of 32 | 4316 | 2b68837db9de8dc4868b847fe774be21_JaffaCakes118.exe | 88
  PID 4316 wrote to memory of 32 | 4316 | 2b68837db9de8dc4868b847fe774be21_JaffaCakes118.exe | 88
  PID 4316 wrote to memory of 32 | 4316 | 2b68837db9de8dc4868b847fe774be21_JaffaCakes118.exe | 88
  PID 32 wrote to memory of 2156 | 32 | DelCF66.tmp | 89
  PID 32 wrote to memory of 2156 | 32 | DelCF66.tmp | 89
  PID 32 wrote to memory of 2156 | 32 | DelCF66.tmp | 89
  PID 2156 wrote to memory of 3180 | 2156 | cmd.exe | 91
  PID 2156 wrote to memory of 3180 | 2156 | cmd.exe | 91
  PID 2156 wrote to memory of 3180 | 2156 | cmd.exe | 91
Processes (tree; depth shown by indentation)

1. C:\Users\Admin\AppData\Local\Temp\2b68837db9de8dc4868b847fe774be21_JaffaCakes118.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\2b68837db9de8dc4868b847fe774be21_JaffaCakes118.exe"
   - Suspicious use of WriteProcessMemory
   PID: 4316

   2. C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c a.vbs
      - Checks computer location settings
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      PID: 4644

      3. C:\Windows\SysWOW64\WScript.exe
         command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a.vbs"
         PID: 4184

   2. C:\Users\Admin\AppData\Local\Temp\DelCF66.tmp
      command line: C:\Users\Admin\AppData\Local\Temp\DelCF66.tmp 256 "C:\Users\Admin\AppData\Local\Temp\2b68837db9de8dc4868b847fe774be21_JaffaCakes118.exe"
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 32

      3. C:\Windows\SysWOW64\cmd.exe
         command line: C:\Windows\system32\cmd.exe /c a.vbs
         - Checks computer location settings
         - Modifies registry class
         - Suspicious use of WriteProcessMemory
         PID: 2156

         4. C:\Windows\SysWOW64\WScript.exe
            command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a.vbs"
            PID: 3180
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 127KB
  MD5: 2b68837db9de8dc4868b847fe774be21
  SHA1: 5b267c68d86cb57646a9c765add756cb65ca643d
  SHA256: 461483fafdb9c48dee3b902d6f36b239fce68026abe11a01eca6314e9584e334
  SHA512: 733899d7f0278b9611daa3b41f2b4ebaffcb7d7a185e5b28ff4c7e9ae345a36957feb57323a8b3927166dec997febc46c97adb19f7496b9296312ab0645549b2

- Filesize: 22KB
  MD5: 0a4899d7995aeb9b8263f62dcae31c0c
  SHA1: d4f5dc941ffa15b07e73097d6dccd87ddfef2e22
  SHA256: ce532ed99a85758250b49e3b422654068ac384b8c4951b8f2df97402e191a617
  SHA512: ac3a445d8970b691fc9756a89ee590e6449dcd53334bf47c4fc4eb4f0445e767d0271e4cad43a4a286eb320709b63f381d4cd2c938ed5de8786fc0379478b4c5