Analysis

max time kernel: 145s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20240704-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/07/2024, 10:04

Static task: static1

Behavioral task: behavioral1
  Sample: 2beb6c52e2c2f0a4140044b97e91db82_JaffaCakes118.exe
  Resource: win7-20240705-en

Behavioral task: behavioral2
  Sample: 2beb6c52e2c2f0a4140044b97e91db82_JaffaCakes118.exe
  Resource: win10v2004-20240704-en

The signatures and process tree below are from the Windows 10 run (behavioral2, resource win10v2004-20240704-en), as stated in the analysis header.
General

Target: 2beb6c52e2c2f0a4140044b97e91db82_JaffaCakes118.exe
Size: 175KB
MD5: 2beb6c52e2c2f0a4140044b97e91db82
SHA1: 5c87abb58548c261dc9b4ca51cd01f029c93ec68
SHA256: dd8adb087145448b58f5c87499be4fbd82646ff5bd59cb5561d5c70a6453c8ee
SHA512: 123a83d6b937f4d3358cc2b0a15b9b0bb1ead1eaeb5d253712e8ec8b6cac7164b9e6171a79b349084ce5f9c31c00c5a010e805872a8571edfde46e0f534b2d44
SSDEEP: 3072:HAQ8WC0Oa+b1hykjWeEhEszrkm2OsXYId1p4WvPlfg+mQm1+kk:HAQ848/jjW1kzOsn4WFfN81i
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key queried: \REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\Control Panel\International\Geo\Nation
  Process: 2beb6c52e2c2f0a4140044b97e91db82_JaffaCakes118.exe

Executes dropped EXE (1 IoC)
  PID 5108  jxdradu.exe

Loads dropped DLL (1 IoC)
  PID 5108  jxdradu.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Kills process with taskkill (1 IoC)
  PID 1148  taskkill.exe

Runs ping.exe (1 TTP, 1 IoC)
  PID 1332  PING.EXE

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 5108  jxdradu.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege  PID 1148  taskkill.exe

Suspicious use of FindShellTrayWindow (3 IoCs)
  PID 5108  jxdradu.exe (3 hits)

Suspicious use of SendNotifyMessage (3 IoCs)
  PID 5108  jxdradu.exe (3 hits)

Suspicious use of WriteProcessMemory (12 IoCs)
  Each description is reported three times; the twelve hits collapse to the four parent-to-child edges of the process tree below, i.e. each parent writing into the child it creates.

  description                         pid   Process                                              procid_target
  PID 2240 wrote to memory of 2536    2240  2beb6c52e2c2f0a4140044b97e91db82_JaffaCakes118.exe   85   (x3)
  PID 2536 wrote to memory of 1148    2536  cmd.exe                                              87   (x3)
  PID 2536 wrote to memory of 1332    2536  cmd.exe                                              89   (x3)
  PID 2536 wrote to memory of 5108    2536  cmd.exe                                              90   (x3)
Processes

1. C:\Users\Admin\AppData\Local\Temp\2beb6c52e2c2f0a4140044b97e91db82_JaffaCakes118.exe  (PID 2240)
   Command line: "C:\Users\Admin\AppData\Local\Temp\2beb6c52e2c2f0a4140044b97e91db82_JaffaCakes118.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe  (PID 2536)
      Command line: "C:\Windows\System32\cmd.exe" /c taskkill /f /pid 2240 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\2beb6c52e2c2f0a4140044b97e91db82_JaffaCakes118.exe" & start C:\Users\Admin\AppData\Local\jxdradu.exe -f
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\taskkill.exe  (PID 1148)
         Command line: taskkill /f /pid 2240
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken

      3. C:\Windows\SysWOW64\PING.EXE  (PID 1332)
         Command line: ping -n 3 127.1
         - Runs ping.exe

      3. C:\Users\Admin\AppData\Local\jxdradu.exe  (PID 5108)
         Command line: C:\Users\Admin\AppData\Local\jxdradu.exe -f
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of FindShellTrayWindow
         - Suspicious use of SendNotifyMessage

The cmd.exe one-liner at depth 2 is a self-removal and relocation routine launched by the sample itself. taskkill /f /pid 2240 terminates the original sample (cmd.exe's own parent, which is why taskkill needs SeDebugPrivilege); ping -n 3 127.1 is a roughly two-second delay (127.1 is classful shorthand for 127.0.0.1) that gives the killed process time to exit and release the lock on its image file; del /f /q removes the original executable from %TEMP%; and start launches the copy already dropped to %LOCALAPPDATA%\jxdradu.exe with a -f switch. The command line names System32\cmd.exe but the recorded image is SysWOW64\cmd.exe, so the sample is a 32-bit process and WoW64 file-system redirection applied. All of the GUI-facing signatures (GetForegroundWindowSpam, FindShellTrayWindow, SendNotifyMessage) and the dropped-DLL load belong to the relocated copy, PID 5108, not to the original file, so the hashes in General identify the dropper stage only.
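A detection for the chain above, as an added example that is not part of the tria.ge report: it parses process-creation records for a cmd.exe invocation that kills a PID, deletes a file and starts another binary in one command line, and flags the strongest form, where the killed PID is cmd.exe's own parent and the deleted file is that parent's image. The records in EVENTS are constructed from the report's process tree using Sysmon Event ID 1 field names; the sample's parent PID 4000 and the benign control record are invented for the example.

```python
"""Flag the taskkill / ping / del / start self-removal chain in process logs.

Added example for this report; not tria.ge code. EVENTS is constructed
from the report's process tree (Sysmon Event ID 1 field names); the
parent PID 4000 and the benign control record are made up.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Paths copied from the report's process tree.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2beb6c52e2c2f0a4140044b97e91db82_JaffaCakes118.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\jxdradu.exe"

# Constructed process-creation records (Sysmon Event ID 1 field names).
EVENTS: List[Dict] = [
    {"ProcessId": 2240, "ParentProcessId": 4000, "Image": SAMPLE,
     "CommandLine": '"' + SAMPLE + '"'},
    {"ProcessId": 2536, "ParentProcessId": 2240,
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": ('"C:\\Windows\\System32\\cmd.exe" /c taskkill /f /pid 2240'
                     ' & ping -n 3 127.1 & del /f /q "' + SAMPLE + '"'
                     ' & start ' + DROPPED + ' -f')},
    {"ProcessId": 1148, "ParentProcessId": 2536,
     "Image": r"C:\Windows\SysWOW64\taskkill.exe",
     "CommandLine": "taskkill /f /pid 2240"},
    {"ProcessId": 1332, "ParentProcessId": 2536,
     "Image": r"C:\Windows\SysWOW64\PING.EXE",
     "CommandLine": "ping -n 3 127.1"},
    {"ProcessId": 5108, "ParentProcessId": 2536, "Image": DROPPED,
     "CommandLine": DROPPED + " -f"},
    # Benign control (constructed): deletes a file but kills and starts nothing.
    {"ProcessId": 6000, "ParentProcessId": 4000,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c del /f /q "C:\\Temp\\old.log"'},
]

# One regex per stage of the chain. Only the "/pid N" form of taskkill is
# handled; a "/im name.exe" variant would need a second pattern.
TASKKILL_RE = re.compile(r"\btaskkill\b[^&]*?/pid\s+(\d+)", re.I)
# 127.1 is classful shorthand the resolver expands to 127.0.0.1, and
# "ping -n N" waits roughly N-1 seconds: ping is being used as sleep.
PING_RE = re.compile(r"\bping\s+-n\s+(\d+)\s+127(?:\.0\.0)?\.1\b", re.I)
DEL_RE = re.compile(r"\bdel\s+(?:/[fq]\s+)*(?:\"([^\"]+)\"|(\S+))", re.I)
START_RE = re.compile(r"\bstart\s+(?:\"([^\"]+)\"|(\S+))", re.I)


@dataclass
class Finding:
    cmd_pid: int        # the cmd.exe running the one-liner
    killed_pid: int     # PID passed to taskkill
    deleted_path: str   # file removed by del
    started_path: str   # binary launched by start
    ping_count: int     # 0 when no ping-based delay is present
    self_target: bool   # killed PID is cmd.exe's parent and the deleted
                        # file is that parent's image (sample erases itself)


def detect_self_delete_chain(events: List[Dict]) -> List[Finding]:
    """Return one Finding per cmd.exe whose command line kills a process,
    deletes a file and starts another binary in a single invocation."""
    by_pid = {e["ProcessId"]: e for e in events}
    findings: List[Finding] = []
    for e in events:
        if not e["Image"].lower().endswith("\\cmd.exe"):
            continue
        cl = e["CommandLine"]
        kill = TASKKILL_RE.search(cl)
        dele = DEL_RE.search(cl)
        start = START_RE.search(cl)
        if not (kill and dele and start):
            continue
        killed = int(kill.group(1))
        deleted = dele.group(1) or dele.group(2)
        started = start.group(1) or start.group(2)
        ping = PING_RE.search(cl)
        parent: Optional[Dict] = by_pid.get(e["ParentProcessId"])
        self_target = (parent is not None
                       and killed == parent["ProcessId"]
                       and deleted.lower() == parent["Image"].lower())
        findings.append(Finding(e["ProcessId"], killed, deleted, started,
                                int(ping.group(1)) if ping else 0, self_target))
    return findings


if __name__ == "__main__":
    for f in detect_self_delete_chain(EVENTS):
        print(f)
```

Requiring all three of kill, delete and start keeps ordinary cleanup scripts (the benign control record) out of the results; the ping count and the self_target flag are reported separately so an analyst can rank hits rather than have the detector insist on one exact shape of the chain.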
Network
MITRE ATT&CK Enterprise v15
Downloads

Sample file, 175KB (same hashes as in General):
MD5: 2beb6c52e2c2f0a4140044b97e91db82
SHA1: 5c87abb58548c261dc9b4ca51cd01f029c93ec68
SHA256: dd8adb087145448b58f5c87499be4fbd82646ff5bd59cb5561d5c70a6453c8ee
SHA512: 123a83d6b937f4d3358cc2b0a15b9b0bb1ead1eaeb5d253712e8ec8b6cac7164b9e6171a79b349084ce5f9c31c00c5a010e805872a8571edfde46e0f534b2d44