Analysis
- max time kernel: 92s
- max time network: 94s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/07/2024, 07:24
Static task
- static1
Behavioral task behavioral1
- Sample: 3c772ce76fc4bcac93a4fd74f03e1587_JaffaCakes118.exe
- Resource: win7-20240708-en
Behavioral task behavioral2
- Sample: 3c772ce76fc4bcac93a4fd74f03e1587_JaffaCakes118.exe
- Resource: win10v2004-20240709-en
General
- Target: 3c772ce76fc4bcac93a4fd74f03e1587_JaffaCakes118.exe
- Size: 998KB
- MD5: 3c772ce76fc4bcac93a4fd74f03e1587
- SHA1: b266bf7adbd60b8bb95a8fea26855c1682786164
- SHA256: 5a207869e0f7fa20eccbc95fb3f711a8cb6a31a72e5843310a7dc831314bdc94
- SHA512: 77c77298a668c7e8b6fb701b2a0d5f2a5a9cf3675a15feb0a46f76bcab882002bac63246b1b0e7b0f00b268bb6378885086ca73908a0e5d568ac2f66267348c3
- SSDEEP: 24576:txj7xTcX2LSlwthsobVC/5imoDe5l6uiEkLJvurXPIt+1KNI4sQ/:reXyPthzbkomQylDMLczwt+A64sM
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation (process: 3c772ce76fc4bcac93a4fd74f03e1587_JaffaCakes118.exe)
- Drops file in Windows directory (2 IoCs)
  File created: C:\Windows\Fonts\Calibri.ttf (process: xcopy.exe)
  File opened for modification: C:\Windows\Fonts (process: xcopy.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Enumerates system info in registry (2 TTPs, 1 IoC)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier (process: xcopy.exe)
- Runs .reg file with regedit (1 IoC)
  PID 3856, regedit.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 4460 (3c772ce76fc4bcac93a4fd74f03e1587_JaffaCakes118.exe) wrote to memory of PID 1600, procid_target 86 (3 entries)
  PID 1600 (cmd.exe) wrote to memory of PID 5116, procid_target 88 (3 entries)
  PID 4460 (3c772ce76fc4bcac93a4fd74f03e1587_JaffaCakes118.exe) wrote to memory of PID 3856, procid_target 89 (3 entries)
  Each write pairs with a parent-to-child process creation in the process tree below; on its own this signature does not establish code injection.
Processes
1. C:\Users\Admin\AppData\Local\Temp\3c772ce76fc4bcac93a4fd74f03e1587_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3c772ce76fc4bcac93a4fd74f03e1587_JaffaCakes118.exe"
   PID 4460; signatures: Checks computer location settings, Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c xcopy Fonts "C:\Windows\Fonts" /e /i /y
      PID 1600; signatures: Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\xcopy.exe
         Command line: xcopy Fonts "C:\Windows\Fonts" /e /i /y
         PID 5116; signatures: Drops file in Windows directory, Enumerates system info in registry
   2. C:\Windows\SysWOW64\regedit.exe
      Command line: "C:\Windows\System32\regedit.exe" /s Fonts.reg
      PID 3856; signatures: Runs .reg file with regedit

The command lines name C:\Windows\System32 but the images that actually ran are under C:\Windows\SysWOW64: the sample is a 32-bit executable (see the arch:x86 resource tag), so WOW64 file-system redirection maps System32 to SysWOW64 for everything it launches. regedit is invoked with /s, which imports Fonts.reg without the confirmation dialog; the sample's working-directory Fonts folder and Fonts.reg are the only inputs to the two child commands.
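The process tree above is a compact chain to hunt for: an executable running from a user-writable temp path spawns a copy tool that writes into C:\Windows\Fonts and a silent regedit import. The following detection logic is an added example, not part of the tria.ge report and not a tria.ge signature. It assumes a Sysmon-like process-creation record (pid, ppid, image, cmdline); the four event records are constructed from the tree above, and the rule names are the example's own.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (assumed Sysmon EID 1-like shape)."""
    pid: int
    ppid: int
    image: str    # image path as resolved on disk (SysWOW64 for this 32-bit sample)
    cmdline: str  # command line as launched (names System32; redirected by WOW64)


SAMPLE = "3c772ce76fc4bcac93a4fd74f03e1587_JaffaCakes118.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# Constructed from the Processes section of the report; not a real log export.
EVENTS = [
    ProcEvent(4460, 1, TEMP + "\\" + SAMPLE, '"' + TEMP + "\\" + SAMPLE + '"'),
    ProcEvent(1600, 4460, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c xcopy Fonts "C:\Windows\Fonts" /e /i /y'),
    ProcEvent(5116, 1600, r"C:\Windows\SysWOW64\xcopy.exe",
              r'xcopy Fonts "C:\Windows\Fonts" /e /i /y'),
    ProcEvent(3856, 4460, r"C:\Windows\SysWOW64\regedit.exe",
              r'"C:\Windows\System32\regedit.exe" /s Fonts.reg'),
]

# regedit /s imports a .reg file without showing the confirmation dialog.
REG_SILENT = re.compile(r'regedit(?:\.exe)?"?\s+[/-]s\b.*\.reg\b', re.IGNORECASE)
# Copy utilities whose command line targets the system font directory.
FONTS_DIR = re.compile(r"\\Windows\\Fonts\b", re.IGNORECASE)
COPY_TOOLS = {"xcopy.exe", "robocopy.exe"}
# An ancestor executing from a user-writable location (assumed list).
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|Downloads|Public)\\", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path; matching on image, not cmdline."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(pid, by_pid):
    """Walk parent links from pid upward; stop on an unknown pid or a cycle."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def detect(events):
    """Return one finding per (rule, process), with the user-writable root if any."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        base = basename(e.image)
        rules = []
        if base == "regedit.exe" and REG_SILENT.search(e.cmdline):
            rules.append("regedit_silent_import")
        if base in COPY_TOOLS and FONTS_DIR.search(e.cmdline):
            rules.append("copy_into_windows_fonts")
        for rule in rules:
            root = next((a for a in ancestors(e.ppid, by_pid)
                         if USER_WRITABLE.search(a.image)), None)
            findings.append({
                "rule": rule,
                "pid": e.pid,
                "image": base,
                "root_pid": root.pid if root else None,
                "root_image": basename(root.image) if root else None,
            })
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

Matching the tool on the resolved image name rather than the command line avoids double-counting: cmd.exe's command line also contains "xcopy", but only the xcopy.exe record is flagged, and the ancestor walk ties both flagged processes back to PID 4460 in the temp directory. On a real Sysmon feed the same two rules would also fire for the mirror cases (robocopy into Fonts, "regedit -s"), which is why the patterns accept them.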
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 948B
  MD5: 0798c369716d601f7f61aad56708bb69
  SHA1: fd944cf9fa5132d4216469d3487a9626b0c329f3
  SHA256: 642f6b40b3b1ecb79ab1894d3fd3bc7638a9fbec332c2bf9f4144187968b963a
  SHA512: 71db8de5e38c837d776860a4db9a75a1835d48cf0bcfb4007852623b4a6dd34bff7599086146ad7352b5610cd1e18f8b1d2c604125b90ebf304112c66b0cbcdb
- Filesize: 238KB
  MD5: d5630a8814488c1800727da51c00c256
  SHA1: 8c9298c19cd369087a95c27cf716d27e474f2ece
  SHA256: 6615eaeb730311e6f997e34e1e560fae6629be9f47e92929d13d96108e58fa43
  SHA512: 5f08970f024bb7a9e4500a64cb122301df1940e48b1e727be693423ca78cb116636eb374fcfce45b631cf6c24ef868633e703d3fed4d51c1092dc0363a197577