Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/07/2024, 05:18 UTC
Behavioral task behavioral1
Sample: 4056b919366ea6a51c5e9069f8472091_JaffaCakes118.exe
Resource: win7-20240708-en
Behavioral task behavioral2
Sample: 4056b919366ea6a51c5e9069f8472091_JaffaCakes118.exe
Resource: win10v2004-20240709-en
The platform listed under Analysis and the behavioral2/ prefix on the YARA matches below indicate that the Signatures, Processes and Network sections of this view are from the Windows 10 run (behavioral2).
General
Target: 4056b919366ea6a51c5e9069f8472091_JaffaCakes118.exe
Size: 10KB
MD5: 4056b919366ea6a51c5e9069f8472091
SHA1: c7ce6debc93e42d90756b9be5236d93acdde0cf9
SHA256: 65c070674f6e95dc8bbc95d3bda7c6af3924cc1366d99dfcd3e7ce0959b2d758
SHA512: 988f8df472f5578ab9d7446fef14b1018806f4860e128832d15c95ac62071a01ac489f853676e9df4052ee668fe7b7b84ce16cd751fce330ef6bc2d03eda97d1
SSDEEP: 192:xmGWV65YDUC3s6zNVa0AwuvC0uUxQuhCFaNJhLkwcud2DH9VwGfctdk:xmUWDUCckVa5aTshmaNJawcudoD7Uo
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation
  Process: 7DBB.tmp
The Nation value holds the user's configured country; reading it before doing anything else is a common way for a dropper to refuse to run in particular countries.

Executes dropped EXE (1 IoC)
  pid: 1304  Process: 7DBB.tmp

YARA rule match: upx (2 IoCs)
  resource: behavioral2/memory/4816-0-0x0000000000400000-0x000000000040C000-memory.dmp  yara_rule: upx
  resource: behavioral2/memory/4816-8-0x0000000000400000-0x000000000040C000-memory.dmp  yara_rule: upx
Both dumps cover the sample's own image in PID 4816 (0x400000-0x40C000), so it is the 10KB sample itself that matches the UPX rule.

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsft = "C:\\WINDOWS\\sys32.exe"
  Process: reg.exe
The command line (see Processes) names HKLM\Software\Microsoft\Windows\CurrentVersion\Run with no WOW6432Node component; reg.exe runs as a 32-bit process from SysWOW64, so registry redirection places the value under WOW6432Node. The value name "Microsft" is a misspelling of "Microsoft", presumably chosen to blend in with legitimate entries. The report does not record C:\WINDOWS\sys32.exe being written.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies registry key (1 TTP, 1 IoC)
  pid: 1536  Process: reg.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description: PID 4816 wrote to memory of 1304  pid: 4816  Process: 4056b919366ea6a51c5e9069f8472091_JaffaCakes118.exe  procid_target: 83  (logged 3 times)
  description: PID 1304 wrote to memory of 4384  pid: 1304  Process: 7DBB.tmp  procid_target: 87  (logged 3 times)
  description: PID 4384 wrote to memory of 1536  pid: 4384  Process: cmd.exe  procid_target: 89  (logged 3 times)
Each write is from a parent into the child it had just spawned, which is consistent with ordinary process creation rather than injection into an unrelated process.
Processes
1. C:\Users\Admin\AppData\Local\Temp\4056b919366ea6a51c5e9069f8472091_JaffaCakes118.exe  (PID 4816)
   command line: "C:\Users\Admin\AppData\Local\Temp\4056b919366ea6a51c5e9069f8472091_JaffaCakes118.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\7DBB.tmp  (PID 1304)
      command line: C:\Users\Admin\AppData\Local\Temp\7DBB.tmp C:\Users\Admin\AppData\Local\Temp
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe  (PID 4384)
         command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpfile0.bat" "
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\reg.exe  (PID 1536)
            command line: reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Microsft /t REG_SZ /d C:\WINDOWS\sys32.exe
            - Adds Run key to start application
            - Modifies registry key
The chain is: the sample drops and runs 7DBB.tmp, passing it the Temp directory as an argument; 7DBB.tmp runs a dropped batch file (tmpfile0.bat) through cmd.exe; the batch file calls reg.exe to add the Run value. cmd.exe is requested as C:\Windows\system32\cmd.exe but the image actually loaded is C:\Windows\SysWOW64\cmd.exe, because the 32-bit parent is subject to file-system redirection.
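The persistence step above is what an analyst would want to catch on a live host. The following detection is an added example, not part of the tria.ge report: it parses `reg add` command lines, models the WOW6432Node redirection that explains why the IoC key differs from the command line, walks the parent chain to expose the dropper, and flags the lookalike value name. The process-creation tuples are constructed from the report's process tree; the (pid, ppid, image, cmdline) layout, the root's parent PID of 1, the brand list and the similarity threshold are assumptions of this example.

```python
"""Flag Run-key persistence written through reg.exe, as in the process tree above.

Added example, not part of the tria.ge report. The event tuples are constructed
from the report's process tree; the (pid, ppid, image, cmdline) layout is an
assumption about how an EDR/Sysmon feed would present them.
"""
import difflib
import re

# Constructed process-creation events: (pid, ppid, image, command line).
# Values come from the report's process tree; the root's parent PID is made up.
EVENTS = [
    (4816, 1,
     r"C:\Users\Admin\AppData\Local\Temp\4056b919366ea6a51c5e9069f8472091_JaffaCakes118.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\4056b919366ea6a51c5e9069f8472091_JaffaCakes118.exe"'),
    (1304, 4816,
     r"C:\Users\Admin\AppData\Local\Temp\7DBB.tmp",
     r"C:\Users\Admin\AppData\Local\Temp\7DBB.tmp C:\Users\Admin\AppData\Local\Temp"),
    (4384, 1304,
     r"C:\Windows\SysWOW64\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpfile0.bat" "'),
    (1536, 4384,
     r"C:\Windows\SysWOW64\reg.exe",
     r"reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Microsft /t REG_SZ /d C:\WINDOWS\sys32.exe"),
]

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
BRANDS = ("microsoft", "windows", "google", "adobe")  # assumed list of names malware imitates


def parse_reg_add(cmdline):
    """Parse `reg add <key> [/v name] [/t type] [/d data]`; return a dict or None."""
    toks = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    if len(toks) < 3 or toks[1].lower() != "add":
        return None
    exe = toks[0].lower()
    if exe not in ("reg", "reg.exe") and not exe.endswith("\\reg.exe"):
        return None
    out = {"key": toks[2], "value": "(Default)", "type": "REG_SZ", "data": ""}
    flags = {"/v": "value", "/t": "type", "/d": "data"}
    i = 3
    while i < len(toks):
        field = flags.get(toks[i].lower())
        if field and i + 1 < len(toks):
            out[field] = toks[i + 1]
            i += 2
        else:
            i += 1
    return out


def effective_key(key, image):
    """Map the key named on the command line to the key the write actually lands in.

    A 32-bit reg.exe (image under SysWOW64 on x64 Windows) has HKLM\\Software
    redirected to HKLM\\Software\\WOW6432Node. The shared subkeys that Windows
    exempts from redirection are not modelled here (simplification).
    """
    hive, _, path = key.partition("\\")
    hive = HIVES.get(hive.upper(), hive.upper())
    lower = path.lower()
    if ("\\syswow64\\" in image.lower() and hive == "HKEY_LOCAL_MACHINE"
            and lower.startswith("software\\")
            and not lower.startswith("software\\wow6432node\\")):
        path = "SOFTWARE\\WOW6432Node\\" + path[len("software\\"):]
    return hive + "\\" + path


def scan(events):
    """Return one finding per reg.exe write into a Run/RunOnce key, with context."""
    by_pid = {e[0]: e for e in events}
    findings = []
    for pid, ppid, image, cmdline in events:
        reg = parse_reg_add(cmdline)
        if reg is None or not RUN_KEY_RE.search(reg["key"]):
            continue
        # Walk the ancestry so the analyst sees the dropper chain, not just reg.exe.
        chain, cur = [], ppid
        while cur in by_pid:
            chain.append(by_pid[cur][2])
            cur = by_pid[cur][1]
        reasons = ["reg.exe sets a Run value (ATT&CK T1547.001)"]
        if any("\\temp\\" in p.lower() for p in chain):
            reasons.append("an ancestor runs from a Temp directory")
        if any(p.lower().endswith(".tmp") for p in chain):
            reasons.append("an ancestor is a .tmp executable (dropped payload)")
        data = reg["data"].lower()
        if data.startswith("c:\\windows\\") and data.count("\\") == 2:
            reasons.append("payload placed directly in C:\\Windows, not a system subdirectory")
        name = reg["value"].lower()
        for brand in BRANDS:
            if difflib.SequenceMatcher(None, name, brand).ratio() >= 0.85:
                reasons.append(f"value name {reg['value']!r} imitates {brand!r}")
        findings.append({
            "pid": pid, "value": reg["value"], "data": reg["data"],
            "key_as_typed": reg["key"], "effective_key": effective_key(reg["key"], image),
            "chain": chain, "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in scan(EVENTS):
        print(f"PID {f['pid']}: {f['effective_key']}\\{f['value']} = {f['data']}")
        for r in f["reasons"]:
            print("  -", r)
```

Run on the constructed events it produces a single finding for PID 1536 whose effective key is HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run, matching the IoC in the Signatures section, with the three-process dropper chain attached. The ratio threshold is deliberately loose; tune it and the brand list against your own Run-key baseline before deploying.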
Network
Reverse (PTR) lookups sent to 8.8.8.8:53:
  8.8.8.8.in-addr.arpa          -> dns.google
  2.159.190.20.in-addr.arpa     -> (no PTR record in response)
  73.144.22.2.in-addr.arpa      -> a2-22-144-73.deploy.static.akamaitechnologies.com
  183.59.114.20.in-addr.arpa    -> (no PTR record in response)
  56.126.166.20.in-addr.arpa    -> (no PTR record in response)
  172.210.232.199.in-addr.arpa  -> (no PTR record in response)
  81.144.22.2.in-addr.arpa      -> a2-22-144-81.deploy.static.akamaitechnologies.com
  240.221.184.93.in-addr.arpa   -> (no PTR record in response)
  30.243.111.52.in-addr.arpa    -> (no PTR record in response)
All recorded traffic is reverse lookups; the addresses being resolved sit in Microsoft, Akamai and other CDN ranges typical of Windows background activity on the sandbox image. The report attributes no outbound connection to the sample, so this section offers no network indicator for it.
Per-request counters (column order as presented on the page: bytes sent, bytes received, requests, responses):
DNS Request                    sent   received  requests  responses
8.8.8.8.in-addr.arpa           66 B   90 B      1         1
2.159.190.20.in-addr.arpa      71 B   157 B     1         1
73.144.22.2.in-addr.arpa       70 B   133 B     1         1
183.59.114.20.in-addr.arpa     72 B   158 B     1         1
56.126.166.20.in-addr.arpa     72 B   158 B     1         1
172.210.232.199.in-addr.arpa   74 B   128 B     1         1
81.144.22.2.in-addr.arpa       70 B   133 B     1         1
240.221.184.93.in-addr.arpa    73 B   144 B     1         1
30.243.111.52.in-addr.arpa     72 B   158 B     1         1
MITRE ATT&CK Enterprise v15
Downloads
File 1
Filesize: 14KB
MD5: 62bd906746e687180e6f496af2c74ba7
SHA1: c612dd94178b053ea120520a936131e0afb22390
SHA256: 4225c5b7115c7a2f8c08cbfdf8cd0a8b28952a602f13580d674762d7b551054d
SHA512: 4d9670448f4f574d22aa3139423d71921d368b755039563f063db3e703eb68fa1f85e2ddf8d5b1b72c6a1e8fe6eb94cfa28f943a212ccef4781ca0095cf0e67a

File 2
Filesize: 603B
MD5: e60896801e4777d71d000ec92507ab3b
SHA1: 981e124730dc0f8a47cdbcc9a56af060a8d2b604
SHA256: a613337197cf51b0c48863891dedbc77608bed802cbb036393be82982e598ca0
SHA512: 9a879e8b2cdd05581b27a9ba8cbae6eb2e5a770cc39987e2e135790ea70613f67e0f6dea27c1318e862b250eb51772ad10f8cfbb253db6fd62fe5f6275f295ee