Analysis
- max time kernel: 93s
- max time network: 125s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14/07/2024, 18:19
Static task: static1
Behavioral task: behavioral1
- Sample: 46f8b0698e85357a979a2cf854d7dc16_JaffaCakes118.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: 46f8b0698e85357a979a2cf854d7dc16_JaffaCakes118.exe
- Resource: win10v2004-20240709-en
General
- Target: 46f8b0698e85357a979a2cf854d7dc16_JaffaCakes118.exe
- Size: 35KB
- MD5: 46f8b0698e85357a979a2cf854d7dc16
- SHA1: 7565cb6ebc36a669bdd8937f2eeb67778a9180fe
- SHA256: 88f39cfd787dda1b94de96b48b9ceb921ebea0b0f69f97389a82a90585676ea1
- SHA512: a90aafdc1bceb297264671f5b4d11a07114f207cbcfd61cbeb43cdb62957b6696c35dfd0859efa88912ef89e17df5e1287ae6fdb5e9ae009987cc918b5babc62
- SSDEEP: 384:QyWMPvsytDWW80X+xT9o25TyrHLM7+qdDvFpwyVuP3x5Ylo/LsL7LkLbg:8HgDWt9TU8p9/wyV+3xelozA/o
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  IoC: Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation
  Process: 46f8b0698e85357a979a2cf854d7dc16_JaffaCakes118.exe
- Loads dropped DLL (1 IoC)
  PID: 312
  Process: rundll32.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  IoC: Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\swapdisk = "C:\\Windows\\system32\\rundll32.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\32014333.dll,Call"
  Process: 46f8b0698e85357a979a2cf854d7dc16_JaffaCakes118.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (6 IoCs)
  Columns: description / pid / Process / procid_target
  PID 2388 wrote to memory of 312 / 2388 / 46f8b0698e85357a979a2cf854d7dc16_JaffaCakes118.exe / 86
  PID 2388 wrote to memory of 312 / 2388 / 46f8b0698e85357a979a2cf854d7dc16_JaffaCakes118.exe / 86
  PID 2388 wrote to memory of 312 / 2388 / 46f8b0698e85357a979a2cf854d7dc16_JaffaCakes118.exe / 86
  PID 2388 wrote to memory of 3076 / 2388 / 46f8b0698e85357a979a2cf854d7dc16_JaffaCakes118.exe / 87
  PID 2388 wrote to memory of 3076 / 2388 / 46f8b0698e85357a979a2cf854d7dc16_JaffaCakes118.exe / 87
  PID 2388 wrote to memory of 3076 / 2388 / 46f8b0698e85357a979a2cf854d7dc16_JaffaCakes118.exe / 87
Processes
1. C:\Users\Admin\AppData\Local\Temp\46f8b0698e85357a979a2cf854d7dc16_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\46f8b0698e85357a979a2cf854d7dc16_JaffaCakes118.exe"
   PID: 2388
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\32014333.dll,Call
      PID: 312
      - Loads dropped DLL
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\d.bat" "
      PID: 3076
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 28KB
  MD5: 4e432912db8c425eee68e2a459b5a0a3
  SHA1: 749a25deb96febc23d906c9c26308d5f0520a4b6
  SHA256: 5d79e6b5f32d6bea323988c63ec4273207e92c845b745ddc4921626049fadf0d
  SHA512: ece43a4a1f47d0613f284fed3cb4d9f0600336fe2352942dff07042bce7da059db8f28240b8b034b94c4c417b11fceaf4530fa55800ebb20fe87ac95dbe7b6be
- Filesize: 210B
  MD5: 8c8de60b3256d675f36c9d9f1cc69ad6
  SHA1: 19b9a812f5f08b87d4d0198e043edc751062c705
  SHA256: ce53002a60ceaddad11cdae49973a876c04de3b53381375dfa9508ee0de81c3c
  SHA512: 33a214d47020bdb7a94a2f66f110ac418b1d17997e39e329c73b7a94de8eb34e7d7987bca32454d81e39ce5888c33e2fe193ba00abbd608b5582be7935c6dc46