Analysis
- max time kernel: 149s
- max time network: 123s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19/07/2024, 08:09
Static task: static1
Behavioral task: behavioral1
- Sample: 5b1d024d06706b72319bc4239dc307c0_JaffaCakes118.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: 5b1d024d06706b72319bc4239dc307c0_JaffaCakes118.exe
- Resource: win10v2004-20240709-en
General
- Target: 5b1d024d06706b72319bc4239dc307c0_JaffaCakes118.exe
- Size: 772KB
- MD5: 5b1d024d06706b72319bc4239dc307c0
- SHA1: 1607c6680872b357cbfc826cd1942b14bf5e7e0a
- SHA256: 96050bae2bf021e4442cb513dd80f1894f7bb123270101f8d047e1f9d246d0a4
- SHA512: 55973d8f4498ff7ed5a07ae1bed8d1ba541f5cc5b5d4bee782c1167536f3b2f0441f1a10163b80fea07f74d82b7a4149dad4a4bf1a6e5d5ef890c78488021347
- SSDEEP: 24576:HVkzJqfNHQee01MOUMWmQ7z2aCQw2tNIb:qkHC21Q/tyb
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation
  Process: 5b1d024d06706b72319bc4239dc307c0_JaffaCakes118.exe
- Executes dropped EXE (1 IoC)
  pid: 3308, Process: smss.exe
- Drops file in Windows directory (1 IoC)
  description: File created
  ioc: C:\Windows\HookLib.dll
  Process: smss.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid: 3308, Process: smss.exe (all 64 entries are identical)
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 1836 wrote to memory of 3308
  pid: 1836, Process: 5b1d024d06706b72319bc4239dc307c0_JaffaCakes118.exe, procid_target: 92 (all 3 entries are identical)
Processes
- C:\Users\Admin\AppData\Local\Temp\5b1d024d06706b72319bc4239dc307c0_JaffaCakes118.exe (PID 1836)
  command line: "C:\Users\Admin\AppData\Local\Temp\5b1d024d06706b72319bc4239dc307c0_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\smss.exe (PID 3308, child of PID 1836)
    command line: "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\smss.exe"
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 772KB
- MD5: 5b1d024d06706b72319bc4239dc307c0
- SHA1: 1607c6680872b357cbfc826cd1942b14bf5e7e0a
- SHA256: 96050bae2bf021e4442cb513dd80f1894f7bb123270101f8d047e1f9d246d0a4
- SHA512: 55973d8f4498ff7ed5a07ae1bed8d1ba541f5cc5b5d4bee782c1167536f3b2f0441f1a10163b80fea07f74d82b7a4149dad4a4bf1a6e5d5ef890c78488021347