Analysis
max time kernel: 141s
max time network: 113s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/07/2024, 17:13
Behavioral tasks
behavioral1: sample 640f35ee88c5b979a7a78814c067ff0a_JaffaCakes118.exe, resource win7-20240704-en
behavioral2: sample 640f35ee88c5b979a7a78814c067ff0a_JaffaCakes118.exe, resource win10v2004-20240709-en
General
Target: 640f35ee88c5b979a7a78814c067ff0a_JaffaCakes118.exe
Size: 8KB
MD5: 640f35ee88c5b979a7a78814c067ff0a
SHA1: 0e30f5c203afcaf6753390bfe303e9a050138e62
SHA256: 3a1cd071e24726e2b14edc1a55964e48986dc80c71b346815d38f1d132086456
SHA512: d06451d2756527892f951f82176327174b912d751871581af8728ec47a0d239a78bba07748808ff9047a21d8642f3662cf43dc7580425b0d9c85c2dd069cf621
SSDEEP: 192:9bElpZHUjkkdPBGz1ul1NWJFaNJhLkwcud2DH9VwGfct8uH:9bEpRakWPBGZul1OaNJawcudoD7UWQ
Malware Config
Signatures

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation (process: 640f35ee88c5b979a7a78814c067ff0a_JaffaCakes118.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation (process: b2e.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation (process: cmd.exe)

Executes dropped EXE (1 IoC)
  PID 1108: b2e.exe

YARA rule matches (rule: upx)
  behavioral2/memory/2828-0-0x0000000000400000-0x0000000000409000-memory.dmp
  behavioral2/memory/2828-12-0x0000000000400000-0x0000000000409000-memory.dmp

Enumerates connected drives (3 TTPs, 1 IoC)
Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only): \??\M: (process: cmd.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings (process: cmd.exe)

Suspicious use of WriteProcessMemory (15 IoCs)
  PID 2828 (640f35ee88c5b979a7a78814c067ff0a_JaffaCakes118.exe) wrote to memory of PID 1108, procid_target 84 (3 entries)
  PID 1108 (b2e.exe) wrote to memory of PID 3380, procid_target 85 (3 entries)
  PID 3380 (cmd.exe) wrote to memory of PID 3616, procid_target 89 (3 entries)
  PID 3380 (cmd.exe) wrote to memory of PID 3412, procid_target 97 (3 entries)
  PID 1108 (b2e.exe) wrote to memory of PID 2972, procid_target 100 (3 entries)
Processes (process tree)

1. C:\Users\Admin\AppData\Local\Temp\640f35ee88c5b979a7a78814c067ff0a_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\640f35ee88c5b979a7a78814c067ff0a_JaffaCakes118.exe"
   PID: 2828
   Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\947F.tmp\b2e.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\947F.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\947F.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\640f35ee88c5b979a7a78814c067ff0a_JaffaCakes118.exe"
      PID: 1108
      Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe
         Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\96B2.tmp\batchfile.bat" "
         PID: 3380
         Signatures: Checks computer location settings; Enumerates connected drives; Modifies registry class; Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\WScript.exe
            Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a.vbs"
            PID: 3616

         4. C:\Windows\SysWOW64\WScript.exe
            Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a.vbs"
            PID: 3412

      3. C:\Windows\SysWOW64\cmd.exe
         Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\selfdel0.bat" "
         PID: 2972
Network
MITRE ATT&CK Enterprise v15
Downloads