Analysis
max time kernel: 130s
max time network: 125s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/07/2024, 20:01
Static task: static1
Behavioral task: behavioral1
Sample: 68b79ca3052878c2be5c585134e3eb3e_JaffaCakes118.exe
Resource: win7-20240705-en
Behavioral task: behavioral2
Sample: 68b79ca3052878c2be5c585134e3eb3e_JaffaCakes118.exe
Resource: win10v2004-20240709-en
General
Target: 68b79ca3052878c2be5c585134e3eb3e_JaffaCakes118.exe
Size: 306KB
MD5: 68b79ca3052878c2be5c585134e3eb3e
SHA1: b27f242b60c06f81a469b599210a95d708a9fed6
SHA256: 34a3a8141566c3216f8727608b258d97bf37c0c5a4a35d7fcc1eaf4b6d18c3e5
SHA512: 1841c3505392af3a8e86b1e6ea44e97b050c99b06ec4338fb54927bf75a5e46af8972c64fc3910df5832e04b09b1ef96184fb9cc89bd76c57475756afd23097c
SSDEEP: 6144:oKsGDbuhkEYk3hDW8XKlsPWyxxjECiNBNE8UwtCcJ3GkUxRxdv2:QG+OE5hDIuWSx6jalwMcJ3E2
Malware Config
Signatures
-
Executes dropped EXE (1 IoC)
pid | Process
4228 | divex.exe

Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\_divex.exe | divex.exe
File opened for modification | C:\Windows\SysWOW64\_divex.exe | divex.exe

Drops file in Program Files directory (3 IoCs)
description | ioc | Process
File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\divex.exe | 68b79ca3052878c2be5c585134e3eb3e_JaffaCakes118.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSINFO\divex.exe | 68b79ca3052878c2be5c585134e3eb3e_JaffaCakes118.exe
File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat | 68b79ca3052878c2be5c585134e3eb3e_JaffaCakes118.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 68b79ca3052878c2be5c585134e3eb3e_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | divex.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Suspicious use of WriteProcessMemory (11 IoCs)
description | pid | Process | procid_target
PID 3112 wrote to memory of 4228 | 3112 | 68b79ca3052878c2be5c585134e3eb3e_JaffaCakes118.exe | 88
PID 3112 wrote to memory of 4228 | 3112 | 68b79ca3052878c2be5c585134e3eb3e_JaffaCakes118.exe | 88
PID 3112 wrote to memory of 4228 | 3112 | 68b79ca3052878c2be5c585134e3eb3e_JaffaCakes118.exe | 88
PID 4228 wrote to memory of 2124 | 4228 | divex.exe | 90
PID 4228 wrote to memory of 2124 | 4228 | divex.exe | 90
PID 4228 wrote to memory of 2124 | 4228 | divex.exe | 90
PID 4228 wrote to memory of 3920 | 4228 | divex.exe | 91
PID 4228 wrote to memory of 3920 | 4228 | divex.exe | 91
PID 3112 wrote to memory of 5048 | 3112 | 68b79ca3052878c2be5c585134e3eb3e_JaffaCakes118.exe | 92
PID 3112 wrote to memory of 5048 | 3112 | 68b79ca3052878c2be5c585134e3eb3e_JaffaCakes118.exe | 92
PID 3112 wrote to memory of 5048 | 3112 | 68b79ca3052878c2be5c585134e3eb3e_JaffaCakes118.exe | 92
Processes
C:\Users\Admin\AppData\Local\Temp\68b79ca3052878c2be5c585134e3eb3e_JaffaCakes118.exe (PID 3112)
  command line: "C:\Users\Admin\AppData\Local\Temp\68b79ca3052878c2be5c585134e3eb3e_JaffaCakes118.exe"
  signatures: Drops file in Program Files directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Program Files\Common Files\Microsoft Shared\MSINFO\divex.exe (PID 4228)
    command line: "C:\Program Files\Common Files\Microsoft Shared\MSINFO\divex.exe"
    signatures: Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\mmc.exe (PID 2124)
      command line: "C:\Windows\system32\mmc.exe"
    - C:\program files\internet explorer\IEXPLORE.EXE (PID 3920)
      command line: "C:\program files\internet explorer\IEXPLORE.EXE"
  - C:\Windows\SysWOW64\cmd.exe (PID 5048)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat""
    signatures: System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 212B
MD5: e317eefe2d65eb2833d97c73956e6f42
SHA1: 318dac6e776f42f0b6689c7c4699c99a1ecf9742
SHA256: 08f6652bbe4e5795be5dd2c3b4869237e63f30f93d5b901d602c918f4b610496
SHA512: 99f6bb2a5ddb16ebd16e65cabc323f003c91d538092f752a1f94df5b39a88d45f7b13900bfed712698c7b246eff19ba1fdc3501ac267370e6aab51405c4d589b

Filesize: 306KB (same hashes as the submitted sample)
MD5: 68b79ca3052878c2be5c585134e3eb3e
SHA1: b27f242b60c06f81a469b599210a95d708a9fed6
SHA256: 34a3a8141566c3216f8727608b258d97bf37c0c5a4a35d7fcc1eaf4b6d18c3e5
SHA512: 1841c3505392af3a8e86b1e6ea44e97b050c99b06ec4338fb54927bf75a5e46af8972c64fc3910df5832e04b09b1ef96184fb9cc89bd76c57475756afd23097c