Analysis
- max time kernel: 133s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/07/2024, 10:04
Static task: static1
Behavioral task: behavioral1
  Sample: 6f2144faca22863ea5b92ebc6af77e14_JaffaCakes118.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 6f2144faca22863ea5b92ebc6af77e14_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
- Target: 6f2144faca22863ea5b92ebc6af77e14_JaffaCakes118.exe
- Size: 14KB
- MD5: 6f2144faca22863ea5b92ebc6af77e14
- SHA1: cbc04bfec881f63ca60ede00ad12e87d1dd27a96
- SHA256: c5dd06bd644b18281fb1a83de17a7271cacc509aefb23c22604d54b8336a106d
- SHA512: 850f03d135ece20c49d253cce90a7cd582877b4545380df41f0e3c28865964c2b839796f6daa52a5e7085797b86c89fc15bec6d02e88b61a7efbdc127104faa1
- SSDEEP: 384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhR0m:hDXWipuE+K3/SSHgx9
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 6 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | DEMD29D.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | 6f2144faca22863ea5b92ebc6af77e14_JaffaCakes118.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | DEM78BA.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | DEMD002.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | DEM2630.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | DEM7C9D.exe
- Executes dropped EXE (6 IoCs)
  pid | Process
  404 | DEM78BA.exe
  1380 | DEMD002.exe
  4052 | DEM2630.exe
  4912 | DEM7C9D.exe
  4940 | DEMD29D.exe
  772 | DEM2929.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DEM78BA.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DEMD002.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DEM2630.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DEM7C9D.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DEMD29D.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DEM2929.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6f2144faca22863ea5b92ebc6af77e14_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  description | pid | Process | procid_target
  PID 3076 wrote to memory of 404 | 3076 | 6f2144faca22863ea5b92ebc6af77e14_JaffaCakes118.exe | 96
  PID 3076 wrote to memory of 404 | 3076 | 6f2144faca22863ea5b92ebc6af77e14_JaffaCakes118.exe | 96
  PID 3076 wrote to memory of 404 | 3076 | 6f2144faca22863ea5b92ebc6af77e14_JaffaCakes118.exe | 96
  PID 404 wrote to memory of 1380 | 404 | DEM78BA.exe | 102
  PID 404 wrote to memory of 1380 | 404 | DEM78BA.exe | 102
  PID 404 wrote to memory of 1380 | 404 | DEM78BA.exe | 102
  PID 1380 wrote to memory of 4052 | 1380 | DEMD002.exe | 109
  PID 1380 wrote to memory of 4052 | 1380 | DEMD002.exe | 109
  PID 1380 wrote to memory of 4052 | 1380 | DEMD002.exe | 109
  PID 4052 wrote to memory of 4912 | 4052 | DEM2630.exe | 112
  PID 4052 wrote to memory of 4912 | 4052 | DEM2630.exe | 112
  PID 4052 wrote to memory of 4912 | 4052 | DEM2630.exe | 112
  PID 4912 wrote to memory of 4940 | 4912 | DEM7C9D.exe | 114
  PID 4912 wrote to memory of 4940 | 4912 | DEM7C9D.exe | 114
  PID 4912 wrote to memory of 4940 | 4912 | DEM7C9D.exe | 114
  PID 4940 wrote to memory of 772 | 4940 | DEMD29D.exe | 116
  PID 4940 wrote to memory of 772 | 4940 | DEMD29D.exe | 116
  PID 4940 wrote to memory of 772 | 4940 | DEMD29D.exe | 116
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\6f2144faca22863ea5b92ebc6af77e14_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6f2144faca22863ea5b92ebc6af77e14_JaffaCakes118.exe"
  PID: 3076
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\DEM78BA.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\DEM78BA.exe"
    PID: 404
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\DEMD002.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\DEMD002.exe"
      PID: 1380
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Local\Temp\DEM2630.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\DEM2630.exe"
        PID: 4052
        - Checks computer location settings
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        - [5] C:\Users\Admin\AppData\Local\Temp\DEM7C9D.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\DEM7C9D.exe"
          PID: 4912
          - Checks computer location settings
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          - [6] C:\Users\Admin\AppData\Local\Temp\DEMD29D.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\DEMD29D.exe"
            PID: 4940
            - Checks computer location settings
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            - [7] C:\Users\Admin\AppData\Local\Temp\DEM2929.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\DEM2929.exe"
              PID: 772
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads