Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27/07/2024, 15:58
Static task: static1
Behavioral task: behavioral1
  Sample: 78b3d52c97314260e27356d3956bb0f1_JaffaCakes118.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 78b3d52c97314260e27356d3956bb0f1_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
- Target: 78b3d52c97314260e27356d3956bb0f1_JaffaCakes118.exe
- Size: 47KB
- MD5: 78b3d52c97314260e27356d3956bb0f1
- SHA1: 5fc875c08f03a50bcfd62d397626be2f006231b1
- SHA256: 3c5866d457b49e14e82076f0ca75620e169aa2db53ad4e8391a0c01fabf311dc
- SHA512: f8f044bf15aff49a79a141a28195775674e75e5668cb0ae6c1462ca899a148e69dc075517b5384e4d10d46b50d2411d294c7b4e23ca140cbe40ee5ba2029a385
- SSDEEP: 768:o9J8NowRheD8/3rJiUqyet8w9abyzS5E50kyoVonvnRiZljBwiwo5sW3yhz7v76o:o9wvQUreUbyzsB+2myhzT7hOnc
Malware Config
Signatures
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 78b3d52c97314260e27356d3956bb0f1_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
  Note that the same key is also opened by cmd.exe and taskkill.exe, which are stock Windows binaries; reads of NLS\Language happen during ordinary process start-up, so this signature on its own is weak evidence of deliberate locale checking by the sample.
- Kills process with taskkill (1 IoC)
  pid | Process
  4416 | taskkill.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 4416 | taskkill.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 3356 wrote to memory of 1180 | 3356 | 78b3d52c97314260e27356d3956bb0f1_JaffaCakes118.exe | 84
  PID 3356 wrote to memory of 1180 | 3356 | 78b3d52c97314260e27356d3956bb0f1_JaffaCakes118.exe | 84
  PID 3356 wrote to memory of 1180 | 3356 | 78b3d52c97314260e27356d3956bb0f1_JaffaCakes118.exe | 84
  PID 1180 wrote to memory of 4416 | 1180 | cmd.exe | 86
  PID 1180 wrote to memory of 4416 | 1180 | cmd.exe | 86
  PID 1180 wrote to memory of 4416 | 1180 | cmd.exe | 86
Processes
- C:\Users\Admin\AppData\Local\Temp\78b3d52c97314260e27356d3956bb0f1_JaffaCakes118.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\78b3d52c97314260e27356d3956bb0f1_JaffaCakes118.exe"
  PID: 3356
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~A410.bat "C:\Users\Admin\AppData\Local\Temp\78b3d52c97314260e27356d3956bb0f1_JaffaCakes118.exe"
    PID: 1180
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe (depth 3)
      Command line: taskkill /f /im CrystalCPUID.exe
      PID: 4416
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
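The process tree above is the behaviour a detection engineer would want to catch: an executable running out of the user's Temp directory writes a .bat next to itself, runs it through cmd.exe /c, and that script calls taskkill /f /im against a named process. The following is an added example, not part of the tria.ge report or of the sample's code, showing detection logic for that chain run over process-creation events. The events are constructed from the report's process tree (PIDs 3356 -> 1180 -> 4416); the field names are an assumption modelled on Sysmon Event ID 1 (ProcessId, ParentProcessId, Image, CommandLine), and the parent PID of the sample (1000) and the benign interactive taskkill are invented for contrast, since the report records neither.

```python
"""Flag the chain Temp-resident exe -> cmd.exe /c Temp\\*.bat -> taskkill /f /im <image>.

Added example, not part of the tria.ge report. Field names follow Sysmon
Event ID 1 by assumption; the events at the bottom are constructed from the
report's process tree plus one invented benign chain.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process (Sysmon "Image")
    cmdline: str    # command line as logged (Sysmon "CommandLine")


# Per-user Temp directory, matched case-insensitively against a full path.
TEMP_RE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
# Script handed to "cmd.exe /c", with or without surrounding quotes.
BAT_RE = re.compile(r'/c\s+"?([^"\s]+\.bat)', re.I)


def in_user_temp(path: str) -> bool:
    return bool(TEMP_RE.match(path))


def parse_taskkill(cmdline: str):
    """Return the /im target when the line is a forced kill by image name, else None.

    Switches are matched case-insensitively in any order ("/f /im x" and "/IM x /F"
    both count); "/pid" kills and non-forced kills return None.
    """
    toks = cmdline.split()
    if not toks:
        return None
    exe = toks[0].strip('"').lower()
    if not (exe == "taskkill" or exe.endswith("taskkill.exe")):
        return None
    lower = [t.lower() for t in toks]
    if "/f" not in lower or "/im" not in lower:
        return None
    i = lower.index("/im")
    return toks[i + 1] if i + 1 < len(toks) else None


def find_taskkill_chains(events):
    """Return one hit per taskkill whose ancestry is Temp exe -> cmd.exe /c Temp\\*.bat.

    Parent lookup is by PID only, which is good enough for a single sandbox run;
    on a live host PIDs are reused, so real tooling should key on ProcessGuid
    (or PID plus creation time) instead.
    """
    by_pid = {e.pid: e for e in events}
    hits = []
    for tk in events:
        if not tk.image.lower().endswith("\\taskkill.exe"):
            continue
        target = parse_taskkill(tk.cmdline)
        if target is None:
            continue
        shell = by_pid.get(tk.ppid)
        if shell is None or not shell.image.lower().endswith("\\cmd.exe"):
            continue
        m = BAT_RE.search(shell.cmdline)
        if not m or not in_user_temp(m.group(1)):
            continue
        dropper = by_pid.get(shell.ppid)
        if dropper is None or not in_user_temp(dropper.image):
            continue
        hits.append({
            "dropper_pid": dropper.pid, "cmd_pid": shell.pid, "taskkill_pid": tk.pid,
            "script": m.group(1), "target": target,
        })
    return hits


# Constructed events: the three report processes (parent 1000 of the sample is an
# assumption) plus an invented benign admin chain that must not fire.
SAMPLE_EVENTS = [
    ProcEvent(3356, 1000,
              r"C:\Users\Admin\AppData\Local\Temp\78b3d52c97314260e27356d3956bb0f1_JaffaCakes118.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\78b3d52c97314260e27356d3956bb0f1_JaffaCakes118.exe"'),
    ProcEvent(1180, 3356, r"C:\Windows\SysWOW64\cmd.exe",
              r'cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~A410.bat '
              r'"C:\Users\Admin\AppData\Local\Temp\78b3d52c97314260e27356d3956bb0f1_JaffaCakes118.exe"'),
    ProcEvent(4416, 1180, r"C:\Windows\SysWOW64\taskkill.exe", r"taskkill /f /im CrystalCPUID.exe"),
    ProcEvent(5000, 4000, r"C:\Windows\System32\cmd.exe", r"cmd.exe"),
    ProcEvent(5001, 5000, r"C:\Windows\System32\taskkill.exe", r"taskkill /f /im notepad.exe"),
]

if __name__ == "__main__":
    for hit in find_taskkill_chains(SAMPLE_EVENTS):
        print(hit)
```

Run stand-alone it reports the single chain from this report (3356 -> 1180 -> 4416, target CrystalCPUID.exe); the invented admin shell killing notepad.exe is not flagged because neither the shell nor a .bat runs from Temp. The script path is extracted from the cmd.exe command line rather than from a file-write event, so this works on process telemetry alone; correlating it with the FileCreate for ~A410.bat would tighten it further.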
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 61B
  MD5: be69d75c0f4e2ee49bf59a29677d299f
  SHA1: f3ea6b8837f8a348db5827bfb8ab51ef2342bbe1
  SHA256: 45249d9816dd98db58f93b3bab153d75e29c7347525d88177bdade85fc71f2ce
  SHA512: b8e086feeb50876089949d4356ffe1320d74f9c365e257e31812237bcf3d4999ce5819efd619bfd6b90ac9cc813e06bb0d33e57a994456f5febced7d1e0927da