Analysis
max time kernel: 148s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/08/2024, 22:10
Behavioral tasks
task         sample                                               resource
behavioral1  8c2c226f58e88601b34d59c8ebd4c987_JaffaCakes118.exe   win7-20240729-en
behavioral2  8c2c226f58e88601b34d59c8ebd4c987_JaffaCakes118.exe   win10v2004-20240802-en
behavioral3  $PLUGINSDIR/calc.exe                                 win7-20240708-en
General
Target: 8c2c226f58e88601b34d59c8ebd4c987_JaffaCakes118.exe
Size: 1.4MB
MD5: 8c2c226f58e88601b34d59c8ebd4c987
SHA1: 69db26ce456559c565103fb362b72bec4409934a
SHA256: 28d2b0173a0b9a8ccc73c0f40ae4be37fd8272432818cc6820462cdff038d584
SHA512: f1686c0caa042ef5c9ac0b685b5037ea1368c29bbfacd6135eda5c02a3ef7c989919ec538c92e12fee0a8ddc1f082ed314267d4ca642bc767787bb57a3e9c32d
SSDEEP: 24576:1qyk+aDRGujRURnI9krKmsXKSzEnMG9iN8MQCUT9Kkn7/jLztCS6FExvZK8fRcbU:1qyk+aDRiEmsQnMG0N8MZs3nvQFExBiA
Malware Config
Signatures
All signature, process and dropped-file data below come from behavioral2, the Windows 10 run: the behavioral2/ prefixes on the resources and the PIDs 3696 and 5020 belong to that task.

ACProtect 1.3x - 1.4x DLL software (2 IoCs)
Detects file using ACProtect software.
resource                                      yara_rule
behavioral2/files/0x00070000000234b7-12.dat   acprotect
behavioral2/files/0x00070000000234bb-18.dat   acprotect

YARA rule match: aspack_v212_v242 (1 IoC)
resource                                      yara_rule
behavioral2/files/0x00070000000234bd-39.dat   aspack_v212_v242

Executes dropped EXE (1 IoC)
pid    Process
5020   calc.exe

Loads dropped DLL (9 IoCs)
pid    Process
5020   calc.exe (9 DLL loads)

YARA rule match: upx (10 IoCs)
resource                                                                      yara_rule
behavioral2/files/0x00070000000234b5-2.dat                                    upx
behavioral2/memory/5020-4-0x0000000000400000-0x0000000000463000-memory.dmp    upx
behavioral2/files/0x00070000000234b7-12.dat                                   upx
behavioral2/memory/5020-13-0x0000000010000000-0x000000001012A000-memory.dmp   upx
behavioral2/files/0x00070000000234bb-18.dat                                   upx
behavioral2/memory/5020-22-0x00000000021B0000-0x0000000002208000-memory.dmp   upx
behavioral2/memory/5020-21-0x00000000021B0000-0x0000000002208000-memory.dmp   upx
behavioral2/memory/5020-51-0x0000000000400000-0x0000000000463000-memory.dmp   upx
behavioral2/memory/5020-53-0x00000000021B0000-0x0000000002208000-memory.dmp   upx
behavioral2/memory/5020-52-0x0000000010000000-0x000000001012A000-memory.dmp   upx
The memory matches fall into three regions of PID 5020: 0x400000-0x463000 (the default EXE image base, consistent with the calc.exe image itself), 0x10000000-0x1012A000 (the default base of a non-relocated DLL, consistent with one of the dropped DLLs) and 0x21B0000-0x2208000 (a dynamically allocated region). Files 0x00070000000234b7-12.dat and 0x00070000000234bb-18.dat match both the acprotect and upx rules, so treat the packer rules as overlapping hints rather than a single identification.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description   ioc                                                            Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    8c2c226f58e88601b34d59c8ebd4c987_JaffaCakes118.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    calc.exe

Modifies Internet Explorer settings (6 IoCs)
All six writes are made by 8c2c226f58e88601b34d59c8ebd4c987_JaffaCakes118.exe (PID 3696) in the current user's hive, S-1-5-21-355097885-2402257403-2971294179-1000.
description        ioc
Set value (str)    \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{24588FA4-10F1-41D7-B19D-6E22361E47FA}"
Key created        \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\SearchScopes\{24588FA4-10F1-41D7-B19D-6E22361E47FA}
Set value (int)    \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{24588FA4-10F1-41D7-B19D-6E22361E47FA}\Codepage = "65001"
Set value (str)    \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{24588FA4-10F1-41D7-B19D-6E22361E47FA}\DisplayName = "°Ù¶È"
Set value (str)    \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{24588FA4-10F1-41D7-B19D-6E22361E47FA}\URL = "http://www.baidu.com/s?wd={searchTerms}&tn=site888_1_pg&cl=3&ie=utf-8"
Key created        \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\SearchScopes
Read together, these writes register a new search scope {24588FA4-10F1-41D7-B19D-6E22361E47FA}, point IE's DefaultScope at it, and set its URL to a Baidu query template carrying the channel tag tn=site888_1_pg (a traffic-attribution parameter, typical of search-hijacking adware). The DisplayName "°Ù¶È" is the report rendering the GBK bytes B0 D9 B6 C8 as cp1252; decoded as GBK they read 百度 (Baidu). Keep the value as displayed when matching IOCs, because that is what the sandbox will show.
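The two registry signatures above are easier to reason about as structured events than as one run-on line. The following Python is an added example, not code from tria.ge or from the sample: it parses report-style registry IOC lines (the line grammar is assumed from the layout shown above), lists which processes performed the language lookup, reconstructs the IE search-scope change, and recovers the real DisplayName by re-reading the cp1252-rendered text as GBK (the choice of GBK is an assumption based on the Baidu URL). The sample input is transcribed from the two signatures above.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample input, transcribed from the two registry signatures in the
# report above: one event per line in the "<action> <key>[ = "<value>"] <process>"
# layout. Nothing is fetched from tria.ge at run time.
SAMPLE_IOCS = r'''
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8c2c226f58e88601b34d59c8ebd4c987_JaffaCakes118.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language calc.exe
Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{24588FA4-10F1-41D7-B19D-6E22361E47FA}" 8c2c226f58e88601b34d59c8ebd4c987_JaffaCakes118.exe
Key created \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\SearchScopes\{24588FA4-10F1-41D7-B19D-6E22361E47FA} 8c2c226f58e88601b34d59c8ebd4c987_JaffaCakes118.exe
Set value (int) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{24588FA4-10F1-41D7-B19D-6E22361E47FA}\Codepage = "65001" 8c2c226f58e88601b34d59c8ebd4c987_JaffaCakes118.exe
Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{24588FA4-10F1-41D7-B19D-6E22361E47FA}\DisplayName = "°Ù¶È" 8c2c226f58e88601b34d59c8ebd4c987_JaffaCakes118.exe
Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{24588FA4-10F1-41D7-B19D-6E22361E47FA}\URL = "http://www.baidu.com/s?wd={searchTerms}&tn=site888_1_pg&cl=3&ie=utf-8" 8c2c226f58e88601b34d59c8ebd4c987_JaffaCakes118.exe
Key created \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\SearchScopes 8c2c226f58e88601b34d59c8ebd4c987_JaffaCakes118.exe
'''

# Assumed line grammar: action, then the key (which may contain spaces, e.g.
# "Internet Explorer") optionally followed by = "value", then the process name.
EVENT_RE = re.compile(r'^(Key opened|Key created|Set value \((?:str|int)\)) (.*) (\S+)$')


@dataclass
class RegEvent:
    action: str
    key: str
    value: Optional[str]
    process: str


def parse_ioc_lines(text: str) -> list:
    """Split report-style registry IOC lines into RegEvent records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = EVENT_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised IOC line: {line!r}")
        action, middle, process = m.groups()
        # "Set value" lines carry `<key> = "<value>"`; key-only lines do not.
        key, sep, rest = middle.partition(' = "')
        value = rest[:-1] if sep and rest.endswith('"') else (rest or None)
        events.append(RegEvent(action, key, value, process))
    return events


def language_discovery(events) -> list:
    """Processes that opened HKLM\\...\\Control\\NLS\\Language (T1614.001)."""
    return sorted({e.process for e in events
                   if e.action == "Key opened"
                   and e.key.lower().endswith("\\control\\nls\\language")})


def decode_mojibake(s: str, codec: str = "gbk") -> str:
    """Re-read text the sandbox rendered as cp1252 in its real codec.

    A Chinese-locale installer writes GBK bytes; shown byte-for-byte as cp1252
    they appear as "°Ù¶È". The original string is returned if either step fails.
    """
    try:
        return s.encode("cp1252").decode(codec)
    except UnicodeError:
        return s


def search_scope_hijack(events) -> Optional[dict]:
    """Reconstruct an IE SearchScopes change: which scope became default, whether
    that scope was created in the same trace, and where searches now go."""
    default_guid = None
    created = set()
    scope_values = {}  # (scope guid, value name) -> value
    for ev in events:
        if "\\internet explorer\\searchscopes" not in ev.key.lower():
            continue
        tail = ev.key.rsplit("\\", 1)[-1]
        if ev.action.startswith("Set value") and tail.lower() == "defaultscope":
            default_guid = ev.value.upper()
        elif ev.action == "Key created" and tail.startswith("{"):
            created.add(tail.upper())
        elif ev.action.startswith("Set value"):
            parent = ev.key.rsplit("\\", 2)[-2]
            if parent.startswith("{"):
                scope_values[(parent.upper(), tail.lower())] = ev.value
    if default_guid is None:
        return None
    url = scope_values.get((default_guid, "url"), "")
    raw_name = scope_values.get((default_guid, "displayname"), "")
    return {
        "scope": default_guid,
        "scope_created_in_trace": default_guid in created,
        "display_name_raw": raw_name,
        "display_name": decode_mojibake(raw_name),
        "url": url,
        "host": urlsplit(url).hostname or "",
        "codepage": scope_values.get((default_guid, "codepage")),
    }


if __name__ == "__main__":
    evs = parse_ioc_lines(SAMPLE_IOCS)
    print("language discovery by:", language_discovery(evs))
    for k, v in (search_scope_hijack(evs) or {}).items():
        print(f"{k}: {v}")
```

Run it as a script to print the summary; the same functions can be pointed at IOC lines copied from any other report that uses the same layout. The decode step is deliberately conservative: it only succeeds when the round trip through cp1252 and the target codec is clean, and leaves plain ASCII values unchanged.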
Suspicious use of SetWindowsHookEx (35 IoCs)
pid    Process
5020   calc.exe (35 calls)

Suspicious use of WriteProcessMemory (3 IoCs)
description                         pid    Process                                              procid_target
PID 3696 wrote to memory of 5020    3696   8c2c226f58e88601b34d59c8ebd4c987_JaffaCakes118.exe   85
PID 3696 wrote to memory of 5020    3696   8c2c226f58e88601b34d59c8ebd4c987_JaffaCakes118.exe   85
PID 3696 wrote to memory of 5020    3696   8c2c226f58e88601b34d59c8ebd4c987_JaffaCakes118.exe   85
All three writes go from the installer to the child it has just spawned. CreateProcess itself writes the new process's startup parameters into the child, so this signature on its own does not establish code injection; the same reservation applies to the SetWindowsHookEx count, which GUI frameworks also generate legitimately.
Processes
C:\Users\Admin\AppData\Local\Temp\8c2c226f58e88601b34d59c8ebd4c987_JaffaCakes118.exe (PID 3696)
command line: "C:\Users\Admin\AppData\Local\Temp\8c2c226f58e88601b34d59c8ebd4c987_JaffaCakes118.exe"
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\nss7FA1.tmp\calc.exe (PID 5020, child of 3696)
    command line: C:\Users\Admin\AppData\Local\Temp\nss7FA1.tmp\calc.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx

The nss7FA1.tmp directory under %TEMP% and the $PLUGINSDIR/calc.exe name of the behavioral3 sample are the conventions NSIS installers use for their extracted plugin directory, so the parent is best read as an NSIS-built installer that drops calc.exe together with the packed DLLs it loads.
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 107KB
MD5: 2c9e22f960ca9c2f4caaa2a37d443eda
SHA1: 3b90206f1ebb726013067adba3bc180f3c388f0a
SHA256: fbdb8ece088f95538de2690a630af44709be2c0cc5a1693bb4db2ed71d1661d3
SHA512: e307f5edc36695f10e20692df02fa5de661f7ef57257a2c41cc459cea9430bd162fb9eb7679b19f50e4400abf31413520a0b1a44bfc48261d56a2941094afdf4

Filesize: 408KB
MD5: 709f1646c30262b9f77a8aa72b29c59f
SHA1: 3167a0f7382fdbd7990d63ffc2160b976690f1df
SHA256: 7172c513f350e70465f2015e3bfa4e58a1ba69d1bf783c684f40fd8483f1c883
SHA512: 3377556481f9c9734fcff765b0d48b38939ac68fe46f7a369fd627acc07d08cfe371847177965b07635c1ad028ff4d03d4bf98505d37233c829d5f996ebabec0

Filesize: 200KB
MD5: c597e19abcd8c10ea2ac0d33c419a93e
SHA1: 18df89699e55745ef26bbffafb2ecfc8492a4492
SHA256: 5ed76826bd31aa480d6e615da89fd023921810bcdacfdbf5ec090974afe321d6
SHA512: 73a9869466e3c59112e22e6ba75f8e4d901fbd6acc6a1c1248963a7371d6a27b197f35ab7605559428262be852291bc78b081259a8a2f0f6ed066be371678c25

Filesize: 113KB
MD5: 90598b9170d705d6ba5f4a8fd99359f0
SHA1: 154505937c94821696f65c94af869b3393415f6b
SHA256: 962dc01fdbe0aa30a0b7c1b235073e8bdf285cceaa7b98e19257d68e5164a0d2
SHA512: 7024123f2648258638696a3258932444827dc4ef98453d244d3392e9411369de50a6dc373b2fcc300c9a6a3db9d069f22222168073f632a29dd2c36e1285c000

Filesize: 429KB
MD5: 4fbc687f3af1e007a5ffabbda393ec7b
SHA1: b714435f7150608adc23d3df4d783bae1066b10e
SHA256: 1d4bb9515b54e265985129591a53af9eba38dac98094d352427bd9f819b8c6fe
SHA512: 694a43b8cfa41357065f948df1036e954d730038156a079d7528f732b574dc60d0dbd0fc88bbba615e9c26ed04821260a1740f3d15769e8730885a51859d7502

Filesize: 1.3MB
MD5: 97e47588a35219417f64ee2184e99118
SHA1: 37d77f2594d3a5e81f4aebe0efdc24506b17f542
SHA256: fd20d30fb61ae75dfb715837d811250b2dcce0fc40b2bd3af6533dac50860513
SHA512: 39c550d772940d06be3dfdd27ae051a895a2e9887a837131b21ac9470f5e9fb929e8c29d4338cdd8b5406c42973d84546312ac3767c28006a1b77192937bfa1a