Analysis
max time kernel: 150s
max time network: 132s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/08/2024, 23:48
Static task: static1
Behavioral task: behavioral1
Sample: 8c79e404ab329917ae6a0b1cfd4a9c7e_JaffaCakes118.exe
Resource: win7-20240729-en
Behavioral task: behavioral2
Sample: 8c79e404ab329917ae6a0b1cfd4a9c7e_JaffaCakes118.exe
Resource: win10v2004-20240802-en
General
Target: 8c79e404ab329917ae6a0b1cfd4a9c7e_JaffaCakes118.exe
Size: 134KB
MD5: 8c79e404ab329917ae6a0b1cfd4a9c7e
SHA1: 4c3fb19be315322bf60da1a4c2f1bb955120a80f
SHA256: 15ef91717ec79c73a69353ec4d58950ce9349d2e8a4b8895ee4c462c8f7ef303
SHA512: 64735178b0ac4f24ef9fce6cbbc53e25ffe1fdebf16f5b5054c99041c7fab106eb74c6839bbccd107c4c2f3e831c5c1321b54199ea6c2c126e23537335a906db
SSDEEP: 3072:S9Zu7RZHR4++Tz3saVFJjO6cbsCuCsywO/FzdXr:S9ZuHG/zjO6HWo+X
Malware Config
Signatures
Executes dropped EXE (1 IoC)
pid | Process
2776 | Wqehia.exe

Drops file in Windows directory (6 IoCs)
description | ioc | Process
File created | C:\Windows\Wqehia.exe | 8c79e404ab329917ae6a0b1cfd4a9c7e_JaffaCakes118.exe
File opened for modification | C:\Windows\Wqehia.exe | 8c79e404ab329917ae6a0b1cfd4a9c7e_JaffaCakes118.exe
File created | C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job | Wqehia.exe
File opened for modification | C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job | Wqehia.exe
File created | C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job | 8c79e404ab329917ae6a0b1cfd4a9c7e_JaffaCakes118.exe
File opened for modification | C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job | 8c79e404ab329917ae6a0b1cfd4a9c7e_JaffaCakes118.exe

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8c79e404ab329917ae6a0b1cfd4a9c7e_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Wqehia.exe

Modifies Internet Explorer settings
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Main | Wqehia.exe
Key created | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\International | Wqehia.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2776 | Wqehia.exe (the same pid/process pair is reported for all 64 IoCs)

Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 1376 wrote to memory of 2776 | 1376 | 8c79e404ab329917ae6a0b1cfd4a9c7e_JaffaCakes118.exe | 96
PID 1376 wrote to memory of 2776 | 1376 | 8c79e404ab329917ae6a0b1cfd4a9c7e_JaffaCakes118.exe | 96
PID 1376 wrote to memory of 2776 | 1376 | 8c79e404ab329917ae6a0b1cfd4a9c7e_JaffaCakes118.exe | 96
Processes
C:\Users\Admin\AppData\Local\Temp\8c79e404ab329917ae6a0b1cfd4a9c7e_JaffaCakes118.exe (PID: 1376)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8c79e404ab329917ae6a0b1cfd4a9c7e_JaffaCakes118.exe"
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Windows\Wqehia.exe (PID: 2776, child of 1376)
    Command line: C:\Windows\Wqehia.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID: 21676)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4380,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=4160 /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 390B
MD5: a5c0adb1dfa0bcb3c725294452c540b7
SHA1: 6b529d807ecdbba61dd8c350ae3dc7fc8fc2ddbb
SHA256: b123ebd855f74385b082aeb19ae2c0094296838b6a45edd1f6c3afc86e9a0455
SHA512: 9f9b79571aca7e6d5c559d67596695edceb1205f0efc70def392a363634f9eab16c358278e0cce7d1e44e66c440a1d226d102142a395eb8980667fb5108e7526

Filesize: 134KB
MD5: 8c79e404ab329917ae6a0b1cfd4a9c7e
SHA1: 4c3fb19be315322bf60da1a4c2f1bb955120a80f
SHA256: 15ef91717ec79c73a69353ec4d58950ce9349d2e8a4b8895ee4c462c8f7ef303
SHA512: 64735178b0ac4f24ef9fce6cbbc53e25ffe1fdebf16f5b5054c99041c7fab106eb74c6839bbccd107c4c2f3e831c5c1321b54199ea6c2c126e23537335a906db