Analysis

- max time kernel: 140s
- max time network: 118s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18/08/2024, 16:52

Static task: static1

Behavioral task: behavioral1
- Sample: a774f53e6652ecd19d4689d324e1474c_JaffaCakes118.exe
- Resource: win7-20240704-en

Behavioral task: behavioral2
- Sample: a774f53e6652ecd19d4689d324e1474c_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General

- Target: a774f53e6652ecd19d4689d324e1474c_JaffaCakes118.exe
- Size: 195KB
- MD5: a774f53e6652ecd19d4689d324e1474c
- SHA1: 19f8ec91738c416ce77ad85a61158d6656e3639a
- SHA256: 36cf1c72b86d85756d90c200e19555a466ced420da0be0b2d1341d8421251427
- SHA512: 1f0bb010803354eaa0154abba0b4d930118a0131bb393db703f314e450c2a1ebc48f5682f1ab15ebe0d9acf3cde49d44fbcafdb8ab5c158da2584a25c5414ae6
- SSDEEP: 3072:CMSncRzAO2Ist0JDy9Zht+s88lELPfvGQG9uqfAgJsnYv:xSncRlQmDy9Zmshc3gZfA2sn
Malware Config
Signatures

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | a774f53e6652ecd19d4689d324e1474c_JaffaCakes118.exe

- Executes dropped EXE (2 IoCs)
  pid | Process
  2832 | PROJECT2.EXE
  5108 | PROJECT2.EXE

- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 2832 set thread context of 5108 | 2832 | PROJECT2.EXE | 85

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PROJECT2.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a774f53e6652ecd19d4689d324e1474c_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PROJECT2.EXE

- Suspicious use of WriteProcessMemory (10 IoCs)
  description | pid | Process | procid_target
  PID 876 wrote to memory of 2832 | 876 | a774f53e6652ecd19d4689d324e1474c_JaffaCakes118.exe | 84
  PID 876 wrote to memory of 2832 | 876 | a774f53e6652ecd19d4689d324e1474c_JaffaCakes118.exe | 84
  PID 876 wrote to memory of 2832 | 876 | a774f53e6652ecd19d4689d324e1474c_JaffaCakes118.exe | 84
  PID 2832 wrote to memory of 5108 | 2832 | PROJECT2.EXE | 85
  PID 2832 wrote to memory of 5108 | 2832 | PROJECT2.EXE | 85
  PID 2832 wrote to memory of 5108 | 2832 | PROJECT2.EXE | 85
  PID 2832 wrote to memory of 5108 | 2832 | PROJECT2.EXE | 85
  PID 2832 wrote to memory of 5108 | 2832 | PROJECT2.EXE | 85
  PID 2832 wrote to memory of 5108 | 2832 | PROJECT2.EXE | 85
  PID 2832 wrote to memory of 5108 | 2832 | PROJECT2.EXE | 85
Processes

1. C:\Users\Admin\AppData\Local\Temp\a774f53e6652ecd19d4689d324e1474c_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a774f53e6652ecd19d4689d324e1474c_JaffaCakes118.exe"
   PID: 876
   - Checks computer location settings
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\PROJECT2.EXE
      Command line: "C:\Users\Admin\AppData\Local\Temp\PROJECT2.EXE"
      PID: 2832
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\PROJECT2.EXE
         Command line: C:\Users\Admin\AppData\Local\Temp\PROJECT2.EXE
         PID: 5108
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 62KB
- MD5: ddc714ead7e14075ce909c1b9460c59d
- SHA1: 57000b8154786b2b1d090194b34fc4926555f2ce
- SHA256: 6bf02180e4e48101c83f3763d25820f903de2f835d1ebfa848ed0712a4101472
- SHA512: 907b3d71f9e3c839c632ff7b5c20e013fb6ea4c3fcb9a3892cfeaebfa11daef2d4faab2e740d744c3ff0dafd721ddf7e671aac743759623d3a36c44f754d5157