Analysis
max time kernel: 150s
max time network: 124s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/08/2024, 17:49
Static task: static1
Behavioral task: behavioral1
  Sample: a79f2947edc9daf185253fdd3dee4f74_JaffaCakes118.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: a79f2947edc9daf185253fdd3dee4f74_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: a79f2947edc9daf185253fdd3dee4f74_JaffaCakes118.exe
Size: 117KB
MD5: a79f2947edc9daf185253fdd3dee4f74
SHA1: 75abfcd09f0076697f58ccd02f3ed22f2e501cee
SHA256: 725f6f3f86f718c4c170d09c687b9aef6e7caaceadf67230e1065197e0c3cc22
SHA512: c5d99453726dacd79ddbc1c57d67314aa1d68ac2d25990a576f5a3dfd1a65b2d163722450cbeb6097da6082269ec9828694a4fbc3a74d602344ccc045e2692a4
SSDEEP: 1536:uzpoGDl31C8f6SOvaLzX+aXGrj9KABF9SPRFHquxMJOjvSaABsDAwvpKbKQ7LGuS:if6SOozOaXGrjdSP9EaA0ByKQ7Oj
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  PID  | Process
  3772 | Afymoa.exe
Drops file in Windows directory (6 IoCs)
  Description                  | IoC                                                          | Process
  File created                 | C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job | a79f2947edc9daf185253fdd3dee4f74_JaffaCakes118.exe
  File opened for modification | C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job | a79f2947edc9daf185253fdd3dee4f74_JaffaCakes118.exe
  File created                 | C:\Windows\Afymoa.exe                                        | a79f2947edc9daf185253fdd3dee4f74_JaffaCakes118.exe
  File opened for modification | C:\Windows\Afymoa.exe                                        | a79f2947edc9daf185253fdd3dee4f74_JaffaCakes118.exe
  File created                 | C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job | Afymoa.exe
  File opened for modification | C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job | Afymoa.exe
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description | IoC                                                         | Process
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a79f2947edc9daf185253fdd3dee4f74_JaffaCakes118.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Afymoa.exe
Modifies Internet Explorer settings (2 IoCs)
  Description | IoC                                                                                                          | Process
  Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Main          | Afymoa.exe
  Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\International | Afymoa.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID  | Process
  3772 | Afymoa.exe (this entry is repeated 64 times)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  PID  | Process
  4064 | a79f2947edc9daf185253fdd3dee4f74_JaffaCakes118.exe
  3772 | Afymoa.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  Description                      | PID  | Process                                            | procid_target
  PID 4064 wrote to memory of 3772 | 4064 | a79f2947edc9daf185253fdd3dee4f74_JaffaCakes118.exe | 87
  PID 4064 wrote to memory of 3772 | 4064 | a79f2947edc9daf185253fdd3dee4f74_JaffaCakes118.exe | 87
  PID 4064 wrote to memory of 3772 | 4064 | a79f2947edc9daf185253fdd3dee4f74_JaffaCakes118.exe | 87
Processes
1. C:\Users\Admin\AppData\Local\Temp\a79f2947edc9daf185253fdd3dee4f74_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a79f2947edc9daf185253fdd3dee4f74_JaffaCakes118.exe"
   PID: 4064
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Afymoa.exe (child process)
      Command line: C:\Windows\Afymoa.exe
      PID: 3772
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 117KB
MD5: a79f2947edc9daf185253fdd3dee4f74
SHA1: 75abfcd09f0076697f58ccd02f3ed22f2e501cee
SHA256: 725f6f3f86f718c4c170d09c687b9aef6e7caaceadf67230e1065197e0c3cc22
SHA512: c5d99453726dacd79ddbc1c57d67314aa1d68ac2d25990a576f5a3dfd1a65b2d163722450cbeb6097da6082269ec9828694a4fbc3a74d602344ccc045e2692a4

Filesize: 390B
MD5: 80ec751a70ee5b1b9a0db464dd033ee3
SHA1: 370a2a733787f8eef2592cc66b26cc6b87ef3ee7
SHA256: 4b54e0675a08b000dd43eb5b033427d9e2bae1e5a0361d4fa19358f52f570654
SHA512: d6866e4acc4d09330cf2a0407490541897b344652c26e0c51491e14c43abb48a34f9c806895c27ab9bc68a065c293e85515857e94b8e917b629bb4f02276d2b6