Analysis
- max time kernel: 136s
- max time network: 113s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20/08/2024, 18:55
Static task: static1
Behavioral task: behavioral1
- Sample: b06eed81f84cb14877870a084249dd7c_JaffaCakes118.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: b06eed81f84cb14877870a084249dd7c_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: b06eed81f84cb14877870a084249dd7c_JaffaCakes118.exe
- Size: 348KB
- MD5: b06eed81f84cb14877870a084249dd7c
- SHA1: c1899cd96b5cb62a3245ffd8f1a7e2583af044c7
- SHA256: 4f5113291c089577e0e55ed1f5bccfc8844cb0d52e3193d8620ae0c6ceecbcbe
- SHA512: b0bdc4c35849b954073fc95f722d9f9fcdeda6064763c7946c5e15e9a318823303f9196767ff022d2a810125cf39fa28f2887fa8c3fd248b17e22bdcf2527de3
- SSDEEP: 6144:jlt0FBuElqMfzP+qVoEw8vApAWjg/qQYdpsh8I1lfJCpN53KhpKVH/5B2BLyOSMK:xKaExfr+qVrwYApTgXYw88fwupqfM+
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  pid | Process
  4392 | Svghost.exe
- Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\_Svghost.exe | Svghost.exe
  File created | C:\Windows\SysWOW64\_Svghost.exe | Svghost.exe
- Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 4392 set thread context of 2052 | 4392 | Svghost.exe | 89
- Drops file in Windows directory (3 IoCs)
  description | ioc | Process
  File created | C:\Windows\Svghost.exe | b06eed81f84cb14877870a084249dd7c_JaffaCakes118.exe
  File opened for modification | C:\Windows\Svghost.exe | b06eed81f84cb14877870a084249dd7c_JaffaCakes118.exe
  File created | C:\Windows\Delet.bat | b06eed81f84cb14877870a084249dd7c_JaffaCakes118.exe
- Program crash (1 IoCs)
  pid | pid_target | Process | procid_target
  4908 | 2052 | WerFault.exe | 89
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Svghost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b06eed81f84cb14877870a084249dd7c_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  description | pid | Process | procid_target
  PID 3028 wrote to memory of 4392 | 3028 | b06eed81f84cb14877870a084249dd7c_JaffaCakes118.exe | 88
  PID 3028 wrote to memory of 4392 | 3028 | b06eed81f84cb14877870a084249dd7c_JaffaCakes118.exe | 88
  PID 3028 wrote to memory of 4392 | 3028 | b06eed81f84cb14877870a084249dd7c_JaffaCakes118.exe | 88
  PID 4392 wrote to memory of 2052 | 4392 | Svghost.exe | 89
  PID 4392 wrote to memory of 2052 | 4392 | Svghost.exe | 89
  PID 4392 wrote to memory of 2052 | 4392 | Svghost.exe | 89
  PID 4392 wrote to memory of 2052 | 4392 | Svghost.exe | 89
  PID 4392 wrote to memory of 2052 | 4392 | Svghost.exe | 89
  PID 4392 wrote to memory of 2540 | 4392 | Svghost.exe | 91
  PID 4392 wrote to memory of 2540 | 4392 | Svghost.exe | 91
  PID 3028 wrote to memory of 4732 | 3028 | b06eed81f84cb14877870a084249dd7c_JaffaCakes118.exe | 92
  PID 3028 wrote to memory of 4732 | 3028 | b06eed81f84cb14877870a084249dd7c_JaffaCakes118.exe | 92
  PID 3028 wrote to memory of 4732 | 3028 | b06eed81f84cb14877870a084249dd7c_JaffaCakes118.exe | 92
Processes
- C:\Users\Admin\AppData\Local\Temp\b06eed81f84cb14877870a084249dd7c_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b06eed81f84cb14877870a084249dd7c_JaffaCakes118.exe"
  PID: 3028
  Signatures: Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Windows\Svghost.exe
    Command line: C:\Windows\Svghost.exe
    PID: 4392
    Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\notepad.exe
      Command line: "C:\Windows\system32\notepad.exe"
      PID: 2052
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 12
        PID: 4908
        Signatures: Program crash
    - C:\program files\internet explorer\IEXPLORE.EXE
      Command line: "C:\program files\internet explorer\IEXPLORE.EXE"
      PID: 2540
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Windows\Delet.bat
    PID: 4732
    Signatures: System Location Discovery: System Language Discovery
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2052 -ip 2052
  PID: 2328
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 212B
  MD5: 8c844080436bf4513b773e434d067278
  SHA1: 371fcefe7b168ae2666992276fa413b0d6068c0e
  SHA256: ea4df1a75c60896077884a21389a6757af9bcf963cf0ccfee6f68f513d348a8c
  SHA512: 22eb8009dc761a94d64a79bc43d9f675ab0c4d864884823bc51fb913ec1e2e33f708d6864556e272fb227065ab355f1e8d230969b3cd1723254bdd5575c664db
- Filesize: 348KB
  MD5: b06eed81f84cb14877870a084249dd7c
  SHA1: c1899cd96b5cb62a3245ffd8f1a7e2583af044c7
  SHA256: 4f5113291c089577e0e55ed1f5bccfc8844cb0d52e3193d8620ae0c6ceecbcbe
  SHA512: b0bdc4c35849b954073fc95f722d9f9fcdeda6064763c7946c5e15e9a318823303f9196767ff022d2a810125cf39fa28f2887fa8c3fd248b17e22bdcf2527de3