Analysis
- max time kernel: 133s
- max time network: 106s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21/08/2024, 23:34
Static task: static1
Behavioral task: behavioral1
  Sample: b57d7a7921db66b055bbfd447e26b9f1_JaffaCakes118.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: b57d7a7921db66b055bbfd447e26b9f1_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
- Target: b57d7a7921db66b055bbfd447e26b9f1_JaffaCakes118.exe
- Size: 114KB
- MD5: b57d7a7921db66b055bbfd447e26b9f1
- SHA1: de3d345049865ad06a7179ac8f1c1a79d731b0f5
- SHA256: 0cf5b808717d24b95748844d0af60e814848f5cb811c2b0da152cc062e63869c
- SHA512: 836f0f0a89375731eb2781e54821942b8ca37205dcc81859405fe324c24a01680ae52d2793b86d0f735ed9e061a848e830fdef9cd4e3764e19766a597d08c039
- SSDEEP: 3072:7KBb1jGSXBQ5bc3uLTCwos555YjoqT0EFIb:81jGSX8b/LTwsaoL
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation
  process: b57d7a7921db66b055bbfd447e26b9f1_JaffaCakes118.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  process: b57d7a7921db66b055bbfd447e26b9f1_JaffaCakes118.exe
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  process: cmd.exe
- Enumerates system info in registry (2 TTPs, 1 IoC)
  description: Key value queried
  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
  process: b57d7a7921db66b055bbfd447e26b9f1_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 2380 wrote to memory of 4600
  pid: 2380
  process: b57d7a7921db66b055bbfd447e26b9f1_JaffaCakes118.exe
  procid_target: 87
  description: PID 2380 wrote to memory of 4600
  pid: 2380
  process: b57d7a7921db66b055bbfd447e26b9f1_JaffaCakes118.exe
  procid_target: 87
  description: PID 2380 wrote to memory of 4600
  pid: 2380
  process: b57d7a7921db66b055bbfd447e26b9f1_JaffaCakes118.exe
  procid_target: 87
Processes
- C:\Users\Admin\AppData\Local\Temp\b57d7a7921db66b055bbfd447e26b9f1_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\b57d7a7921db66b055bbfd447e26b9f1_JaffaCakes118.exe"
  PID: 2380
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (child of PID 2380)
    command line: "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Amj..bat" > nul 2> nul
    PID: 4600
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 238B
  MD5: 48e20df0c48d3d18d422fc757526a483
  SHA1: 60ba7f361c0a3f4c85426c824910f241f427ea3e
  SHA256: d9e228cbe1c86e17336b8fd783d9bb0f627a61b01888bf6a49e33b0945f612e9
  SHA512: 65f4b9864e4fd3883c7a76dc4cdc2ae82b6c3de3fcd8c7428affd63a3a7d11c2e24e764c3b5c937538e90d19ea0815cd10df6fd62c755cc798f54cec97f0d307