Analysis
- max time kernel: 131s
- max time network: 102s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21/08/2024, 06:06
Behavioral task: behavioral1
- Sample: b25bfb1a934a87e7a4c507a913309230_JaffaCakes118.exe
- Resource: win7-20240708-en
General
- Target: b25bfb1a934a87e7a4c507a913309230_JaffaCakes118.exe
- Size: 403KB
- MD5: b25bfb1a934a87e7a4c507a913309230
- SHA1: b69115304882c063973cc63dfd38d63291977df2
- SHA256: cf47ed4ad574d5795013ffd6192447854ce56e68fa12983a8f285e1656087892
- SHA512: 8cbe20eb559da5f174e8eb700a8e361fd94a42dee71b7f908f5b63a9d99a7e14a6b15e1a4d20da5709dc2d30de1071485b47392954a99e79fe62bd09a549a2d2
- SSDEEP: 6144:1Ey+E5CZfR0o+Ht1TvtOKlNHi1jbhlI6/PbkS3jlua5ZkfgUzLNK9PGRV:2DE5Cdyo+Ht1TvYKTHGn3vua7kfgPOn
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 1680, Process Upovya.exe
- YARA rule matches (resource, yara_rule)
  behavioral2/memory/4496-0-0x0000000000400000-0x0000000000466000-memory.dmp, upx
  behavioral2/files/0x000e0000000233fa-9.dat, upx
- Drops file in Windows directory (6 IoCs)
  description, ioc, Process:
  File created, C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job, b25bfb1a934a87e7a4c507a913309230_JaffaCakes118.exe
  File opened for modification, C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job, b25bfb1a934a87e7a4c507a913309230_JaffaCakes118.exe
  File created, C:\Windows\Upovya.exe, b25bfb1a934a87e7a4c507a913309230_JaffaCakes118.exe
  File opened for modification, C:\Windows\Upovya.exe, b25bfb1a934a87e7a4c507a913309230_JaffaCakes118.exe
  File created, C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job, Upovya.exe
  File opened for modification, C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job, Upovya.exe
- Program crash (1 IoC)
  pid 43284, pid_target 1680, Process WerFault.exe, procid_target 87
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description, ioc, Process:
  Key opened, \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, b25bfb1a934a87e7a4c507a913309230_JaffaCakes118.exe
  Key opened, \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Upovya.exe
- Modifies Internet Explorer settings
  description, ioc, Process:
  Key created, \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Main, Upovya.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 1680, Process Upovya.exe (the same entry repeated 64 times)
- Suspicious use of WriteProcessMemory (3 IoCs)
  description, pid, Process, procid_target:
  PID 4496 wrote to memory of 1680, 4496, b25bfb1a934a87e7a4c507a913309230_JaffaCakes118.exe, 87 (the same entry repeated 3 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\b25bfb1a934a87e7a4c507a913309230_JaffaCakes118.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\b25bfb1a934a87e7a4c507a913309230_JaffaCakes118.exe"
  PID: 4496
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Upovya.exe (depth 2)
    command line: C:\Windows\Upovya.exe
    PID: 1680
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - C:\Windows\SysWOW64\WerFault.exe (depth 3)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 800
      PID: 43284
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe (depth 1)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1680 -ip 1680
  PID: 48104
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 390B
  MD5: 7de786224d7dadffbbe620cf958339d8
  SHA1: ddaf4f4987f86751837ae70e2c8da6599624bb12
  SHA256: 7c310e391d892d6d56a41bffc89559539e8c46a03ccf7a227d4fd469ece338ed
  SHA512: e209b6e0d7beef12c4846ed18c2240c82498a196389f49b2d8ae06a33d898b7c6fb4b2bf1c56eccd64fead5e4238ff9e119f505d94a942b5b78a3e50bd58717c
- Filesize: 403KB
  MD5: b25bfb1a934a87e7a4c507a913309230
  SHA1: b69115304882c063973cc63dfd38d63291977df2
  SHA256: cf47ed4ad574d5795013ffd6192447854ce56e68fa12983a8f285e1656087892
  SHA512: 8cbe20eb559da5f174e8eb700a8e361fd94a42dee71b7f908f5b63a9d99a7e14a6b15e1a4d20da5709dc2d30de1071485b47392954a99e79fe62bd09a549a2d2