Analysis
- max time kernel: 132s
- max time network: 126s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22/08/2024, 19:18
Static task: static1
Behavioral task: behavioral1
  Sample: b8d304752d36902f26a08685014dacce_JaffaCakes118.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: b8d304752d36902f26a08685014dacce_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
- Target: b8d304752d36902f26a08685014dacce_JaffaCakes118.exe
- Size: 41KB
- MD5: b8d304752d36902f26a08685014dacce
- SHA1: 7a0c98dcd0066c8252829e90248def791043135a
- SHA256: 1dc0ad1f392e7a115ef558abde9005dbd22ab38ec8e36eca75cd990c631ce212
- SHA512: 701b76a6267cc63cbfe241d5fb168657ee141eb4c4c269c3c982afc9a605a573c726cd426b41eefeb0b8076659c7a3c9a7ce3ac56dda2f66093360ebc8104a3e
- SSDEEP: 768:v2/E3pVDeALOjwOrmnY5FnTGxM5E7TRPoZq6r43jlW1rctrcQiS5kz+k:v13LPqfZ3f5E7TRPUUg1rqQ6kik
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | b8d304752d36902f26a08685014dacce_JaffaCakes118.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | hqhitdtf.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | hqhitdtf.exe
- Deletes itself (1 IoC)
  pid | Process
  908 | hqhitdtf.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  908 | hqhitdtf.exe
  1980 | hqhitdtf.exe
- Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  File opened for modification | \??\c:\windows\SysWOW64\hqhitdtf.exe | b8d304752d36902f26a08685014dacce_JaffaCakes118.exe
  File created | \??\c:\windows\SysWOW64\hqhitdtf.exe | b8d304752d36902f26a08685014dacce_JaffaCakes118.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b8d304752d36902f26a08685014dacce_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hqhitdtf.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hqhitdtf.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
- Modifies registry class (6 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | b8d304752d36902f26a08685014dacce_JaffaCakes118.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000000-0000-0000-0000-000000000001} | b8d304752d36902f26a08685014dacce_JaffaCakes118.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32 | hqhitdtf.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32 | hqhitdtf.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32 | b8d304752d36902f26a08685014dacce_JaffaCakes118.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | b8d304752d36902f26a08685014dacce_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  description | pid | Process | procid_target
  PID 4020 wrote to memory of 4752 | 4020 | b8d304752d36902f26a08685014dacce_JaffaCakes118.exe | 84
  PID 4020 wrote to memory of 4752 | 4020 | b8d304752d36902f26a08685014dacce_JaffaCakes118.exe | 84
  PID 4020 wrote to memory of 4752 | 4020 | b8d304752d36902f26a08685014dacce_JaffaCakes118.exe | 84
  PID 4020 wrote to memory of 908 | 4020 | b8d304752d36902f26a08685014dacce_JaffaCakes118.exe | 85
  PID 4020 wrote to memory of 908 | 4020 | b8d304752d36902f26a08685014dacce_JaffaCakes118.exe | 85
  PID 4020 wrote to memory of 908 | 4020 | b8d304752d36902f26a08685014dacce_JaffaCakes118.exe | 85
  PID 908 wrote to memory of 2084 | 908 | hqhitdtf.exe | 87
  PID 908 wrote to memory of 2084 | 908 | hqhitdtf.exe | 87
  PID 908 wrote to memory of 2084 | 908 | hqhitdtf.exe | 87
  PID 908 wrote to memory of 1980 | 908 | hqhitdtf.exe | 88
  PID 908 wrote to memory of 1980 | 908 | hqhitdtf.exe | 88
  PID 908 wrote to memory of 1980 | 908 | hqhitdtf.exe | 88
  PID 1980 wrote to memory of 3416 | 1980 | hqhitdtf.exe | 89
  PID 1980 wrote to memory of 3416 | 1980 | hqhitdtf.exe | 89
  PID 1980 wrote to memory of 3416 | 1980 | hqhitdtf.exe | 89
Processes
- C:\Users\Admin\AppData\Local\Temp\b8d304752d36902f26a08685014dacce_JaffaCakes118.exe (PID 4020, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b8d304752d36902f26a08685014dacce_JaffaCakes118.exe"
  Signatures:
  - Checks computer location settings
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\SysWOW64\regsvr32.exe (PID 4752, depth 2)
    Command line: "C:\Windows\system32\regsvr32.exe" C:\Windows\system32\SafeSearch.dll /u /s
    Signatures:
    - System Location Discovery: System Language Discovery
  - C:\windows\SysWOW64\hqhitdtf.exe (PID 908, depth 2)
    Command line: "C:\windows\system32\hqhitdtf.exe" -kill c:\users\admin\appdata\local\temp\b8d304752d36902f26a08685014dacce_jaffacakes118.exe /install
    Signatures:
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\SysWOW64\regsvr32.exe (PID 2084, depth 3)
      Command line: "C:\Windows\system32\regsvr32.exe" C:\Windows\system32\SafeSearch.dll /u /s
      Signatures:
      - System Location Discovery: System Language Discovery
    - C:\windows\SysWOW64\hqhitdtf.exe (PID 1980, depth 3)
      Command line: "C:\windows\system32\hqhitdtf.exe" -kill c:\windows\syswow64\hqhitdtf.exe /install /install
      Signatures:
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      Children:
      - C:\Windows\SysWOW64\regsvr32.exe (PID 3416, depth 4)
        Command line: "C:\Windows\system32\regsvr32.exe" C:\Windows\system32\SafeSearch.dll /u /s
        Signatures:
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 41KB
- MD5: b8d304752d36902f26a08685014dacce
- SHA1: 7a0c98dcd0066c8252829e90248def791043135a
- SHA256: 1dc0ad1f392e7a115ef558abde9005dbd22ab38ec8e36eca75cd990c631ce212
- SHA512: 701b76a6267cc63cbfe241d5fb168657ee141eb4c4c269c3c982afc9a605a573c726cd426b41eefeb0b8076659c7a3c9a7ce3ac56dda2f66093360ebc8104a3e