Analysis
max time kernel: 137s
max time network: 105s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/08/2024, 01:28
Static task: static1
Behavioral task: behavioral1
  Sample: b9d63b7de002889a56ba8e565cc0dcf2_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: b9d63b7de002889a56ba8e565cc0dcf2_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: b9d63b7de002889a56ba8e565cc0dcf2_JaffaCakes118.exe
Size: 533KB
MD5: b9d63b7de002889a56ba8e565cc0dcf2
SHA1: b34aaf7785f336455d4e6685da2340edef4fa8b6
SHA256: bebf857dfb4ff7fa7206266c725300a5c58026a03ee253fcabbccf4b66f85cde
SHA512: e39db303de3ed6529ba665821cd42c45df57c3a4f46bc47c317fd8ea4594617f949d3d958b64ceea361b0a2cc51142d243ed7c6f249f5447ae72faf165ced59d
SSDEEP: 12288:oZcWo20Yoj44v7X2pPEawpgbCTBP7Z2xUuv03Mjz2:oSWo20YqTG1KxV7EUD3M3
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation
  Process: b9d63b7de002889a56ba8e565cc0dcf2_JaffaCakes118.exe
Loads dropped DLL (1 IoC)
  pid: 4444
  Process: java.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: b9d63b7de002889a56ba8e565cc0dcf2_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (2 IoCs)
  description: PID 5108 wrote to memory of 4444
  pid: 5108
  Process: b9d63b7de002889a56ba8e565cc0dcf2_JaffaCakes118.exe
  procid_target: 84
  description: PID 5108 wrote to memory of 4444
  pid: 5108
  Process: b9d63b7de002889a56ba8e565cc0dcf2_JaffaCakes118.exe
  procid_target: 84
Processes
1. C:\Users\Admin\AppData\Local\Temp\b9d63b7de002889a56ba8e565cc0dcf2_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b9d63b7de002889a56ba8e565cc0dcf2_JaffaCakes118.exe"
   PID: 5108
   - Checks computer location settings
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
2. C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe (child of PID 5108)
   Command line: "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe" -jar "C:\Users\Admin\AppData\Local\Temp\\run.jar" "C:\Users\Admin\AppData\Local\Temp\b9d63b7de002889a56ba8e565cc0dcf2_JaffaCakes118.exe"
   PID: 4444
   - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 192KB
  MD5: f2607244d71e97c5fc7cbdad20edaa8b
  SHA1: ce115bd61a7f2d344c38cc87dcd4989d800cf836
  SHA256: 1c004e78bed0a80f0f46e6fa094db3a4c8102fac3cf95579e6f0eb72bdd9dc7d
  SHA512: 3671b503561724eae650570d2e518c01332bd7a7a2e6d5ee064701ad4ba02be80ac97936c27e68333c2f42bc4b7ecda533ea6e3e0e1324c56bc52a8e33c332d5
File 2
  Filesize: 493KB
  MD5: c19a44b3edacff5cf649076f201ecc51
  SHA1: 1ab24529dc97596080dcbd65aff5d0c76aa8fea2
  SHA256: d076998d51aeba1b6943972b7baacbe415dfb1a02468c4716111cb7c70295624
  SHA512: ea3b6ef95f8d7d867a0d5ff28c1597502aa0fe737a27c2115c67e61dfa1a0d3ec1881eea2c8295f67915e7e41153972c1f7d887172b790fc75a915eea30e2e1f