Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
135s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
23/08/2024, 03:57
Static task
static1
Behavioral task
behavioral1
Sample
ba433b48963e5867305d0a0885e2f1a9_JaffaCakes118.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
ba433b48963e5867305d0a0885e2f1a9_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
ba433b48963e5867305d0a0885e2f1a9_JaffaCakes118.exe
-
Size
256KB
-
MD5
ba433b48963e5867305d0a0885e2f1a9
-
SHA1
95b3e061b6b1943f5f6d62738ebf05a04add7128
-
SHA256
7c86f9c3b1f8247e961d9186105c1c1f52e12423b5e3f0fdbee0ef2142ff534f
-
SHA512
b40e16c6e960e01ea41c9f08c182858d54ef5f96f752b24b2669f7a1397a4b434a18ee9c483d2f5b3b7f3805108f62399b0566c5b70e58c9b5009ac90b65332d
-
SSDEEP
6144:uQjLyQVSpPD9gtefEsp4yxQA8p9NbZDBV+9eIeuRbZ7n7rma:uQQD9gt4PRxoNPs9eIn73
Malware Config
Signatures
-
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\PCGWIN32.LI5 ba433b48963e5867305d0a0885e2f1a9_JaffaCakes118.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ba433b48963e5867305d0a0885e2f1a9_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 3532 ba433b48963e5867305d0a0885e2f1a9_JaffaCakes118.exe 3532 ba433b48963e5867305d0a0885e2f1a9_JaffaCakes118.exe 3532 ba433b48963e5867305d0a0885e2f1a9_JaffaCakes118.exe 3532 ba433b48963e5867305d0a0885e2f1a9_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 3532 wrote to memory of 3496 3532 ba433b48963e5867305d0a0885e2f1a9_JaffaCakes118.exe 56 PID 3532 wrote to memory of 3496 3532 ba433b48963e5867305d0a0885e2f1a9_JaffaCakes118.exe 56 PID 3532 wrote to memory of 3496 3532 ba433b48963e5867305d0a0885e2f1a9_JaffaCakes118.exe 56 PID 3532 wrote to memory of 3496 3532 ba433b48963e5867305d0a0885e2f1a9_JaffaCakes118.exe 56
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3496
-
C:\Users\Admin\AppData\Local\Temp\ba433b48963e5867305d0a0885e2f1a9_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\ba433b48963e5867305d0a0885e2f1a9_JaffaCakes118.exe"2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3532
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD501c9519868c43e8ddf4d73e95feb054a
SHA1dae50c60b89f3d349782f46146d9eaeab679075d
SHA2564b371b610000aadd547c6bd40cc303a8d71d5933442d1470dee28a8f5bf08b92
SHA512ab03fd65c3a402b97d753a6cf1af5eefc53412bca9c38dff1aa5520f5b706e4d4c13f64b1d05a7f29eefeb14a8dce52f2803c62a9d1ce8a63ea2963f2fa2d298