Analysis
max time kernel: 140s
max time network: 109s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/08/2024, 07:54
Static task: static1
Behavioral task: behavioral1
  Sample: bae8029c196c8ef62e40a58e27c7aed6_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: bae8029c196c8ef62e40a58e27c7aed6_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: bae8029c196c8ef62e40a58e27c7aed6_JaffaCakes118.exe
Size: 2.6MB
MD5: bae8029c196c8ef62e40a58e27c7aed6
SHA1: e40d270ac925a3407b2c43db0dc3a919790b26f0
SHA256: 1c8d8214f9fe72c984e3813567967a837fb251f7dc95d679581aab449398b720
SHA512: b015290cbc67ba8c31eff8c03edc98592d267d13b5888da764d5c1141fc96d13bfc8c972bda26ddcc67e34e8c45ade5717b90b5b1681067d73c72e8fe04fd9e9
SSDEEP: 24576:8Nw2h9bKmKH7dhb8XkWDKMxG1fZPsa/9LPiS5FOH631ub:8a2rWzHxmX9uMnK9raw
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation
  Process: bae8029c196c8ef62e40a58e27c7aed6_JaffaCakes118.exe

Executes dropped EXE (2 IoCs)
  pid: 708   Process: uGXmt.exe.exe
  pid: 4240  Process: crypteda.exe

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads local data of messenger clients (2 TTPs)
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Unsecured Credentials: Credentials In Files (1 TTP)
Steals credentials from unsecured files.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: crypteda.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid: 708  Process: uGXmt.exe.exe
  pid: 708  Process: uGXmt.exe.exe

Suspicious use of WriteProcessMemory (5 IoCs)
  description: PID 4576 wrote to memory of 708   pid: 4576  Process: bae8029c196c8ef62e40a58e27c7aed6_JaffaCakes118.exe  procid_target: 84
  description: PID 4576 wrote to memory of 708   pid: 4576  Process: bae8029c196c8ef62e40a58e27c7aed6_JaffaCakes118.exe  procid_target: 84
  description: PID 708 wrote to memory of 4240   pid: 708   Process: uGXmt.exe.exe  procid_target: 88
  description: PID 708 wrote to memory of 4240   pid: 708   Process: uGXmt.exe.exe  procid_target: 88
  description: PID 708 wrote to memory of 4240   pid: 708   Process: uGXmt.exe.exe  procid_target: 88
Processes

1. C:\Users\Admin\AppData\Local\Temp\bae8029c196c8ef62e40a58e27c7aed6_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\bae8029c196c8ef62e40a58e27c7aed6_JaffaCakes118.exe"
   PID: 4576
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\uGXmt.exe.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\uGXmt.exe.exe"
      PID: 708
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\crypteda.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\\crypteda.exe
         PID: 4240
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 340KB
MD5: 12f3f3620e4d70d75960e03229259eec
SHA1: de49c0c4d96cd20b03d8e299881eb0ab83d0b25c
SHA256: 2b2581bfaf80a98f2c98c36dc7685e483b46116ffb27031cb3d880b27c3bc476
SHA512: f37e55775a5e5c35d9e8abdc1850655559a958b4833bd64077f42eb49efaaf1641b792ef9435e32e8a0e86e132e0c099bafd0c0a0919dcf5f517a99de6abc0f7

Filesize: 1010KB
MD5: 5d39538a567364c27d0c85b04c504f54
SHA1: e42c0bdc05080ad94624b4aeaced1b63883cfa70
SHA256: ca7de5e9c0f9a3c4b80963273570c15d92a679cbb32b166cbb8aeb6633844709
SHA512: e764218633f597f3d6a9f91c12396203d45e9c3a843271fca0baa03246b68c8c23801a03312f64ec86b5788cf3a4661b2ebf4301f533f094a512427634707971