Analysis
- max time kernel: 134s
- max time network: 103s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23/08/2024, 09:40
Static task: static1
Behavioral task: behavioral1
- Sample: bb370ea3fd978255c46f678901f07933_JaffaCakes118.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: bb370ea3fd978255c46f678901f07933_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: bb370ea3fd978255c46f678901f07933_JaffaCakes118.exe
- Size: 175KB
- MD5: bb370ea3fd978255c46f678901f07933
- SHA1: a2860e35b6d2aa5a38b9669b69cb66adffcd6330
- SHA256: 9e2a733100cf0950a930b85c3846a67f18b0a51e76a61abc13c5b7597a7053a1
- SHA512: 9cf74449d94864c17d2fe1555154f38c9607deaba74eac3f1e8cadc94d38e9a71afa576968173443a16f3309b732639e27427c6825cf7a65df2a2324e940e711
- SSDEEP: 3072:29r7km1Sihv1hfhxefD4ODtcvGia4WExhqCeiRJhPh1egYXea:bmLhvDhgbJ4GPCV3h1
Malware Config
Signatures
- Drops file in Drivers directory (1 IoC)
  - File opened for modification: C:\Windows\system32\drivers\etc\hosts (Process: bb370ea3fd978255c46f678901f07933_JaffaCakes118.exe)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  - Key value queried: \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation (Process: bb370ea3fd978255c46f678901f07933_JaffaCakes118.exe)
- Executes dropped EXE (1 IoC)
  - PID 3076: dplaysvr.exe
- Loads dropped DLL (1 IoC)
  - PID 3076: dplaysvr.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dplaysvr = "C:\\Users\\Admin\\AppData\\Local\\dplaysvr.exe" (Process: bb370ea3fd978255c46f678901f07933_JaffaCakes118.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dplaysvr = "C:\\Users\\Admin\\AppData\\Local\\dplaysvr.exe" (Process: bb370ea3fd978255c46f678901f07933_JaffaCakes118.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  - PID 3760 (WerFault.exe) reporting on target PID 3076 (procid_target 88)
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: bb370ea3fd978255c46f678901f07933_JaffaCakes118.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: DllHost.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: dplaysvr.exe)
- Modifies registry class (1 IoC)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (Process: bb370ea3fd978255c46f678901f07933_JaffaCakes118.exe)
- Suspicious use of WriteProcessMemory (3 IoCs)
  - PID 4320 wrote to memory of 3076 (Process: bb370ea3fd978255c46f678901f07933_JaffaCakes118.exe, procid_target 88)
  - PID 4320 wrote to memory of 3076 (Process: bb370ea3fd978255c46f678901f07933_JaffaCakes118.exe, procid_target 88)
  - PID 4320 wrote to memory of 3076 (Process: bb370ea3fd978255c46f678901f07933_JaffaCakes118.exe, procid_target 88)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\bb370ea3fd978255c46f678901f07933_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bb370ea3fd978255c46f678901f07933_JaffaCakes118.exe"
  PID: 4320
  - Drops file in Drivers directory
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\dplaysvr.exe
    Command line: "C:\Users\Admin\AppData\Local\dplaysvr.exe" C:\Users\Admin\AppData\Local\Temp\bb370ea3fd978255c46f678901f07933_JaffaCakes118.exe
    PID: 3076
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - [3] C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 3436
      PID: 3760
      - Program crash
- [1] C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
  PID: 748
  - System Location Discovery: System Language Discovery
- [1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3076 -ip 3076
  PID: 464
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 75KB
  - MD5: 03a57fb675ac8eac500e588c83a6186e
  - SHA1: 209d8719f03ccbce0daf172835b9b85b03979f81
  - SHA256: 173bb029fc97187ea38e58d4037dfb9b7804ad5de4d62b9e3c10321c4ac4aedc
  - SHA512: 4b03b5ef0d5c4f7933155731f791ab6c00920883a94bb69efed498aa581fe91d8f0af64a9d2fb17db7b466818b98eaacd744eb4f941b624113c38a36592e7c22
- Filesize: 53KB
  - MD5: 970e3284abe9de5b5a7a03062d9c63c9
  - SHA1: 563cbf9569dfc6a8d33eeb5aec257ea1ce25abbd
  - SHA256: a66596e160349d90817edd42a74fa0dd3660e38a46520d4a54e7aa225cf355f2
  - SHA512: 1716597fed66b66db185494d199739e6255d24c4e0ec652256f0bd49730a2a1e77081f3dd788f64dd46a559acc6dd74630a2fa58dfaa55573bbb836999318053
- Filesize: 884B
  - MD5: 04bcae8a7bc7c9a45bba0c385e77120a
  - SHA1: 342019562da65dd0290466c6a1d00392d51b6b54
  - SHA256: 954eebeea30d81be278baeb2c8bda672ced4714b5d5906e270317ce44f512c88
  - SHA512: c42f845a33a70b88f6e9b4b2e4b77f1d952108579d4db804c403394873e4967f57815021e89412030bc14c10b4b6e67a3ae46c0ea18ef6c8949a6a79c554e5c3