Analysis
Max time kernel: 148s
Max time network: 119s
Platform: windows10-2004_x64
Resource: win10v2004-20240802-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 23/08/2024, 15:48
Static task: static1
Behavioral task: behavioral1
  Sample: bc5ed93a16efb2f651e1f11ca5f63af6_JaffaCakes118.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: bc5ed93a16efb2f651e1f11ca5f63af6_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: bc5ed93a16efb2f651e1f11ca5f63af6_JaffaCakes118.exe
Size: 420KB
MD5: bc5ed93a16efb2f651e1f11ca5f63af6
SHA1: 6dd5f69073ddb90f5bd31513c9246416ee15e51f
SHA256: 178932bd601a343e4d336ddfd0543baece4becc7b35869fe2ae7431243724758
SHA512: 29b8ae7b825ee3e0e9270f1cede229d5a1ee3b9338b7d53687b8e98c566a041a8a63d1c3005a302678e7605216c619e44e877d31c0a5a5da588f7d23165e3ead
SSDEEP: 6144:J/0uoMI62w243WiGOeriNeAHS6ODHmAu2thUz00acEzcnWIXMbx9VWcFHk:JJ73WZmNfy6ODGTaUg/AWIXs5WoE
Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | ENJOY-~1.EXE
  Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | enjoy-soft1.exe

Executes dropped EXE (5 IoCs)
  pid | Process
  4044 | ENJOY-~1.EXE
  1012 | enjoy-soft1.exe
  3556 | ENJOY-~1.EXE
  2704 | Setup.exe
  4536 | Utility Mang.exe

YARA rule matches (5 IoCs)
  resource | yara_rule
  behavioral2/files/0x0009000000023430-3.dat | upx
  behavioral2/memory/4044-4-0x0000000000400000-0x0000000000426000-memory.dmp | upx
  behavioral2/memory/4044-16-0x0000000000400000-0x0000000000426000-memory.dmp | upx
  behavioral2/memory/3556-20-0x0000000000400000-0x0000000000426000-memory.dmp | upx
  behavioral2/memory/3556-37-0x0000000000400000-0x0000000000426000-memory.dmp | upx

Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | bc5ed93a16efb2f651e1f11ca5f63af6_JaffaCakes118.exe

Drops file in Windows directory (3 IoCs)
  description | ioc | Process
  File created | C:\Windows\Utility Mang.exe | Setup.exe
  File opened for modification | C:\Windows\Utility Mang.exe | Setup.exe
  File created | C:\Windows\Uer.BAT | Setup.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Setup.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Utility Mang.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bc5ed93a16efb2f651e1f11ca5f63af6_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ENJOY-~1.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | enjoy-soft1.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ENJOY-~1.EXE

Suspicious use of FindShellTrayWindow (1 IoC)
  pid | Process
  4536 | Utility Mang.exe

Suspicious use of WriteProcessMemory (17 IoCs)
  description | pid | Process | procid_target
  PID 4936 wrote to memory of 4044 | 4936 | bc5ed93a16efb2f651e1f11ca5f63af6_JaffaCakes118.exe | 84
  PID 4936 wrote to memory of 4044 | 4936 | bc5ed93a16efb2f651e1f11ca5f63af6_JaffaCakes118.exe | 84
  PID 4936 wrote to memory of 4044 | 4936 | bc5ed93a16efb2f651e1f11ca5f63af6_JaffaCakes118.exe | 84
  PID 4044 wrote to memory of 1012 | 4044 | ENJOY-~1.EXE | 87
  PID 4044 wrote to memory of 1012 | 4044 | ENJOY-~1.EXE | 87
  PID 4044 wrote to memory of 1012 | 4044 | ENJOY-~1.EXE | 87
  PID 4936 wrote to memory of 3556 | 4936 | bc5ed93a16efb2f651e1f11ca5f63af6_JaffaCakes118.exe | 88
  PID 4936 wrote to memory of 3556 | 4936 | bc5ed93a16efb2f651e1f11ca5f63af6_JaffaCakes118.exe | 88
  PID 4936 wrote to memory of 3556 | 4936 | bc5ed93a16efb2f651e1f11ca5f63af6_JaffaCakes118.exe | 88
  PID 1012 wrote to memory of 2704 | 1012 | enjoy-soft1.exe | 89
  PID 1012 wrote to memory of 2704 | 1012 | enjoy-soft1.exe | 89
  PID 1012 wrote to memory of 2704 | 1012 | enjoy-soft1.exe | 89
  PID 2704 wrote to memory of 1508 | 2704 | Setup.exe | 92
  PID 2704 wrote to memory of 1508 | 2704 | Setup.exe | 92
  PID 2704 wrote to memory of 1508 | 2704 | Setup.exe | 92
  PID 4536 wrote to memory of 3608 | 4536 | Utility Mang.exe | 93
  PID 4536 wrote to memory of 3608 | 4536 | Utility Mang.exe | 93
Processes

C:\Users\Admin\AppData\Local\Temp\bc5ed93a16efb2f651e1f11ca5f63af6_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bc5ed93a16efb2f651e1f11ca5f63af6_JaffaCakes118.exe"
  PID: 4936
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ENJOY-~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ENJOY-~1.EXE
    PID: 4044
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\enjoy-soft1.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\enjoy-soft1.exe"
      PID: 1012
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\Setup.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        PID: 2704
        - Executes dropped EXE
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c C:\Windows\Uer.BAT
          PID: 1508
          - System Location Discovery: System Language Discovery
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ENJOY-~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ENJOY-~1.EXE
    PID: 3556
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

C:\Windows\Utility Mang.exe
  Command line: "C:\Windows\Utility Mang.exe"
  PID: 4536
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  C:\Program Files\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
    PID: 3608
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 366KB
  MD5: a22dfb0055131ddaf228e3d0a35948fd
  SHA1: 8097dbb30cf73bc88146882a3a77d9e7fec0b93b
  SHA256: f487ccc4f8c3d1ca61421ee17e4bbcbe6a6fa562640595162029fc1e15404177
  SHA512: e7502c82c81c519eff1c8b0a31d819c9f4de2d96bb240f8b79a2a043b380428542522164afb7b270e04f07c28fe96334ff10925197e51414768d3237b79ee82d

File 2
  Filesize: 603KB
  MD5: e34bb36cd573d0b8f6600fa74d55319b
  SHA1: 3ca8b1f5f68bb05367af57efad823e01d163c599
  SHA256: 2d015636a64b4fb5545577da672d055376239db5c2d9d79bcbf4cd1b60972dae
  SHA512: 32df80f123ed79753a9a096333017069277d08cf6800082a23b3afd0f7c0e8136ce417a821e793e5b7d41897cfcc092037f1fd9f08a4629409d483a960d2b823

File 3
  Filesize: 355KB
  MD5: 2cd5631e374dfaa51252bcc2d39a514d
  SHA1: cb5bdf1b92f48ad9c1401550b76293d750f23fc4
  SHA256: bdad534481f11ec5384e28993d8080b7f8152347e723056354e9d2622424aa7c
  SHA512: 91ff61d83d8e1b8475f87d2d7565a23bd1b03904959311f112eec17cd23b5174f4320f66cc2d364a0146f1c78df0443834619b2cb0a95fc941cceb1566807964

File 4
  Filesize: 132B
  MD5: aaf8434df1f8c6c6ed749ab01d1c22c6
  SHA1: fa41fb89750fdeb128237140bcf4a0b8752f05ea
  SHA256: be4ea232c5a9877e3c943a4738b18a8a4ec605a9a0562c00e89967f451769a0b
  SHA512: bba9f6c1f4a63fcc756a05fa5ab900b28fa16ea7a7fd7342333073bcbcb1d9d36f2705a3d8a0b2b0c5d9466804ab7c0e1451d1c092b7acfd424d0ab6cc3266cd