Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/08/2024, 16:31
Static task: static1
Behavioral task: behavioral1
  Sample: bc7c1125f696e59ce3c2bcf6ab552b9e_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: bc7c1125f696e59ce3c2bcf6ab552b9e_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: bc7c1125f696e59ce3c2bcf6ab552b9e_JaffaCakes118.exe
Size: 399KB
MD5: bc7c1125f696e59ce3c2bcf6ab552b9e
SHA1: f51bd1ec192d7b89df707219fd5990615995122c
SHA256: b27bc82511bef167d26e0033dcd91863f4e469018f92225906614029c4a16eb2
SHA512: 564620988dc56dfce80f7076a74d7242a7007634aaba70f6641eb5407bdfddd29761a3d5d22804b567925f53d5ab0c13e12f825123b439cb1427e4cab319d56e
SSDEEP: 6144:/LBchTO+M14IF2idZecnl20lHRxp3g8lk9ihl0/srEQpPK+e1FtEuxF+U2/kQp:z3ZF3Z4mxxnoEtlK+kt9T2MQp
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | 3.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  4820 | 3.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | bc7c1125f696e59ce3c2bcf6ab552b9e_JaffaCakes118.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bc7c1125f696e59ce3c2bcf6ab552b9e_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- Modifies registry class (5 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7147BD02-68AB-E135-89BD-023579BCE135}\ | 3.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7147BD02-68AB-E135-89BD-023579BCE135}\InProcServer32 | 3.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7147BD02-68AB-E135-89BD-023579BCE135}\InProcServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\MSINFO\\atmQQ2.dll" | 3.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7147BD02-68AB-E135-89BD-023579BCE135}\InProcServer32\ThreadingModel = "Apartment" | 3.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7147BD02-68AB-E135-89BD-023579BCE135} | 3.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 4020 wrote to memory of 4820 | 4020 | bc7c1125f696e59ce3c2bcf6ab552b9e_JaffaCakes118.exe | 84
  PID 4020 wrote to memory of 4820 | 4020 | bc7c1125f696e59ce3c2bcf6ab552b9e_JaffaCakes118.exe | 84
  PID 4020 wrote to memory of 4820 | 4020 | bc7c1125f696e59ce3c2bcf6ab552b9e_JaffaCakes118.exe | 84
  PID 4820 wrote to memory of 4808 | 4820 | 3.exe | 85
  PID 4820 wrote to memory of 4808 | 4820 | 3.exe | 85
  PID 4820 wrote to memory of 4808 | 4820 | 3.exe | 85
Processes
1. C:\Users\Admin\AppData\Local\Temp\bc7c1125f696e59ce3c2bcf6ab552b9e_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\bc7c1125f696e59ce3c2bcf6ab552b9e_JaffaCakes118.exe"
   PID: 4020
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3.exe
      PID: 4820
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BT.BAT" "
         PID: 4808
         - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 28KB
  MD5: 95586abf9185ddf5685852bda8d7284a
  SHA1: be091ebdb8f2adf97d48064f7e90df03ee30b48a
  SHA256: ea27308d963b69b1dea8f6f224ca8a51546177a126e3916d17024c84fb1431bc
  SHA512: bcec887d462c80c72acb62ccddef28822d760a6ee32384cac186d1f185798fa84f31c856221f4c1a11b659b77cda7a9b37b6fc0d3e2d8cb6ca80b65e5de9b2c0
- Filesize: 142B
  MD5: 7a118aab14033f7de50341c044da8cfb
  SHA1: 41d68565b813c2206b7e4db4295343301c2eed9c
  SHA256: 784e18e46f1043c2341d01085a943ad54245f7a49b93d243c89781c5d0de16c8
  SHA512: ab53fb3632020c36e8805bb1b9e3280458e05a07e1247a666507d41bc0af528174c0707266026ee1751957917b4bc29adb37d09741a7e3e457dd8942e581ba0b