Analysis
- max time kernel: 141s
- max time network: 129s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/08/2024, 18:24
Static task: static1
Behavioral task: behavioral1
- Sample: c14f5b189d2cada501dbba93c2953f48_JaffaCakes118.exe
- Resource: win7-20240729-en
Behavioral task: behavioral2
- Sample: c14f5b189d2cada501dbba93c2953f48_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: c14f5b189d2cada501dbba93c2953f48_JaffaCakes118.exe
- Size: 230KB
- MD5: c14f5b189d2cada501dbba93c2953f48
- SHA1: d9f5f353e4dc2edee709654fba417f07c520e883
- SHA256: a6a49ca55953f5563187b739b9700374742c2e7abeeb3d3340327f3dfaec5ed9
- SHA512: bdb771eed27daa2691e16af631237a3db93027679969dcb3e158e705ab7d0ee074e462854dbdd21960780445e424a581d052420622b166c535426a7231910972
- SSDEEP: 6144:i8e87uZW93Xa5AjW84WRbU2gia/7mW2K1KRD2GWys6v:/e87uoKM4W3gNCWxgRD0ynv
Malware Config
Signatures
- System Location Discovery: System Language Discovery (1 TTPs, 31 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cacls.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cacls.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cacls.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cacls.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cacls.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cacls.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c14f5b189d2cada501dbba93c2953f48_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cacls.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cacls.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cacls.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cacls.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cacls.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cacls.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cacls.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cacls.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cacls.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- Suspicious use of WriteProcessMemory (64 IoCs)

description | pid | Process | procid_target
PID 4320 wrote to memory of 4212 | 4320 | c14f5b189d2cada501dbba93c2953f48_JaffaCakes118.exe | 84
PID 4320 wrote to memory of 4212 | 4320 | c14f5b189d2cada501dbba93c2953f48_JaffaCakes118.exe | 84
PID 4320 wrote to memory of 4212 | 4320 | c14f5b189d2cada501dbba93c2953f48_JaffaCakes118.exe | 84
PID 4320 wrote to memory of 2328 | 4320 | c14f5b189d2cada501dbba93c2953f48_JaffaCakes118.exe | 85
PID 4320 wrote to memory of 2328 | 4320 | c14f5b189d2cada501dbba93c2953f48_JaffaCakes118.exe | 85
PID 4320 wrote to memory of 2328 | 4320 | c14f5b189d2cada501dbba93c2953f48_JaffaCakes118.exe | 85
PID 4320 wrote to memory of 4844 | 4320 | c14f5b189d2cada501dbba93c2953f48_JaffaCakes118.exe | 86
PID 4320 wrote to memory of 4844 | 4320 | c14f5b189d2cada501dbba93c2953f48_JaffaCakes118.exe | 86
PID 4320 wrote to memory of 4844 | 4320 | c14f5b189d2cada501dbba93c2953f48_JaffaCakes118.exe | 86
PID 4320 wrote to memory of 1944 | 4320 | c14f5b189d2cada501dbba93c2953f48_JaffaCakes118.exe | 87
PID 4320 wrote to memory of 1944 | 4320 | c14f5b189d2cada501dbba93c2953f48_JaffaCakes118.exe | 87
PID 4320 wrote to memory of 1944 | 4320 | c14f5b189d2cada501dbba93c2953f48_JaffaCakes118.exe | 87
PID 4320 wrote to memory of 1980 | 4320 | c14f5b189d2cada501dbba93c2953f48_JaffaCakes118.exe | 88
PID 4320 wrote to memory of 1980 | 4320 | c14f5b189d2cada501dbba93c2953f48_JaffaCakes118.exe | 88
PID 4320 wrote to memory of 1980 | 4320 | c14f5b189d2cada501dbba93c2953f48_JaffaCakes118.exe | 88
PID 4320 wrote to memory of 1168 | 4320 | c14f5b189d2cada501dbba93c2953f48_JaffaCakes118.exe | 89
PID 4320 wrote to memory of 1168 | 4320 | c14f5b189d2cada501dbba93c2953f48_JaffaCakes118.exe | 89
PID 4320 wrote to memory of 1168 | 4320 | c14f5b189d2cada501dbba93c2953f48_JaffaCakes118.exe | 89
PID 4320 wrote to memory of 3872 | 4320 | c14f5b189d2cada501dbba93c2953f48_JaffaCakes118.exe | 90
PID 4320 wrote to memory of 3872 | 4320 | c14f5b189d2cada501dbba93c2953f48_JaffaCakes118.exe | 90
PID 4320 wrote to memory of 3872 | 4320 | c14f5b189d2cada501dbba93c2953f48_JaffaCakes118.exe | 90
PID 4320 wrote to memory of 2084 | 4320 | c14f5b189d2cada501dbba93c2953f48_JaffaCakes118.exe | 91
PID 4320 wrote to memory of 2084 | 4320 | c14f5b189d2cada501dbba93c2953f48_JaffaCakes118.exe | 91
PID 4320 wrote to memory of 2084 | 4320 | c14f5b189d2cada501dbba93c2953f48_JaffaCakes118.exe | 91
PID 4320 wrote to memory of 1000 | 4320 | c14f5b189d2cada501dbba93c2953f48_JaffaCakes118.exe | 92
PID 4320 wrote to memory of 1000 | 4320 | c14f5b189d2cada501dbba93c2953f48_JaffaCakes118.exe | 92
PID 4320 wrote to memory of 1000 | 4320 | c14f5b189d2cada501dbba93c2953f48_JaffaCakes118.exe | 92
PID 4320 wrote to memory of 2872 | 4320 | c14f5b189d2cada501dbba93c2953f48_JaffaCakes118.exe | 95
PID 4320 wrote to memory of 2872 | 4320 | c14f5b189d2cada501dbba93c2953f48_JaffaCakes118.exe | 95
PID 4320 wrote to memory of 2872 | 4320 | c14f5b189d2cada501dbba93c2953f48_JaffaCakes118.exe | 95
PID 4320 wrote to memory of 1104 | 4320 | c14f5b189d2cada501dbba93c2953f48_JaffaCakes118.exe | 96
PID 4320 wrote to memory of 1104 | 4320 | c14f5b189d2cada501dbba93c2953f48_JaffaCakes118.exe | 96
PID 4320 wrote to memory of 1104 | 4320 | c14f5b189d2cada501dbba93c2953f48_JaffaCakes118.exe | 96
PID 4320 wrote to memory of 3772 | 4320 | c14f5b189d2cada501dbba93c2953f48_JaffaCakes118.exe | 97
PID 4320 wrote to memory of 3772 | 4320 | c14f5b189d2cada501dbba93c2953f48_JaffaCakes118.exe | 97
PID 4320 wrote to memory of 3772 | 4320 | c14f5b189d2cada501dbba93c2953f48_JaffaCakes118.exe | 97
PID 4320 wrote to memory of 548 | 4320 | c14f5b189d2cada501dbba93c2953f48_JaffaCakes118.exe | 98
PID 4320 wrote to memory of 548 | 4320 | c14f5b189d2cada501dbba93c2953f48_JaffaCakes118.exe | 98
PID 4320 wrote to memory of 548 | 4320 | c14f5b189d2cada501dbba93c2953f48_JaffaCakes118.exe | 98
PID 4320 wrote to memory of 408 | 4320 | c14f5b189d2cada501dbba93c2953f48_JaffaCakes118.exe | 99
PID 4320 wrote to memory of 408 | 4320 | c14f5b189d2cada501dbba93c2953f48_JaffaCakes118.exe | 99
PID 4320 wrote to memory of 408 | 4320 | c14f5b189d2cada501dbba93c2953f48_JaffaCakes118.exe | 99
PID 4320 wrote to memory of 2532 | 4320 | c14f5b189d2cada501dbba93c2953f48_JaffaCakes118.exe | 100
PID 4320 wrote to memory of 2532 | 4320 | c14f5b189d2cada501dbba93c2953f48_JaffaCakes118.exe | 100
PID 4320 wrote to memory of 2532 | 4320 | c14f5b189d2cada501dbba93c2953f48_JaffaCakes118.exe | 100
PID 3772 wrote to memory of 2420 | 3772 | cmd.exe | 114
PID 3772 wrote to memory of 2420 | 3772 | cmd.exe | 114
PID 3772 wrote to memory of 2420 | 3772 | cmd.exe | 114
PID 2532 wrote to memory of 4124 | 2532 | cmd.exe | 115
PID 2532 wrote to memory of 4124 | 2532 | cmd.exe | 115
PID 2532 wrote to memory of 4124 | 2532 | cmd.exe | 115
PID 4844 wrote to memory of 4648 | 4844 | cmd.exe | 116
PID 4844 wrote to memory of 4648 | 4844 | cmd.exe | 116
PID 4844 wrote to memory of 4648 | 4844 | cmd.exe | 116
PID 1944 wrote to memory of 1648 | 1944 | cmd.exe | 117
PID 1944 wrote to memory of 1648 | 1944 | cmd.exe | 117
PID 1944 wrote to memory of 1648 | 1944 | cmd.exe | 117
PID 1000 wrote to memory of 4676 | 1000 | cmd.exe | 118
PID 1000 wrote to memory of 4676 | 1000 | cmd.exe | 118
PID 1000 wrote to memory of 4676 | 1000 | cmd.exe | 118
PID 1168 wrote to memory of 2800 | 1168 | cmd.exe | 119
PID 1168 wrote to memory of 2800 | 1168 | cmd.exe | 119
PID 1168 wrote to memory of 2800 | 1168 | cmd.exe | 119
PID 2872 wrote to memory of 4716 | 2872 | cmd.exe | 120
Processes
- C:\Users\Admin\AppData\Local\Temp\c14f5b189d2cada501dbba93c2953f48_JaffaCakes118.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c14f5b189d2cada501dbba93c2953f48_JaffaCakes118.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 4320
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: cmd /k cacls "C:\Arquivos de programas\Alwil Software" /E /T /R Usuários
    - System Location Discovery: System Language Discovery
    PID: 4212
    - C:\Windows\SysWOW64\cacls.exe (depth 3)
      Command line: cacls "C:\Arquivos de programas\Alwil Software" /E /T /R Usuários
      - System Location Discovery: System Language Discovery
      PID: 4028
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: cmd /k cacls "C:\Arquivos de programas\Alwil Software" /E /T /R Administradores
    - System Location Discovery: System Language Discovery
    PID: 2328
    - C:\Windows\SysWOW64\cacls.exe (depth 3)
      Command line: cacls "C:\Arquivos de programas\Alwil Software" /E /T /R Administradores
      - System Location Discovery: System Language Discovery
      PID: 2196
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: cmd /k cacls "C:\Arquivos de programas\Alwil Software" /E /T /R SYSTEM
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 4844
    - C:\Windows\SysWOW64\cacls.exe (depth 3)
      Command line: cacls "C:\Arquivos de programas\Alwil Software" /E /T /R SYSTEM
      - System Location Discovery: System Language Discovery
      PID: 4648
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: cmd /k cacls "C:\Arquivos de programas\AVAST Software" /E /T /R Usuários
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1944
    - C:\Windows\SysWOW64\cacls.exe (depth 3)
      Command line: cacls "C:\Arquivos de programas\AVAST Software" /E /T /R Usuários
      - System Location Discovery: System Language Discovery
      PID: 1648
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: cmd /k cacls "C:\Arquivos de programas\AVAST Software" /E /T /R Administradores
    - System Location Discovery: System Language Discovery
    PID: 1980
    - C:\Windows\SysWOW64\cacls.exe (depth 3)
      Command line: cacls "C:\Arquivos de programas\AVAST Software" /E /T /R Administradores
      - System Location Discovery: System Language Discovery
      PID: 860
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: cmd /k cacls "C:\Arquivos de programas\AVAST Software" /E /T /R SYSTEM
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1168
    - C:\Windows\SysWOW64\cacls.exe (depth 3)
      Command line: cacls "C:\Arquivos de programas\AVAST Software" /E /T /R SYSTEM
      - System Location Discovery: System Language Discovery
      PID: 2800
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: cmd /k cacls "C:\Program Files\Alwil Software" /E /R SISTEMA
    - System Location Discovery: System Language Discovery
    PID: 3872
    - C:\Windows\SysWOW64\cacls.exe (depth 3)
      Command line: cacls "C:\Program Files\Alwil Software" /E /R SISTEMA
      - System Location Discovery: System Language Discovery
      PID: 4168
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: cmd /k cacls "C:\Program Files\Alwil Software" /E /R Usuários
    - System Location Discovery: System Language Discovery
    PID: 2084
    - C:\Windows\SysWOW64\cacls.exe (depth 3)
      Command line: cacls "C:\Program Files\Alwil Software" /E /R Usuários
      - System Location Discovery: System Language Discovery
      PID: 3228
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: cmd /k cacls "C:\Program Files\Alwil Software" /E /R Administradores
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1000
    - C:\Windows\SysWOW64\cacls.exe (depth 3)
      Command line: cacls "C:\Program Files\Alwil Software" /E /R Administradores
      - System Location Discovery: System Language Discovery
      PID: 4676
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: cmd /k cacls "C:\Program Files (x86)\Alwil Software" /E /R SISTEMA
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2872
    - C:\Windows\SysWOW64\cacls.exe (depth 3)
      Command line: cacls "C:\Program Files (x86)\Alwil Software" /E /R SISTEMA
      - System Location Discovery: System Language Discovery
      PID: 4716
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: cmd /k cacls "C:\Program Files (x86)\Alwil Software" /E /R Usuários
    - System Location Discovery: System Language Discovery
    PID: 1104
    - C:\Windows\SysWOW64\cacls.exe (depth 3)
      Command line: cacls "C:\Program Files (x86)\Alwil Software" /E /R Usuários
      - System Location Discovery: System Language Discovery
      PID: 1640
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: cmd /k cacls "C:\Program Files (x86)\Alwil Software" /E /R Administradores
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 3772
    - C:\Windows\SysWOW64\cacls.exe (depth 3)
      Command line: cacls "C:\Program Files (x86)\Alwil Software" /E /R Administradores
      - System Location Discovery: System Language Discovery
      PID: 2420
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: cmd /k cacls "C:\Program Files\AVAST Software" /E /R SISTEMA
    - System Location Discovery: System Language Discovery
    PID: 548
    - C:\Windows\SysWOW64\cacls.exe (depth 3)
      Command line: cacls "C:\Program Files\AVAST Software" /E /R SISTEMA
      - System Location Discovery: System Language Discovery
      PID: 428
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: cmd /k cacls "C:\Program Files\AVAST Software" /E /R Usuários
    - System Location Discovery: System Language Discovery
    PID: 408
    - C:\Windows\SysWOW64\cacls.exe (depth 3)
      Command line: cacls "C:\Program Files\AVAST Software" /E /R Usuários
      - System Location Discovery: System Language Discovery
      PID: 4732
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: cmd /k cacls "C:\Program Files\AVAST Software" /E /R Administradores
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2532
    - C:\Windows\SysWOW64\cacls.exe (depth 3)
      Command line: cacls "C:\Program Files\AVAST Software" /E /R Administradores
      - System Location Discovery: System Language Discovery
      PID: 4124