Analysis
max time kernel: 146s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/08/2024, 00:21
Static task: static1
Behavioral task: behavioral1
  Sample: c1e63560dc0c632686e1c2f6fb40775a_JaffaCakes118.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: c1e63560dc0c632686e1c2f6fb40775a_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: c1e63560dc0c632686e1c2f6fb40775a_JaffaCakes118.exe
Size: 1.7MB
MD5: c1e63560dc0c632686e1c2f6fb40775a
SHA1: 08eda0406a0383005ff7a60966e032afebe0d2ab
SHA256: 374f94bc94a6eebc3f8784085f361a30a8caba2c2c60c84572cea8933c3f6e49
SHA512: f5d35dfab8fc78584187b21c63887530f57ff9025fce65059a4a004d3c1b490bbfb20fb39c3b23a7bcd70113ff90e5616c4c20bd349d686ec82f2ba74868f311
SSDEEP: 24576:LUvxLsmtUuoX5382om3Cg/iDfPc/7tNETop2FmYaS0LtVOmvjkiSs9OfccyM4NQf:oJ7WuW5XgTK7th2jaSYtgySWNI4gF
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
  pid   Process
  3112  wrar393.exe
  4196  setup.exe

Indicator Removal: File Deletion (1 TTPs)
  Adversaries may delete files left behind by the actions of their intrusion activity.

System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
  Adversaries may attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  at.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  c1e63560dc0c632686e1c2f6fb40775a_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  setup.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wrar393.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  3112  wrar393.exe
  3112  wrar393.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   Process                                              procid_target
  PID 2280 wrote to memory of 3112   2280  c1e63560dc0c632686e1c2f6fb40775a_JaffaCakes118.exe  93
  PID 2280 wrote to memory of 3112   2280  c1e63560dc0c632686e1c2f6fb40775a_JaffaCakes118.exe  93
  PID 2280 wrote to memory of 3112   2280  c1e63560dc0c632686e1c2f6fb40775a_JaffaCakes118.exe  93
  PID 2280 wrote to memory of 4196   2280  c1e63560dc0c632686e1c2f6fb40775a_JaffaCakes118.exe  94
  PID 2280 wrote to memory of 4196   2280  c1e63560dc0c632686e1c2f6fb40775a_JaffaCakes118.exe  94
  PID 2280 wrote to memory of 4196   2280  c1e63560dc0c632686e1c2f6fb40775a_JaffaCakes118.exe  94
  PID 4196 wrote to memory of 208    4196  setup.exe                                            95
  PID 4196 wrote to memory of 208    4196  setup.exe                                            95
  PID 4196 wrote to memory of 208    4196  setup.exe                                            95
  PID 208 wrote to memory of 396     208   cmd.exe                                              97
  PID 208 wrote to memory of 396     208   cmd.exe                                              97
  PID 208 wrote to memory of 396     208   cmd.exe                                              97
Processes

C:\Users\Admin\AppData\Local\Temp\c1e63560dc0c632686e1c2f6fb40775a_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c1e63560dc0c632686e1c2f6fb40775a_JaffaCakes118.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2280

  C:\Users\Admin\AppData\Local\Temp\ wrar393.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ wrar393.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID: 3112

  C:\Users\Admin\AppData\Local\Temp\ setup.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ setup.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 4196

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c at 00:22 C:\Windows\system32\cmd.exe /c del /F /Q "C:\Users\Admin\AppData\Local\Temp\ setup.exe"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 208

      C:\Windows\SysWOW64\at.exe
        Command line: at 00:22 C:\Windows\system32\cmd.exe /c del /F /Q "C:\Users\Admin\AppData\Local\Temp\ setup.exe"
        - System Location Discovery: System Language Discovery
        PID: 396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4180,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=4612 /prefetch:8
  PID: 1664
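The chain in the process tree is what the Indicator Removal: File Deletion signature fires on: the sample drops and runs " setup.exe" from the user's Temp directory, which uses cmd.exe to hand at.exe a job that deletes the dropped binary at 00:22, one minute after the 00:21 submission. The Python below is an added example and not part of the tria.ge report. It rebuilds the parent/child tree from the "wrote to memory" IoC lines and the command lines copied from this report, then flags any at.exe job whose del target is the image path of one of at.exe's own ancestors, which is the pattern of a dropped file scheduling its own removal. The function names (build_tree, ancestors, find_scheduled_self_deletion, dropped_executables) and the input structures are assumptions made for the example. The leading space in " wrar393.exe" and " setup.exe" is how the sandbox recorded the dropped file names and is kept as-is.

```python
"""Reconstruct a sandbox process tree and flag a scheduled self-deletion.

Added example; not part of the tria.ge report. The IoC lines and command
lines below are copied from the report above (the report lists every
write three times; one copy per parent/child pair is enough here).
"""
import re

# Constructed from the "Suspicious use of WriteProcessMemory" IoCs above.
WRITE_LINES = [
    "PID 2280 wrote to memory of 3112 2280 c1e63560dc0c632686e1c2f6fb40775a_JaffaCakes118.exe 93",
    "PID 2280 wrote to memory of 4196 2280 c1e63560dc0c632686e1c2f6fb40775a_JaffaCakes118.exe 94",
    "PID 4196 wrote to memory of 208 4196 setup.exe 95",
    "PID 208 wrote to memory of 396 208 cmd.exe 97",
]

# Command lines per PID from the Processes section. The leading space in the
# dropped file names is as recorded by the sandbox.
CMDLINES = {
    2280: r'"C:\Users\Admin\AppData\Local\Temp\c1e63560dc0c632686e1c2f6fb40775a_JaffaCakes118.exe"',
    3112: r'"C:\Users\Admin\AppData\Local\Temp\ wrar393.exe"',
    4196: r'"C:\Users\Admin\AppData\Local\Temp\ setup.exe"',
    208: r'"C:\Windows\system32\cmd.exe" /c at 00:22 C:\Windows\system32\cmd.exe /c del /F /Q "C:\Users\Admin\AppData\Local\Temp\ setup.exe"',
    396: r'at 00:22 C:\Windows\system32\cmd.exe /c del /F /Q "C:\Users\Admin\AppData\Local\Temp\ setup.exe"',
}

# "PID <parent> wrote to memory of <child> <parent> <parent image> <target id>"
WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+")
# An at.exe job (HH:MM) whose payload runs "del" on a quoted path.
AT_DEL_RE = re.compile(r'^at\s+\d{1,2}:\d{2}\s.*\bdel\b.*"([^"]+)"', re.IGNORECASE)


def build_tree(lines):
    """Return ({child_pid: parent_pid}, {parent_pid: parent_image}) from IoC lines."""
    parent_of, image_of = {}, {}
    for line in lines:
        m = WRITE_RE.match(line)
        if not m:
            continue  # ignore lines that are not WriteProcessMemory IoCs
        parent, child, image = int(m.group(1)), int(m.group(2)), m.group(3)
        parent_of[child] = parent
        image_of[parent] = image
    return parent_of, image_of


def ancestors(pid, parent_of):
    """Ancestor PIDs of pid, nearest first, following the recorded writes."""
    chain = []
    while pid in parent_of:
        pid = parent_of[pid]
        chain.append(pid)
    return chain


def image_path(cmdline):
    """First token of a command line, with surrounding quotes removed."""
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.index('"', 1)]
    return cmdline.split(" ", 1)[0]


def find_scheduled_self_deletion(lines, cmdlines):
    """Flag at.exe jobs whose del target is the image of one of at.exe's ancestors.

    That is the shape of a dropped binary arranging its own deletion through
    a scheduled task rather than deleting itself directly while still running.
    """
    parent_of, _ = build_tree(lines)
    findings = []
    for pid, cmd in cmdlines.items():
        m = AT_DEL_RE.match(cmd)
        if not m:
            continue
        target = m.group(1)
        for anc in ancestors(pid, parent_of):
            if image_path(cmdlines.get(anc, "")).lower() == target.lower():
                findings.append({"at_pid": pid, "deleter_of": anc, "target": target})
    return findings


def dropped_executables(lines, cmdlines, root_pid):
    """Image paths of root_pid's direct children that were launched from the Temp dir."""
    parent_of, _ = build_tree(lines)
    marker = "\\appdata\\local\\temp\\"
    return sorted(
        image_path(cmdlines[child])
        for child, parent in parent_of.items()
        if parent == root_pid and marker in image_path(cmdlines[child]).lower()
    )


if __name__ == "__main__":
    for f in find_scheduled_self_deletion(WRITE_LINES, CMDLINES):
        print(f"at.exe pid {f['at_pid']} deletes image of ancestor pid {f['deleter_of']}: {f['target']}")
    for path in dropped_executables(WRITE_LINES, CMDLINES, 2280):
        print(f"dropped and executed from Temp: {path!r}")
```

On this report the only hit is the at.exe job in PID 396, whose target matches the image of PID 4196 three levels up the tree, and the two children of the sample under Temp are the dropped " setup.exe" and " wrar393.exe". Matching on the ancestor's image rather than on the literal string "del" keeps ordinary cleanup jobs that delete unrelated files out of the result.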
Downloads

Filesize: 380KB
MD5: aa78e0ac5cb33a254fe18f516543ece5
SHA1: 96aa657d4e85f42a2a783387224010f38b5268af
SHA256: 647a0483cf74f4099112267004494809a8333165951f705c07978ab114e6d0e0
SHA512: 3dd5ca02a410c263256b927d3f87ef768657bf482a9e0b237b599e26274ec9491f7b1a8c8e14ca450f00e89d177f8aa5f2e599201020b2d984c90497dab10ba2

Filesize: 1.3MB
MD5: b3b121ccac92a71152d3aa6a783927d4
SHA1: b51e3dcd8edaad1cb77550a9cfd6266c4925c630
SHA256: 31c84f5d740eb7b497fcfd5e963123d0a1a94afe6edfd18cfc23b2d1234078fb
SHA512: e8f1308aed05f027eace8b0d6dd8a0e4d391748f822a6e665a4e46b88a9f2bf278d3b93c884bdf66b6c94be1223ec7d5ad60fd149a9e20b47b96c56a235cea39