Analysis
- max time kernel: 150s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31/08/2024, 14:28
Static task: static1
Behavioral task: behavioral1
- Sample: ccf9fd46a69a406c6a58f5159b329965_JaffaCakes118.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: ccf9fd46a69a406c6a58f5159b329965_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: ccf9fd46a69a406c6a58f5159b329965_JaffaCakes118.exe
- Size: 556KB
- MD5: ccf9fd46a69a406c6a58f5159b329965
- SHA1: 3dac39eac3061e2e83d1a07bcdc7bd2a6c025662
- SHA256: eb49b4f516251a86ef5d49ab634e25e7a1f88a1855cb46799081183048a844ee
- SHA512: 6a9a0dffee79a6435281203f6ebf1e657242dc8a26116d3b21c26f8e58a9d7c967f4fc9d728ef1e72ce5c890a4d1b52d11e379cc8d8389cf4b502c59cd63dbd0
- SSDEEP: 6144:dXGR7onTiRtFc4EhQfIytKzSzLjCUBkNG7NgY1MW2wiWQD9+Wjc:dg7oItFNfIyt3BuMNgY1M0iW/W
Malware Config
Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation (process: ccf9fd46a69a406c6a58f5159b329965_JaffaCakes118.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation (process: WScript.exe)

Executes dropped EXE (1 IoCs)
- PID 3500: Remc.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\erwfguyhjnxcj = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remc\\Remc.exe\"" (process: ccf9fd46a69a406c6a58f5159b329965_JaffaCakes118.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\erwfguyhjnxcj = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remc\\Remc.exe\"" (process: Remc.exe)

Suspicious use of SetThreadContext (1 IoCs)
- PID 3500 set thread context of 1208 (process: Remc.exe, target procid 99)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: ccf9fd46a69a406c6a58f5159b329965_JaffaCakes118.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: WScript.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cmd.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: Remc.exe)

Modifies registry class (1 IoCs)
- Key created: \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings (process: ccf9fd46a69a406c6a58f5159b329965_JaffaCakes118.exe)

Suspicious use of SetWindowsHookEx (3 IoCs)
- PID 3788: ccf9fd46a69a406c6a58f5159b329965_JaffaCakes118.exe
- PID 3500: Remc.exe
- PID 3500: Remc.exe

Suspicious use of WriteProcessMemory (19 IoCs)
- PID 3788 wrote to memory of 4200 (process: ccf9fd46a69a406c6a58f5159b329965_JaffaCakes118.exe, target procid 95), 3 entries
- PID 4200 wrote to memory of 968 (process: WScript.exe, target procid 96), 3 entries
- PID 968 wrote to memory of 3500 (process: cmd.exe, target procid 98), 3 entries
- PID 3500 wrote to memory of 1208 (process: Remc.exe, target procid 99), 10 entries
Processes (nested by parent/child depth)
1. C:\Users\Admin\AppData\Local\Temp\ccf9fd46a69a406c6a58f5159b329965_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ccf9fd46a69a406c6a58f5159b329965_JaffaCakes118.exe"
   PID: 3788
   - Checks computer location settings
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
      PID: 4200
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remc\Remc.exe"
         PID: 968
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\Remc\Remc.exe
            Command line: C:\Users\Admin\AppData\Roaming\Remc\Remc.exe
            PID: 3500
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\svchost.exe
               Command line: C:\Windows\SysWOW64\svchost.exe
               PID: 1208
Network
MITRE ATT&CK Enterprise v15
Downloads