Analysis
- max time kernel: 94s
- max time network: 122s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/09/2024, 08:50
Behavioral task: behavioral1
- Sample: cf2698bbd827384c2d80ce7260730dfa_JaffaCakes118.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: cf2698bbd827384c2d80ce7260730dfa_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: cf2698bbd827384c2d80ce7260730dfa_JaffaCakes118.exe
- Size: 105KB
- MD5: cf2698bbd827384c2d80ce7260730dfa
- SHA1: b2dfbb6eb14761517c0376fea844e3e898b4fe05
- SHA256: 6c74a34552008d0fad98199544cfe3463ae4b783969997206c9503d826006f37
- SHA512: 4caec1ea40b13e412b74d9ac5f8147fc16b20eb554f457723fc97539b870cb38c750b2125bea19b238a07ab49a44b7394d4a5ad9a6f8d341162c6a4a61d7625a
- SSDEEP: 3072:3ZlsN/vCtko2SYgnZoRHdrHx5GXBwLWNI3:JlsNJo2ShZoldrPGXB5I3
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | cf2698bbd827384c2d80ce7260730dfa_JaffaCakes118.exe
- Executes dropped EXE (1 IoCs)
  pid | Process
  4680 | GB4BA-tmp.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cf2698bbd827384c2d80ce7260730dfa_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | GB4BA-tmp.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 1408 wrote to memory of 4680 | 1408 | cf2698bbd827384c2d80ce7260730dfa_JaffaCakes118.exe | 84
  PID 1408 wrote to memory of 4680 | 1408 | cf2698bbd827384c2d80ce7260730dfa_JaffaCakes118.exe | 84
  PID 1408 wrote to memory of 4680 | 1408 | cf2698bbd827384c2d80ce7260730dfa_JaffaCakes118.exe | 84
  PID 1408 wrote to memory of 4452 | 1408 | cf2698bbd827384c2d80ce7260730dfa_JaffaCakes118.exe | 88
  PID 1408 wrote to memory of 4452 | 1408 | cf2698bbd827384c2d80ce7260730dfa_JaffaCakes118.exe | 88
  PID 1408 wrote to memory of 4452 | 1408 | cf2698bbd827384c2d80ce7260730dfa_JaffaCakes118.exe | 88
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\cf2698bbd827384c2d80ce7260730dfa_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cf2698bbd827384c2d80ce7260730dfa_JaffaCakes118.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1408
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\GB4BA-tmp.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\GB4BA-tmp.exe http://creatonsoft.com/drv32.data "C:\Users\Admin\AppData\Local\Temp\GB4BB-tmp"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 4680
  - [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\tmp.bat" "
    - System Location Discovery: System Language Discovery
    PID: 4452
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.6MB
  MD5: e8c0f02e2fe5af6159590d245178cb15
  SHA1: f890f9721f87fc0e83eba14546fe0232b872dc4f
  SHA256: 393646c4038c1431b332041e68a94a1e085f249b6f0b856d7fbd163c09295e16
  SHA512: 352fc9cfb3aa2636391eb5ec5577ea5fafd3a37af20a781846fa7db5566196b3ad0e7fdd33ffab56949009f9f712d0e3377c47644e71f2186a28deb8cf077033
- Filesize: 149KB
  MD5: b433088a544ac4f2307108af859da646
  SHA1: 9ef08188ba1a20d2f0cb5a76435de75a11a57c14
  SHA256: 315ae503e54fc45b70f2c0c2567a9f40144f2ac0555f43be3e5106d2ca4da277
  SHA512: db44bc16d5a97f9df662881070e32dcedf92d40658d42c6fd8b3efe26217100e4ca2b743c5243fd5ac81e98873cf7acad039d6b7de12ed9d13ee2df399166e3e
- Filesize: 50B
  MD5: 01419d91b0883bc354b89a3577c451a1
  SHA1: 7c3911d3d4e2a72610abf4470d39dddd7cb63805
  SHA256: a54298c6c68619d9b60dea41534fdcc95cbdde5a6e9f8323658e594ee1330ca3
  SHA512: 7f08e25014b313d70c6b443e61f9e795fee3f35358c824a89ecd97809fa9e68fc300ea1607a2d37b0346a54ccaf5e135f7ef885ca15f36543fca747e7aedb700