Analysis
  max time kernel: 96s
  max time network: 137s
  platform: windows10-2004_x64
  resource: win10v2004-20240802-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 06/09/2024, 17:44
Behavioral task
  behavioral1
  Sample: d01be792134387bfa12c4c4db206338a_JaffaCakes118.exe
  Resource: win7-20240903-en
  Note: the task listed here ran on the win7-20240903-en image, but every signature and memory dump below is tagged behavioral2 and the Analysis block above names the windows10-2004_x64 platform, so the results on this page are the Windows 10 run, not the Windows 7 one.
General
  Target: d01be792134387bfa12c4c4db206338a_JaffaCakes118.exe
  Size: 1.7MB
  MD5: d01be792134387bfa12c4c4db206338a
  SHA1: edb80fd21c9d3082359e44cd244801c07902f28b
  SHA256: 6d0f958596f72608fa7263552583a1802673f135b5886545b60320cd60384bea
  SHA512: 4377a4ccee73e4e7448e4460792845bca36a202db8ecc86bf70f95fc164116d979b93fe4e5eab4334ca3143c73f5f797eb9a4aa5d3afbe4980a56407c88831a7
  SSDEEP: 49152:Hca33cLLfJhPYHMIclNA5uAOlTM9rMEkOhPGO:HcaHcXHPYHM9uJOlTMd/kOz
Malware Config
  (no configuration extracted in this report)
Signatures

ASPack packer (YARA)
  resource: behavioral2/files/0x0007000000023461-19.dat
  yara_rule: aspack_v212_v242

Checks computer location settings    2 TTPs, 1 IoC
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation
  Process: d01be792134387bfa12c4c4db206338a_JaffaCakes118.exe

Executes dropped EXE    3 IoCs
  PID 4380  xy03.exe
  PID 4284  3317.exe
  PID 3452  DNFÉñµ¶±ä̬Îȶ¨0404°æ.exe
  Note: the third name is GBK-encoded Chinese written to disk on an en-US (cp1252) image, so the mojibake is the real on-disk filename and should be matched as-is in hunting rules. Read as GBK the bytes spell DNF神刀变态稳定0404版.exe, roughly "DNF (Dungeon & Fighter) god-blade modded/cheat, stable 0404 build", which suggests a game-cheat tool bundled with two other droppers rather than a commodity stealer; the page does not confirm what it does beyond the hooks noted below.

Loads dropped DLL    1 IoC
  PID 4380  xy03.exe

VMProtect packer (YARA)
  behavioral2/memory/5076-0-0x0000000000400000-0x000000000072C000-memory.dmp    vmprotect
  behavioral2/files/0x0007000000023461-19.dat    vmprotect
  behavioral2/memory/4380-22-0x0000000074230000-0x000000007423F000-memory.dmp    vmprotect
  behavioral2/memory/5076-35-0x0000000000400000-0x000000000072C000-memory.dmp    vmprotect
  Note: the parent (PID 5076) is mapped at 0x400000-0x72C000, a 0x32C000-byte (about 3.2 MB) image for a 1.7 MB file, the virtual-size inflation typical of a packed executable. The dropped file 0x0007000000023461-19.dat hits both the ASPack and the VMProtect rules, so expect nested packing when unpacking it. The 0xF000-byte mapping at 0x74230000 in xy03.exe (PID 4380) is a small module loaded into the process that also loads the dropped DLL.
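The packer rule hits above come from tria.ge's own YARA rules, which this page does not reproduce. As an added example (not tria.ge code), the script below corroborates such hits with two cheap, independent checks a practitioner can run on any sample: section names that VMProtect, ASPack and UPX leave behind, and an entry point that does not sit in .text next to code sections with zero raw bytes that are filled at runtime. The PE it parses is constructed in build_sample_pe() and is not the sample from this report; its SizeOfImage (0x32C000) and the 1.7 MB on-disk size are taken from the memory-dump range and file size above, while the section names and offsets are assumed.

```python
"""Packer triage from the PE section table (added example, not tria.ge's YARA)."""
import struct
from dataclasses import dataclass
from typing import Optional

# Section names specific packers create.  Trivial to rename, so treat a hit as
# corroboration of a YARA or entropy result, never as proof on its own.
PACKER_SECTIONS = {
    ".vmp0": "VMProtect", ".vmp1": "VMProtect", ".vmp2": "VMProtect",
    ".aspack": "ASPack", ".adata": "ASPack",
    "UPX0": "UPX", "UPX1": "UPX", "UPX2": "UPX",
}


@dataclass
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int
    raw_pointer: int

    def contains_rva(self, rva: int) -> bool:
        span = max(self.virtual_size, self.raw_size)
        return self.virtual_address <= rva < self.virtual_address + span


def parse_pe(data: bytes):
    """Return (entry_point_rva, size_of_image, [Section]) from PE32/PE32+ headers."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                       # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):           # PE32 / PE32+
        raise ValueError(f"unexpected optional-header magic {magic:#x}")
    entry = struct.unpack_from("<I", data, opt + 16)[0]          # AddressOfEntryPoint
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]  # SizeOfImage (same offset in both)
    table = opt + opt_size
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize, rsize, rptr))
    return entry, size_of_image, sections


def assess_packing(data: bytes, file_size: Optional[int] = None) -> dict:
    """Collect packer indicators; file_size lets a headers-only sample use the real on-disk size."""
    entry, size_of_image, sections = parse_pe(data)
    file_size = file_size if file_size is not None else len(data)
    ep_section = next((s for s in sections if s.contains_rva(entry)), None)
    packers, findings = set(), []
    for s in sections:
        if s.name in PACKER_SECTIONS:
            packers.add(PACKER_SECTIONS[s.name])
            findings.append(f"section {s.name} is characteristic of {PACKER_SECTIONS[s.name]}")
        if s.raw_size == 0 and s.virtual_size > 0:
            findings.append(f"section {s.name} has 0 raw bytes but {s.virtual_size:#x} virtual: filled at runtime")
    if ep_section is None:
        findings.append(f"entry point {entry:#x} lies in no section")
    elif ep_section.name != ".text":
        findings.append(f"entry point {entry:#x} is in {ep_section.name}, not .text")
    ratio = size_of_image / file_size if file_size else 0.0
    if ratio > 1.5:   # weak signal on its own: .bss and alignment also inflate images
        findings.append(f"SizeOfImage {size_of_image:#x} is {ratio:.1f}x the on-disk size")
    return {"packers": sorted(packers), "entry_section": ep_section.name if ep_section else None,
            "image_to_file_ratio": round(ratio, 2), "findings": findings}


def build_sample_pe(sections, entry: int, size_of_image: int) -> bytes:
    """Constructed minimal PE32 (headers + section table only) for offline testing."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entry)
    struct.pack_into("<I", opt, 56, size_of_image)
    table = b"".join(struct.pack("<8sIIIIIIHHI", s.name.encode("ascii"), s.virtual_size,
                                 s.virtual_address, s.raw_size, s.raw_pointer, 0, 0, 0, 0, 0x60000020)
                     for s in sections)
    return bytes(dos) + coff + bytes(opt) + table


# Constructed layout shaped like the dump range in this report (0x400000-0x72C000): assumed names/offsets.
SAMPLE_PE = build_sample_pe(
    [Section(".text", 0x1000, 0x1000, 0, 0),                   # original code, emptied by the packer
     Section(".vmp0", 0x2000, 0x2A0000, 0x100000, 0x400),
     Section(".vmp1", 0x2A2000, 0x8A000, 0x8A000, 0x100400)],
    entry=0x2A2100, size_of_image=0x32C000)
REPORT = assess_packing(SAMPLE_PE, file_size=1_700_000)        # 1.7 MB on disk, from the report

if __name__ == "__main__":
    for line in REPORT["findings"]:
        print(line)
```

On a real sample pass the file bytes and omit file_size; the headers-only construction here exists so the check runs without the malware.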
Drops file in System32 directory    1 IoC
  File created: C:\Windows\SysWOW64\lqcyc52.cyc
  Process: xy03.exe

Enumerates physical storage devices    1 TTP
  Attempts to interact with connected storage/optical drive(s).

Program crash    3 IoCs
  PID 5008  WerFault.exe  crashed process PID 4380 (procid_target 85)
  PID 4900  WerFault.exe  crashed process PID 4284 (procid_target 86)
  PID 4196  WerFault.exe  crashed process PID 4380 (procid_target 85)
  Note: xy03.exe crashed twice and 3317.exe once inside the 96 s kernel window, so whatever those two droppers were meant to do past the crash point is not captured in this run; the DNF executable (PID 3452) is the only dropped binary with no crash recorded.

System Location Discovery: System Language Discovery    1 TTP, 4 IoCs
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    by d01be792134387bfa12c4c4db206338a_JaffaCakes118.exe
    by xy03.exe
    by 3317.exe
    by DNFÉñµ¶±ä̬Îȶ¨0404°æ.exe
  Note: all four processes read the same key, and the parent also queries Geo\Nation above. These are the reads a geofence uses, but the report shows only that the keys were read, not which branch was taken, so the geofence is inferred rather than observed. The image is en-US, so a locale gate aimed at a Chinese host (which the dropped file's name suggests) would not have opened here, which is one plausible reason the run shows so little follow-on activity.

Suspicious use of SetWindowsHookEx    4 IoCs
  PID 3452  DNFÉñµ¶±ä̬Îȶ¨0404°æ.exe  (4 hook installations)

Suspicious use of WriteProcessMemory    9 IoCs
  PID 5076 (d01be792134387bfa12c4c4db206338a_JaffaCakes118.exe) wrote to memory of:
    PID 4380 (procid_target 85), 3 times
    PID 4284 (procid_target 86), 3 times
    PID 3452 (procid_target 90), 3 times
  Note: every target is a child that PID 5076 itself launched (see the process tree), and a burst of writes into each newly created child with no writes anywhere else is what ordinary process creation looks like from a user-mode hook. Nothing on this page shows a write into a process the sample did not create, which is what would distinguish injection from plain process creation.
Processes
  C:\Users\Admin\AppData\Local\Temp\d01be792134387bfa12c4c4db206338a_JaffaCakes118.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\d01be792134387bfa12c4c4db206338a_JaffaCakes118.exe"
  PID 5076
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\xy03.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\xy03.exe"
    PID 4380 (child of 5076)
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\WerFault.exe
      cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 316
      PID 5008 (child of 4380)
        - Program crash

      C:\Windows\SysWOW64\WerFault.exe
      cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 364
      PID 4196 (child of 4380)
        - Program crash

    C:\Users\Admin\AppData\Local\Temp\3317.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\3317.exe"
    PID 4284 (child of 5076)
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\WerFault.exe
      cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 216
      PID 4900 (child of 4284)
        - Program crash

    C:\Users\Admin\AppData\Local\Temp\DNFÉñµ¶±ä̬Îȶ¨0404°æ.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\DNFÉñµ¶±ä̬Îȶ¨0404°æ.exe"
    PID 3452 (child of 5076)
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx

  C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4380 -ip 4380
  PID 2340 (top level)

  C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4284 -ip 4284
  PID 1656 (top level)

  C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4380 -ip 4380
  PID 1872 (top level)

  Reading the tree: the sample spawns three dropped executables from %TEMP% and nothing else. The WerFault.exe entries are Windows Error Reporting handling the crashes of xy03.exe (PID 4380, twice) and 3317.exe (PID 4284), with -p naming the crashed PID; the top-level -pss instances are WER's process-snapshot helpers for those same PIDs. They are OS crash handling, not sample behaviour, and should not be turned into IoCs.
Network
  (no entries in this report)

MITRE ATT&CK Enterprise v15
Downloads
  (four files, unnamed in this report; hashes only)

  File 1
    Filesize: 181KB
    MD5: afa2caa743aec940e3122361fb6ae5fa
    SHA1: 88b4888ef21e523ec6fe05e5f456b1c446e818b8
    SHA256: 98f4fdd3d20f3dc0b9f104f23a6a8c8bc4f6a57ceac0b58b09d51ad4bd79b0c9
    SHA512: 2edeba6d9b880ed41327abd38e22ca0748ed826606f19f66321946d029fe1b9c4b8ae14c5a65cade84fbfc8c358560ff553190a06ee408f8fb5c42af55ca84ca

  File 2
    Filesize: 1.7MB
    MD5: d66bd60d5a2bfb349b7dc05f3063a674
    SHA1: 9df52a5734302a5d2548b3a9de6282b448acaa3d
    SHA256: aadcde894a77d7e2c6637b81a25c33aa2cc558b16b40357bf7917a60a4a05383
    SHA512: 87fd6483244f3f96949c7bc3477abe6279e88e63442f7bfd582bb6df50c40e68b6822c2139e264153f15513de1a7711520b98adaddd69c574b11f769fbcf7c91

  File 3
    Filesize: 42KB
    MD5: 529f6856d13d44057464afb139275bfb
    SHA1: b76107164f06b680d987f6b013b77cbe86e63050
    SHA256: 17110d06615b68051f348b47209966a682cd21cc6ae1e139768e9b872e4865a9
    SHA512: 2646b478dc3a37b9c67b679219bd15030c0c47ef8c3e613bb85f8be33499af9ba50383a740f0c4d6f0cb0fbd961973697cbe6e1061150763dd0c9bf37e3915fa

  File 4
    Filesize: 31KB
    MD5: 3fe1d495631b1c996a48ea09443d6c2f
    SHA1: 44d38ec492f2527729813d8dccc70baa63ed0ac4
    SHA256: 825ab9878222dda86a85ed5ccdb3000a48221c307334d60703fcf3f186248941
    SHA512: dfb2a48bba96c340ecd1aedd64d3a5a029f6811b2b4c639f3cc14fad6e6b1a911e712b6a4329741eb7d1ba973d3e654f968c37af25133905938ad47e93bce507