Analysis
max time kernel: 141s
max time network: 137s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/09/2024, 01:27
Static task: static1
Behavioral task: behavioral1
  Sample: d0cbd3cc267eeef814bb93f713d7d5da_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: d0cbd3cc267eeef814bb93f713d7d5da_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: d0cbd3cc267eeef814bb93f713d7d5da_JaffaCakes118.exe
Size: 201KB
MD5: d0cbd3cc267eeef814bb93f713d7d5da
SHA1: 67ac446219b20ac3e6fd24e4acdb2f33e8aa2097
SHA256: dfeed846f1550a7966c8ea06079fd6ab99e094eaed5d3b83ffff097d2d4021b6
SHA512: 65588742eebc73ac8ef6ccd6526017fbe524c6a27c641457c64a1755d1ae2ae0798193de7ad151d187f82efd0dc6a82da42903a60660d387aa602f1c4422e47a
SSDEEP: 3072:kIatQqMlm/aMawNOud4W+DM8VC9vY7tSx2CYXNouBQkchxyUjoY:OtXMluZiqD9vYpSwCKodhkUjL
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | d0cbd3cc267eeef814bb93f713d7d5da_JaffaCakes118.exe

Network Service Discovery
  pid | Process
  2144 | ARP.EXE
  844 | ARP.EXE
  3432 | cmd.exe
  2508 | cmd.exe
  5004 | cmd.exe
  4512 | cmd.exe
  3980 | ARP.EXE
  4060 | cmd.exe
  1192 | cmd.exe

Drops file in System32 directory (6 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\temp1.txt | cmd.exe
  File created | C:\Windows\SysWOW64\temp2.txt | cmd.exe
  File opened for modification | C:\Windows\SysWOW64\temp2.txt | cmd.exe
  File created | C:\Windows\SysWOW64\temp1.txt | cmd.exe
  File created | C:\Windows\SysWOW64\temp2.txt | cmd.exe
  File created | C:\Windows\SysWOW64\temp1.txt | cmd.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
  pid | pid_target | Process | procid_target
  1188 | 1624 | WerFault.exe | 82
System Location Discovery: System Language Discovery (1 TTP, 10 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d0cbd3cc267eeef814bb93f713d7d5da_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ARP.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ARP.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ARP.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe

Suspicious use of WriteProcessMemory (27 IoCs)
  description | pid | Process | procid_target
  PID 1624 wrote to memory of 5004 | 1624 | d0cbd3cc267eeef814bb93f713d7d5da_JaffaCakes118.exe | 89
  PID 1624 wrote to memory of 5004 | 1624 | d0cbd3cc267eeef814bb93f713d7d5da_JaffaCakes118.exe | 89
  PID 1624 wrote to memory of 5004 | 1624 | d0cbd3cc267eeef814bb93f713d7d5da_JaffaCakes118.exe | 89
  PID 1624 wrote to memory of 4512 | 1624 | d0cbd3cc267eeef814bb93f713d7d5da_JaffaCakes118.exe | 91
  PID 1624 wrote to memory of 4512 | 1624 | d0cbd3cc267eeef814bb93f713d7d5da_JaffaCakes118.exe | 91
  PID 1624 wrote to memory of 4512 | 1624 | d0cbd3cc267eeef814bb93f713d7d5da_JaffaCakes118.exe | 91
  PID 5004 wrote to memory of 3980 | 5004 | cmd.exe | 93
  PID 5004 wrote to memory of 3980 | 5004 | cmd.exe | 93
  PID 5004 wrote to memory of 3980 | 5004 | cmd.exe | 93
  PID 4512 wrote to memory of 2144 | 4512 | cmd.exe | 94
  PID 4512 wrote to memory of 2144 | 4512 | cmd.exe | 94
  PID 4512 wrote to memory of 2144 | 4512 | cmd.exe | 94
  PID 1624 wrote to memory of 4060 | 1624 | d0cbd3cc267eeef814bb93f713d7d5da_JaffaCakes118.exe | 100
  PID 1624 wrote to memory of 4060 | 1624 | d0cbd3cc267eeef814bb93f713d7d5da_JaffaCakes118.exe | 100
  PID 1624 wrote to memory of 4060 | 1624 | d0cbd3cc267eeef814bb93f713d7d5da_JaffaCakes118.exe | 100
  PID 4060 wrote to memory of 844 | 4060 | cmd.exe | 102
  PID 4060 wrote to memory of 844 | 4060 | cmd.exe | 102
  PID 4060 wrote to memory of 844 | 4060 | cmd.exe | 102
  PID 1624 wrote to memory of 3432 | 1624 | d0cbd3cc267eeef814bb93f713d7d5da_JaffaCakes118.exe | 106
  PID 1624 wrote to memory of 3432 | 1624 | d0cbd3cc267eeef814bb93f713d7d5da_JaffaCakes118.exe | 106
  PID 1624 wrote to memory of 3432 | 1624 | d0cbd3cc267eeef814bb93f713d7d5da_JaffaCakes118.exe | 106
  PID 1624 wrote to memory of 1192 | 1624 | d0cbd3cc267eeef814bb93f713d7d5da_JaffaCakes118.exe | 108
  PID 1624 wrote to memory of 1192 | 1624 | d0cbd3cc267eeef814bb93f713d7d5da_JaffaCakes118.exe | 108
  PID 1624 wrote to memory of 1192 | 1624 | d0cbd3cc267eeef814bb93f713d7d5da_JaffaCakes118.exe | 108
  PID 1624 wrote to memory of 2508 | 1624 | d0cbd3cc267eeef814bb93f713d7d5da_JaffaCakes118.exe | 110
  PID 1624 wrote to memory of 2508 | 1624 | d0cbd3cc267eeef814bb93f713d7d5da_JaffaCakes118.exe | 110
  PID 1624 wrote to memory of 2508 | 1624 | d0cbd3cc267eeef814bb93f713d7d5da_JaffaCakes118.exe | 110
Processes
- C:\Users\Admin\AppData\Local\Temp\d0cbd3cc267eeef814bb93f713d7d5da_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d0cbd3cc267eeef814bb93f713d7d5da_JaffaCakes118.exe"
  PID: 1624
  Signatures: Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 284
      PID: 1188
      Signatures: Program crash
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c arp -a >%windir%\system32\temp1.txt
      PID: 5004
      Signatures: Network Service Discovery; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\ARP.EXE
          Command line: arp -a
          PID: 3980
          Signatures: Network Service Discovery; System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c arp -a >%windir%\system32\temp2.txt
      PID: 4512
      Signatures: Network Service Discovery; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\ARP.EXE
          Command line: arp -a
          PID: 2144
          Signatures: Network Service Discovery; System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c arp -a >%windir%\system32\temp2.txt
      PID: 4060
      Signatures: Network Service Discovery; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\ARP.EXE
          Command line: arp -a
          PID: 844
          Signatures: Network Service Discovery; System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c arp -a >%windir%\system32\temp1.txt
      PID: 3432
      Signatures: Network Service Discovery; Drops file in System32 directory; System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c arp -a >%windir%\system32\temp2.txt
      PID: 1192
      Signatures: Network Service Discovery; Drops file in System32 directory; System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c arp -a >%windir%\system32\temp1.txt
      PID: 2508
      Signatures: Network Service Discovery; Drops file in System32 directory; System Location Discovery: System Language Discovery
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1624 -ip 1624
  PID: 60
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 551B
MD5: 703ae12ae7a6e024e9e9ced651889d7d
SHA1: eddb3a63ec8100ccde65d0217923da1cd9396c55
SHA256: 281d10434f1c2d6e47bd1e157146b894f057f8205213667251077930ec45981f
SHA512: a7c6ee9fee76ac4522f11261c33f9050d8f6bedd0f4f4510d3d18717d8e354b099c913e6e4d05f3868b9999056fe93c8aa83f66cfea7bc78edbde45cd5746b09