Analysis
- max time kernel: 93s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07/09/2024, 06:18
Static task
- static1
Behavioral tasks
- behavioral1: sample d144276564e42a5f6e5659c239c44084_JaffaCakes118.exe, resource win7-20240903-en
- behavioral2: sample d144276564e42a5f6e5659c239c44084_JaffaCakes118.exe, resource win10v2004-20240802-en
General
- Target: d144276564e42a5f6e5659c239c44084_JaffaCakes118.exe
- Size: 494KB
- MD5: d144276564e42a5f6e5659c239c44084
- SHA1: d9c984a7e14fb1a0286f60f9a48edd27c1b637b8
- SHA256: bbd6ab9b45768fc524009df808635974bead3e79d887de6fd73fc84ac9c7dac6
- SHA512: 05a6e17c56d95cba81e44e8c93448e1f2c60db82213092f443a157a34bbc5528b0b75618544278b28886727cd81d4aadfacf2a9d88d273822f39ae7b3762f0d3
- SSDEEP: 6144:wWt1qBqBc0Agdj4Xz3c1OsOIZmwtweGUfT3w8M7pvi0hTaKohdS7b6l+RGY12Ak7:nt1qBKd24XdZmowMNCvi0TeXS71ZUAk7
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | BiffBot2a.exe
- Executes dropped EXE (3 IoCs)
  pid | Process
  2000 | BiffBot2a.exe
  1792 | TibiaBoT.exe
  4872 | BiffBot.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d144276564e42a5f6e5659c239c44084_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | BiffBot2a.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | TibiaBoT.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | BiffBot.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  3864 | d144276564e42a5f6e5659c239c44084_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 3864 wrote to memory of 2000 | 3864 | d144276564e42a5f6e5659c239c44084_JaffaCakes118.exe | 83
  PID 3864 wrote to memory of 2000 | 3864 | d144276564e42a5f6e5659c239c44084_JaffaCakes118.exe | 83
  PID 3864 wrote to memory of 2000 | 3864 | d144276564e42a5f6e5659c239c44084_JaffaCakes118.exe | 83
  PID 2000 wrote to memory of 1792 | 2000 | BiffBot2a.exe | 85
  PID 2000 wrote to memory of 1792 | 2000 | BiffBot2a.exe | 85
  PID 2000 wrote to memory of 1792 | 2000 | BiffBot2a.exe | 85
  PID 2000 wrote to memory of 4872 | 2000 | BiffBot2a.exe | 86
  PID 2000 wrote to memory of 4872 | 2000 | BiffBot2a.exe | 86
  PID 2000 wrote to memory of 4872 | 2000 | BiffBot2a.exe | 86
Processes
- C:\Users\Admin\AppData\Local\Temp\d144276564e42a5f6e5659c239c44084_JaffaCakes118.exe (PID 3864, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\d144276564e42a5f6e5659c239c44084_JaffaCakes118.exe"
  signatures: System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\BiffBot2a.exe (PID 2000, depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\\BiffBot2a.exe"
    signatures: Checks computer location settings; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\temp\TibiaBoT.exe (PID 1792, depth 3)
      command line: "C:\Windows\temp\TibiaBoT.exe"
      signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
    - C:\Windows\temp\BiffBot.exe (PID 4872, depth 3)
      command line: "C:\Windows\temp\BiffBot.exe"
      signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
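Added example, not part of the tria.ge report: a small Python triage script of the kind an analyst keeps beside reports like this one. It reads the signature rows copied from this page, collapses the three-times-repeated WriteProcessMemory rows, rebuilds the parent/child process tree, and tags each process with the ATT&CK technique its registry IoC implies. The row grammar is inferred from this page and is an assumption; so is treating each unique parent-to-child WriteProcessMemory pair as a process-creation edge (the Processes section above shows the same relationships, so the result can be checked against it). The technique IDs T1614 and T1614.001 come from ATT&CK Enterprise and are not printed on this page.

```python
import re
from collections import defaultdict

# Rows copied from "Suspicious use of WriteProcessMemory" above (raw string:
# the report's backslashes are kept literally). tria.ge lists each write
# three times; build_tree() collapses the repeats.
WPM_ROWS = r"""
PID 3864 wrote to memory of 2000 3864 d144276564e42a5f6e5659c239c44084_JaffaCakes118.exe 83
PID 3864 wrote to memory of 2000 3864 d144276564e42a5f6e5659c239c44084_JaffaCakes118.exe 83
PID 3864 wrote to memory of 2000 3864 d144276564e42a5f6e5659c239c44084_JaffaCakes118.exe 83
PID 2000 wrote to memory of 1792 2000 BiffBot2a.exe 85
PID 2000 wrote to memory of 1792 2000 BiffBot2a.exe 85
PID 2000 wrote to memory of 1792 2000 BiffBot2a.exe 85
PID 2000 wrote to memory of 4872 2000 BiffBot2a.exe 86
PID 2000 wrote to memory of 4872 2000 BiffBot2a.exe 86
PID 2000 wrote to memory of 4872 2000 BiffBot2a.exe 86
"""

# Rows copied from "Executes dropped EXE" (pid, image).
DROPPED_ROWS = """
2000 BiffBot2a.exe
1792 TibiaBoT.exe
4872 BiffBot.exe
"""

# Rows copied from the two location/language discovery signatures.
REG_ROWS = r"""
Key value queried \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation BiffBot2a.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d144276564e42a5f6e5659c239c44084_JaffaCakes118.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BiffBot2a.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language TibiaBoT.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BiffBot.exe
"""

# Row grammar inferred from this page (assumption).
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")
DROPPED_RE = re.compile(r"^(\d+) (\S+)$")
REG_RE = re.compile(r"^(Key value queried|Key opened) (.+) (\S+)$")

# ATT&CK IDs are from ATT&CK Enterprise, not from the report; the key
# suffixes are the ones the report's IoC rows show.
ATTACK_BY_KEY_SUFFIX = {
    r"Control Panel\International\Geo\Nation": "T1614 System Location Discovery",
    r"Control\NLS\Language": "T1614.001 System Language Discovery",
}

def parse_rows(text, pattern):
    """Match each non-empty line against pattern; lines that do not match are skipped."""
    rows = []
    for line in text.strip().splitlines():
        m = pattern.match(line.strip())
        if m:
            rows.append(m.groups())
    return rows

def build_tree(wpm_rows, dropped_rows):
    """Return (edges, images, duplicates). Assumption: each unique
    parent->child WriteProcessMemory pair is one process-creation edge."""
    images = {int(pid): image for pid, image in dropped_rows}
    edges = defaultdict(set)
    duplicates = 0
    for parent, child, _, parent_image, _ in wpm_rows:
        parent, child = int(parent), int(child)
        images.setdefault(parent, parent_image)  # root is only named here
        if child in edges[parent]:
            duplicates += 1
        edges[parent].add(child)
    return dict(edges), images, duplicates

def roots(edges):
    """Pids that write to others but are never written to: the tree roots."""
    children = {c for cs in edges.values() for c in cs}
    return sorted(p for p in edges if p not in children)

def discovery_by_process(reg_rows):
    """Map process image -> set of techniques implied by its registry IoCs."""
    out = defaultdict(set)
    for _action, key, proc in reg_rows:
        for suffix, technique in ATTACK_BY_KEY_SUFFIX.items():
            if key.endswith(suffix):
                out[proc].add(technique)
    return dict(out)

def render(edges, images, disc, pid, depth=0):
    """One indented line per process, with its technique tags in brackets."""
    name = images.get(pid, "?")
    tags = ", ".join(sorted(disc.get(name, ())))
    lines = ["  " * depth + f"{pid} {name}" + (f"  [{tags}]" if tags else "")]
    for child in sorted(edges.get(pid, ())):
        lines.extend(render(edges, images, disc, child, depth + 1))
    return lines

def triage(wpm_text=WPM_ROWS, dropped_text=DROPPED_ROWS, reg_text=REG_ROWS):
    edges, images, duplicates = build_tree(
        parse_rows(wpm_text, WPM_RE), parse_rows(dropped_text, DROPPED_RE))
    disc = discovery_by_process(parse_rows(reg_text, REG_RE))
    tree = []
    for root in roots(edges):
        tree.extend(render(edges, images, disc, root))
    return {"edges": edges, "images": images, "duplicates": duplicates,
            "discovery": disc, "tree": tree}

if __name__ == "__main__":
    result = triage()
    print("\n".join(result["tree"]))
    print(f"collapsed {result['duplicates']} repeated WriteProcessMemory rows")
```

Running it prints the four-process tree with the sample as root, BiffBot2a.exe as the only process that queried the Geo\Nation key, and all four processes tagged with the language lookup, which matches the Processes section above; the six collapsed rows are the repeats tria.ge shows for each of the three child processes.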
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 321KB
  MD5: 8c7600127b2584dba97050fddc3cd1f1
  SHA1: 9fec0af2af8290c486395e065e3be8e385ebd3f4
  SHA256: 5d034b4e3eacd41bd7155498ff6a8cb0ac355b9bf2c7fc85870182da00dbac76
  SHA512: 80b56aace544503267f7cafc3da41b0b52c23f80e4555be92c66de0f743d1b6900df055c7f3d3abbe059c3094d9bae0c85db4391c8ac813a016127b727754495
- Filesize: 485KB
  MD5: 10dff69269aa2fdda505d37e93f2e190
  SHA1: a8bba23298384539cdba3851178473dde14599cf
  SHA256: dfbef6e1f4d8d04731bc3b5ac10fd75ee21240dd1328a7aa4c88f4188f62d109
  SHA512: ce3e0eddf03be16816951569a9beb0bfefc6762ea66c9f57db6002042016d3b24e258f62a037ce4461808a7dbeafe6aade3fb7291c3ca74a037d4b64703dfe19
- Filesize: 208KB
  MD5: 548820d1a0f4aa38c43893cd41f15eea
  SHA1: 12c7bac058f67096ca12beb277603e13315b2ae5
  SHA256: 8e08c5b42d51af4e62a4b8cee5cb40766403e9daed8d92c42aa83a891268c813
  SHA512: a996fec0cb5f44f57876beff582b35bb796b16f2a8d9b776b7ef9645f41c64e8a077646a8cf9142b9f165399e1af479a0d1605c6cf111c68d80fe77e222e2bfe