Analysis
max time kernel: 93s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/09/2024, 22:08
Static task: static1
Behavioral task: behavioral1
  Sample: defc9d452668ea45d9ae227c7e03b297_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: defc9d452668ea45d9ae227c7e03b297_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: defc9d452668ea45d9ae227c7e03b297_JaffaCakes118.exe
Size: 171KB
MD5: defc9d452668ea45d9ae227c7e03b297
SHA1: c557a904f86188c7c5f4f461f8c470442fda52c0
SHA256: 7b85de170ce879dbcbb803d563d60735007f17eb336025cfc88aa5d1e4d30b86
SHA512: bb570c53261055b0fe8aa64407d7979e800f32ea5b93b0d97fefc8f75bfc55ab46440986749823968b88da62330930545531e308a2362499928083628d4b76e4
SSDEEP: 3072:w6pQc+sSxnTrGadgsFqZeo4pwkhUmZr3hPsOraS87FYqjTZbn4TGz:w6p2sSxTrGvsFUejWyZr3hPswa1TZjxz
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | defc9d452668ea45d9ae227c7e03b297_JaffaCakes118.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | defc9d452668ea45d9ae227c7e03b297_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeIncBasePriorityPrivilege | 4600 | defc9d452668ea45d9ae227c7e03b297_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 4600 wrote to memory of 3428 | 4600 | defc9d452668ea45d9ae227c7e03b297_JaffaCakes118.exe | 84
PID 4600 wrote to memory of 3428 | 4600 | defc9d452668ea45d9ae227c7e03b297_JaffaCakes118.exe | 84
PID 4600 wrote to memory of 3428 | 4600 | defc9d452668ea45d9ae227c7e03b297_JaffaCakes118.exe | 84
PID 3428 wrote to memory of 4156 | 3428 | cmd.exe | 88
PID 3428 wrote to memory of 4156 | 3428 | cmd.exe | 88
PID 3428 wrote to memory of 4156 | 3428 | cmd.exe | 88
Views/modifies file attributes (1 TTP, 1 IoC)
pid | Process
4156 | attrib.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\defc9d452668ea45d9ae227c7e03b297_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\defc9d452668ea45d9ae227c7e03b297_JaffaCakes118.exe"
   PID: 4600
   - Checks computer location settings
   - System Location Discovery: System Language Discovery
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\ProgramData\gloE07E.tmp.bat" "C:\Users\Admin\AppData\Local\Temp\defc9d452668ea45d9ae227c7e03b297_JaffaCakes118.exe""
      PID: 3428
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\attrib.exe
         Command line: attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\defc9d452668ea45d9ae227c7e03b297_JaffaCakes118.exe"
         PID: 4156
         - System Location Discovery: System Language Discovery
         - Views/modifies file attributes
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 58B
MD5: 5d988a8f6167896acd44e3857187ff1b
SHA1: 2e82c0dd6bfd8c004c9aec24494f465e3ec569ed
SHA256: 2eed78ba99011f8ae76caadbe1321402fbabd2571e0e033a08b886ed8d8b03bb
SHA512: 13390d2ce68c4117b0f125eba329b753a25485b9d4a74f264802804f679cce25a3840419e4c780471dd87f8d51268a69e6c3c53cef2982e7fc13eb213de48f96