Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
13/09/2024, 03:05
Static task
static1
Behavioral task
behavioral1
Sample
dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe
-
Size
184KB
-
MD5
dd8b1b0b9002f34b6de1ce5795af7044
-
SHA1
21a258520bc8a5752bd301fdc30246e2d7b09cf1
-
SHA256
49caadac601106fea44e5865d240e71989b737a27968cf07a585cb6aa7b506d5
-
SHA512
291cdbd385222f9c5569b00446f2288db97a069c56de0f90bbc6e045d8630132a246dc1ce283350ee101a1e9b01a8e6edf4356b637768a0735d433d3b8bf4d28
-
SSDEEP
3072:6Xj0wZchwJVqMuS4OX0ggDDIotbJKbkrQa:azZ4wzZuS4OXRmDnbJka
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation svchost.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 2000 set thread context of 1328 2000 dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe 85 PID 2040 set thread context of 3124 2040 svchost.exe 89 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings svchost.exe -
Suspicious behavior: RenamesItself 2 IoCs
pid Process 1328 dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe 1328 dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 2000 dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe 2040 svchost.exe 3124 svchost.exe -
Suspicious use of WriteProcessMemory 27 IoCs
description pid Process procid_target PID 2000 wrote to memory of 1328 2000 dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe 85 PID 2000 wrote to memory of 1328 2000 dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe 85 PID 2000 wrote to memory of 1328 2000 dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe 85 PID 2000 wrote to memory of 1328 2000 dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe 85 PID 2000 wrote to memory of 1328 2000 dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe 85 PID 2000 wrote to memory of 1328 2000 dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe 85 PID 2000 wrote to memory of 1328 2000 dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe 85 PID 2000 wrote to memory of 1328 2000 dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe 85 PID 2000 wrote to memory of 1328 2000 dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe 85 PID 1328 wrote to memory of 2276 1328 dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe 86 PID 1328 wrote to memory of 2276 1328 dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe 86 PID 1328 wrote to memory of 2276 1328 dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe 86 PID 2276 wrote to memory of 2040 2276 cmd.exe 88 PID 2276 wrote to memory of 2040 2276 cmd.exe 88 PID 2276 wrote to memory of 2040 2276 cmd.exe 88 PID 2040 wrote to memory of 3124 2040 svchost.exe 89 PID 2040 wrote to memory of 3124 2040 svchost.exe 89 PID 2040 wrote to memory of 3124 2040 svchost.exe 89 PID 2040 wrote to memory of 3124 2040 svchost.exe 89 PID 2040 wrote to memory of 3124 2040 svchost.exe 89 PID 2040 wrote to memory of 3124 2040 svchost.exe 89 PID 2040 wrote to memory of 3124 2040 svchost.exe 89 PID 2040 wrote to memory of 3124 2040 svchost.exe 89 PID 2040 wrote to memory of 3124 2040 svchost.exe 89 PID 3124 wrote to memory of 1088 3124 svchost.exe 92 PID 3124 wrote to memory of 1088 3124 svchost.exe 92 PID 3124 wrote to memory of 1088 3124 svchost.exe 92
Processes
-
C:\Users\Admin\AppData\Local\Temp\dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Users\Admin\AppData\Local\Temp\dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\dd8b1b0b9002f34b6de1ce5795af7044_JaffaCakes118.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1328 -
C:\Windows\SysWOW64\cmd.execmd.exe /c run.bat3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Users\Admin\AppData\Local\Temp\svchost.exesvchost.exe4⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"5⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3124 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\reg.vbs"6⤵
- System Location Discovery: System Language Discovery
PID:1088
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
292B
MD5344f0e480669a6cfd147877470601f46
SHA164a32bcf575b29267f4d2f1f834ce9cb12640dec
SHA256258def3e3c6d2f23d29a96209218ba58f40dbe644938452dcfc48fd113a7bea6
SHA512cd06b8630ac28b936a041566a85dde8f1c799f3dae952540f8bd07845d81ec3dae2f58b12866c9e5c6fdc5357d2cf181e87e61da641f6b2bea46f6ffaa7ef700
-
Filesize
11B
MD5d1c56374fff0243832b8696d133b7861
SHA1f4d236fdec2fd03914189c3b26e5cb0dfea9d761
SHA2568e8eab0b4bfdc35c5f238935b81298e43970ee6818e9629d725297ebf03838a6
SHA512e74cbfc425b9779b79dfb6b53dbf3d1451f9f35a766cc5167932b95c9bdb5288b65f9886fbdf3c3b180bf3a8360bfa1ef577b63e3443cae04b49e7ece433c452