Analysis
- max time kernel: 136s
- max time network: 124s
- platform: windows10-2004_x64
- resource: win10v2004-20240910-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240910-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18/09/2024, 13:34
Static task
- static1

Behavioral task
- behavioral1
  - Sample: e93b8f5dc41f87a69fcf19115e985860_JaffaCakes118.exe
  - Resource: win7-20240903-en

Behavioral task
- behavioral2
  - Sample: e93b8f5dc41f87a69fcf19115e985860_JaffaCakes118.exe
  - Resource: win10v2004-20240910-en
General
- Target: e93b8f5dc41f87a69fcf19115e985860_JaffaCakes118.exe
- Size: 98KB
- MD5: e93b8f5dc41f87a69fcf19115e985860
- SHA1: 51c55e7ee1d68c26918c1d6e5082dd60f08cde6d
- SHA256: ab2b8fecd3eabfd9fb63c8fc11b4fb1dd1c439517a1290853af9897d313536e2
- SHA512: 787bfdc8fad1d9cdf52f58d07ce91fab86f5b9a77891523722e1e71fb1087ee43fa07d1557158ce4b6fb982d30c2a208103c0d032b7bd6a3cec1254ff0c1b081
- SSDEEP: 1536:DOoZ86iHPT3qqj7XHLLvXArePDNlv9AEQKzcVsN9+GUROW3zC1hDaMrAJg7Ub+SJ:DdjsnvXtNlebocVsnUROMzC1NAJQO
Malware Config
Extracted
- Family: tofsee
- C2:
  - 64.20.54.234
  - rgtryhbgddtyh.biz
  - wertdghbyrukl.ch
Signatures

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  description        | ioc                                                                                                      | Process
  Key value queried  | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation      | e93b8f5dc41f87a69fcf19115e985860_JaffaCakes118.exe

- Executes dropped EXE (2 IoCs)
  pid  | Process
  3080 | dold.exe
  4724 | dold.exe

- Adds Run key to start application (2 TTPs, 1 IoC)
  description      | ioc                                                                                                                                                   | Process
  Set value (str)  | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSConfig = "\"C:\\Users\\Admin\\dold.exe\" /r" | e93b8f5dc41f87a69fcf19115e985860_JaffaCakes118.exe

- Suspicious use of SetThreadContext (3 IoCs)
  description                          | pid  | Process                                            | procid_target
  PID 3716 set thread context of 4652  | 3716 | e93b8f5dc41f87a69fcf19115e985860_JaffaCakes118.exe | 87
  PID 3080 set thread context of 4724  | 3080 | dold.exe                                           | 89
  PID 4724 set thread context of 5016  | 4724 | dold.exe                                           | 90

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Program crash (1 IoC)
  pid | pid_target | Process      | procid_target
  408 | 5016       | WerFault.exe | 90

- System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc                                                       | Process
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e93b8f5dc41f87a69fcf19115e985860_JaffaCakes118.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e93b8f5dc41f87a69fcf19115e985860_JaffaCakes118.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dold.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dold.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe

- Suspicious use of UnmapMainImage (1 IoC)
  pid  | Process
  3716 | e93b8f5dc41f87a69fcf19115e985860_JaffaCakes118.exe

- Suspicious use of WriteProcessMemory (27 IoCs)
  description                      | pid  | Process                                            | procid_target
  PID 3716 wrote to memory of 4652 | 3716 | e93b8f5dc41f87a69fcf19115e985860_JaffaCakes118.exe | 87
  PID 3716 wrote to memory of 4652 | 3716 | e93b8f5dc41f87a69fcf19115e985860_JaffaCakes118.exe | 87
  PID 3716 wrote to memory of 4652 | 3716 | e93b8f5dc41f87a69fcf19115e985860_JaffaCakes118.exe | 87
  PID 3716 wrote to memory of 4652 | 3716 | e93b8f5dc41f87a69fcf19115e985860_JaffaCakes118.exe | 87
  PID 3716 wrote to memory of 4652 | 3716 | e93b8f5dc41f87a69fcf19115e985860_JaffaCakes118.exe | 87
  PID 3716 wrote to memory of 4652 | 3716 | e93b8f5dc41f87a69fcf19115e985860_JaffaCakes118.exe | 87
  PID 3716 wrote to memory of 4652 | 3716 | e93b8f5dc41f87a69fcf19115e985860_JaffaCakes118.exe | 87
  PID 3716 wrote to memory of 4652 | 3716 | e93b8f5dc41f87a69fcf19115e985860_JaffaCakes118.exe | 87
  PID 4652 wrote to memory of 3080 | 4652 | e93b8f5dc41f87a69fcf19115e985860_JaffaCakes118.exe | 88
  PID 4652 wrote to memory of 3080 | 4652 | e93b8f5dc41f87a69fcf19115e985860_JaffaCakes118.exe | 88
  PID 4652 wrote to memory of 3080 | 4652 | e93b8f5dc41f87a69fcf19115e985860_JaffaCakes118.exe | 88
  PID 3080 wrote to memory of 4724 | 3080 | dold.exe                                           | 89
  PID 3080 wrote to memory of 4724 | 3080 | dold.exe                                           | 89
  PID 3080 wrote to memory of 4724 | 3080 | dold.exe                                           | 89
  PID 3080 wrote to memory of 4724 | 3080 | dold.exe                                           | 89
  PID 3080 wrote to memory of 4724 | 3080 | dold.exe                                           | 89
  PID 3080 wrote to memory of 4724 | 3080 | dold.exe                                           | 89
  PID 3080 wrote to memory of 4724 | 3080 | dold.exe                                           | 89
  PID 3080 wrote to memory of 4724 | 3080 | dold.exe                                           | 89
  PID 4724 wrote to memory of 5016 | 4724 | dold.exe                                           | 90
  PID 4724 wrote to memory of 5016 | 4724 | dold.exe                                           | 90
  PID 4724 wrote to memory of 5016 | 4724 | dold.exe                                           | 90
  PID 4724 wrote to memory of 5016 | 4724 | dold.exe                                           | 90
  PID 4724 wrote to memory of 5016 | 4724 | dold.exe                                           | 90
  PID 4652 wrote to memory of 3076 | 4652 | e93b8f5dc41f87a69fcf19115e985860_JaffaCakes118.exe | 94
  PID 4652 wrote to memory of 3076 | 4652 | e93b8f5dc41f87a69fcf19115e985860_JaffaCakes118.exe | 94
  PID 4652 wrote to memory of 3076 | 4652 | e93b8f5dc41f87a69fcf19115e985860_JaffaCakes118.exe | 94
Processes (process tree; depth shown by indentation)

- [1] C:\Users\Admin\AppData\Local\Temp\e93b8f5dc41f87a69fcf19115e985860_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e93b8f5dc41f87a69fcf19115e985860_JaffaCakes118.exe"
  PID: 3716
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory

  - [2] C:\Users\Admin\AppData\Local\Temp\e93b8f5dc41f87a69fcf19115e985860_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\e93b8f5dc41f87a69fcf19115e985860_JaffaCakes118.exe"
    PID: 4652
    - Checks computer location settings
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    - [3] C:\Users\Admin\dold.exe
      Command line: "C:\Users\Admin\dold.exe" /r
      PID: 3080
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      - [4] C:\Users\Admin\dold.exe
        Command line: "C:\Users\Admin\dold.exe" /r
        PID: 4724
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        - [5] C:\Windows\SysWOW64\svchost.exe
          Command line: svchost.exe
          PID: 5016
          - System Location Discovery: System Language Discovery

          - [6] C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 320
            PID: 408
            - Program crash

    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6121.bat" "
      PID: 3076
      - System Location Discovery: System Language Discovery

- [1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5016 -ip 5016
  PID: 4488
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 117B
  MD5: 29ae634b924626f108a4857622116511
  SHA1: f293e14cda8bb3118184ed0cb47f37204ce7c9d5
  SHA256: 3663aa1e7897d2e6a4d0a0661a2c0a2e1f75dde26878b21632db1b883dded2a5
  SHA512: 8bb34df5a03af6f3b738cde5e5ebf70f4c4016c8c2cf38c350aad04670cbc113d0bddd191b88d694ab473f1a664e5ed765dd98793f2917c705410db3836e22f6

- Filesize: 98KB
  MD5: e93b8f5dc41f87a69fcf19115e985860
  SHA1: 51c55e7ee1d68c26918c1d6e5082dd60f08cde6d
  SHA256: ab2b8fecd3eabfd9fb63c8fc11b4fb1dd1c439517a1290853af9897d313536e2
  SHA512: 787bfdc8fad1d9cdf52f58d07ce91fab86f5b9a77891523722e1e71fb1087ee43fa07d1557158ce4b6fb982d30c2a208103c0d032b7bd6a3cec1254ff0c1b081