Analysis
max time kernel: 95s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/09/2024, 16:32
Static task: static1
Behavioral task: behavioral1
  Sample: edfdef59f92fee006518e57f2f8f01b8_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2 (the Windows 10 run reported below)
  Sample: edfdef59f92fee006518e57f2f8f01b8_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: edfdef59f92fee006518e57f2f8f01b8_JaffaCakes118.exe
Size: 212KB
MD5: edfdef59f92fee006518e57f2f8f01b8
SHA1: 3b8065cd942b517b402af0cc93f41c0dfdd5dd15
SHA256: ae5169a9295d294594533c5cce04ff557eddeea30963e2eb81f5df6cdb6304cd
SHA512: f3b78c90f28047c6a8ac97a25fce50a002b718b451eb5c66edf39cd4a510dd3d95f652a1839b3c41d07033e00ca6d76ec41d2b6b01532430c6d80cbfbd62ff07
SSDEEP: 3072:3d09mZ3vD7RpNh8xvv5z2LizudUfgF8qNO5GM5aEADQbkt/KyJh045Fmxb5k6Toc:3d09mVr7RLh8p5z2OCdULWvDTJle98c
Malware Config
Extracted family: tofsee
  94.75.255.140
  rgtryhbgddtyh.biz
  wertdghbyrukl.ch
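The three indicators above are the only network IOCs this report yields, and the usual next step is to sweep DNS and connection logs for them. The Python below is an added example, not part of the tria.ge report: the indicators are the report's, while the log format (tab-separated ts, src, dst, query or dport), hosts and timestamps are constructed for illustration. It covers the two details that make such sweeps produce false positives or misses: FQDN normalization (case, trailing dot) and a suffix test that treats `mail.wertdghbyrukl.ch` as a hit but not the look-alike `notwertdghbyrukl.ch`.

```python
"""Match the Tofsee indicators from the Malware Config section against log lines.

Added example; not part of the tria.ge report. The three indicators are taken
from the report; the log format, hosts and timestamps are constructed.
"""
import ipaddress
from typing import Dict, List, Optional

# Indicators exactly as extracted by the sandbox.
TOFSEE_IPS = {"94.75.255.140"}
TOFSEE_DOMAINS = {"rgtryhbgddtyh.biz", "wertdghbyrukl.ch"}

# Constructed logs (ts, src, dst, query) and (ts, src, dst, dport). They
# deliberately include an upper-case trailing-dot FQDN, a real subdomain,
# a look-alike that only shares a suffix, and a near-miss IP.
DNS_LOG = """\
1726849935.123\t10.0.0.15\t10.0.0.2\tRGTRYHBGDDTYH.BIZ.
1726849936.456\t10.0.0.15\t10.0.0.2\twww.example.com
1726849937.789\t10.0.0.15\t10.0.0.2\tmail.wertdghbyrukl.ch
1726849938.000\t10.0.0.15\t10.0.0.2\tnotwertdghbyrukl.ch
"""
CONN_LOG = """\
1726849940.001\t10.0.0.15\t94.75.255.140\t443
1726849941.002\t10.0.0.15\t93.184.216.34\t443
1726849942.003\t10.0.0.15\t94.75.255.14\t80
"""


def normalize_fqdn(name: str) -> str:
    """Lower-case and drop the trailing dot so 'FOO.BIZ.' equals 'foo.biz'."""
    return name.strip().lower().rstrip(".")


def domain_match(query: str, indicators=TOFSEE_DOMAINS) -> Optional[str]:
    """Return the indicator if query is that domain or one of its subdomains.

    The '.' prepended to the suffix is what stops 'notwertdghbyrukl.ch'
    from matching 'wertdghbyrukl.ch'.
    """
    q = normalize_fqdn(query)
    for ind in indicators:
        if q == ind or q.endswith("." + ind):
            return ind
    return None


def ip_match(addr: str, indicators=TOFSEE_IPS) -> Optional[str]:
    """Parse first so malformed fields are skipped rather than string-compared."""
    try:
        canon = str(ipaddress.ip_address(addr.strip()))
    except ValueError:
        return None
    return canon if canon in indicators else None


def scan(dns_log: str = DNS_LOG, conn_log: str = CONN_LOG) -> List[Dict[str, str]]:
    """Return one hit per log line that touches a Tofsee indicator."""
    hits = []
    for line in dns_log.splitlines():
        ts, src, _dst, query = line.split("\t")
        ind = domain_match(query)
        if ind:
            hits.append({"ts": ts, "src": src, "indicator": ind, "evidence": query})
    for line in conn_log.splitlines():
        ts, src, dst, dport = line.split("\t")
        ind = ip_match(dst)
        if ind:
            hits.append({"ts": ts, "src": src, "indicator": ind, "evidence": f"{dst}:{dport}"})
    return hits


if __name__ == "__main__":
    for h in scan():
        print(f"{h['ts']} {h['src']} -> {h['indicator']} ({h['evidence']})")
```

Run as-is it reports three hits (the two domain lookups and the connection to 94.75.255.140) and ignores the look-alike domain and the near-miss address; swap the constructed strings for real Zeek or resolver output with the same four fields to use it on a fleet.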
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation
  Process: edfdef59f92fee006518e57f2f8f01b8_JaffaCakes118.exe

Executes dropped EXE (2 IoCs)
  PID 3588: duvlieg.exe
  PID 4680: duvlieg.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSConfig = "\"C:\\Users\\Admin\\duvlieg.exe\" /r"
  Process: edfdef59f92fee006518e57f2f8f01b8_JaffaCakes118.exe

Suspicious use of SetThreadContext (3 IoCs)
  PID 2724 (edfdef59f92fee006518e57f2f8f01b8_JaffaCakes118.exe) set thread context of PID 3112 (procid_target 82)
  PID 3588 (duvlieg.exe) set thread context of PID 4680 (procid_target 84)
  PID 4680 (duvlieg.exe) set thread context of PID 404 (procid_target 85)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
  PID 4928 (WerFault.exe) handled the crash of PID 404 (procid_target 85)

System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Processes: cmd.exe; svchost.exe; edfdef59f92fee006518e57f2f8f01b8_JaffaCakes118.exe (2 events); duvlieg.exe (2 events)

Suspicious use of UnmapMainImage (1 IoC)
  PID 2724: edfdef59f92fee006518e57f2f8f01b8_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (27 IoCs, grouped by source and target)
  PID 2724 (edfdef59f92fee006518e57f2f8f01b8_JaffaCakes118.exe) wrote to memory of PID 3112 (procid_target 82): 8 events
  PID 3112 (edfdef59f92fee006518e57f2f8f01b8_JaffaCakes118.exe) wrote to memory of PID 3588 (procid_target 83): 3 events
  PID 3588 (duvlieg.exe) wrote to memory of PID 4680 (procid_target 84): 8 events
  PID 4680 (duvlieg.exe) wrote to memory of PID 404 (procid_target 85): 5 events
  PID 3112 (edfdef59f92fee006518e57f2f8f01b8_JaffaCakes118.exe) wrote to memory of PID 1400 (procid_target 88): 3 events
Processes (indented by tree depth; each node shows image, PID, command line and the signatures it triggered)

C:\Users\Admin\AppData\Local\Temp\edfdef59f92fee006518e57f2f8f01b8_JaffaCakes118.exe  PID 2724
  "C:\Users\Admin\AppData\Local\Temp\edfdef59f92fee006518e57f2f8f01b8_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\edfdef59f92fee006518e57f2f8f01b8_JaffaCakes118.exe  PID 3112
    "C:\Users\Admin\AppData\Local\Temp\edfdef59f92fee006518e57f2f8f01b8_JaffaCakes118.exe"
    - Checks computer location settings
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\duvlieg.exe  PID 3588
      "C:\Users\Admin\duvlieg.exe" /r
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\duvlieg.exe  PID 4680
        "C:\Users\Admin\duvlieg.exe" /r
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\svchost.exe  PID 404
          svchost.exe
          - System Location Discovery: System Language Discovery

          C:\Windows\SysWOW64\WerFault.exe  PID 4928
            C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 212
            - Program crash

    C:\Windows\SysWOW64\cmd.exe  PID 1400
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8232.bat" "
      - System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\WerFault.exe  PID 4432
  C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 404 -ip 404
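Read together, the signatures and the process tree describe one technique applied twice: the sample spawns a second copy of itself and, from PID 2724, unmaps the child's main image, writes into it and sets its thread context (the RunPE / process-hollowing sequence); the hollowed copy then drops duvlieg.exe, which repeats the same steps on its own child and finally on a 32-bit svchost.exe launched from SysWOW64 by duvlieg.exe rather than by services.exe. The WerFault child of PID 404 shows that this last stage crashed in this run, so whatever the hollowed svchost was meant to do did not execute here. Persistence is a Run value named MSConfig that points into the user profile. The Python below is an added example, not part of the tria.ge report: it transcribes the report's PIDs, images, command lines, SetThreadContext pairs and Run value into a list/dict layout that is an assumption for this example (not tria.ge's export format; HKCU stands in for the \REGISTRY\USER\<SID> path shown above), rebuilds the tree, and applies the three checks a detection engineer would derive from this run. On a live host the same logic applies to Sysmon process-create and registry events plus an EDR's thread-context telemetry, since Sysmon itself does not record SetThreadContext.

```python
"""Rebuild this report's process tree and flag the hollowing chain and persistence.

Added example; not part of the tria.ge report. PIDs, images, command lines, the
SetThreadContext pairs and the Run value are transcribed from the report above.
The tuple/dict layout is an assumption for this example, not tria.ge's export
format; HKCU stands in for the \\REGISTRY\\USER\\<SID> path shown in the report.
"""
import ntpath
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

Process = Tuple[int, Optional[int], str, str]  # pid, ppid, image path, command line
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\edfdef59f92fee006518e57f2f8f01b8_JaffaCakes118.exe"
DROPPED = r"C:\Users\Admin\duvlieg.exe"
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"

PROCESSES: List[Process] = [
    (2724, None, SAMPLE, f'"{SAMPLE}"'),
    (3112, 2724, SAMPLE, f'"{SAMPLE}"'),
    (3588, 3112, DROPPED, f'"{DROPPED}" /r'),
    (4680, 3588, DROPPED, f'"{DROPPED}" /r'),
    (404, 4680, r"C:\Windows\SysWOW64\svchost.exe", "svchost.exe"),
    (4928, 404, WERFAULT, WERFAULT + " -u -p 404 -s 212"),
    (1400, 3112, r"C:\Windows\SysWOW64\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8232.bat" "'),
    (4432, None, WERFAULT, WERFAULT + " -pss -s 408 -p 404 -ip 404"),
]
SET_THREAD_CONTEXT = [(2724, 3112), (3588, 4680), (4680, 404)]  # (source pid, target pid)
RUN_VALUES = {r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSConfig": f'"{DROPPED}" /r'}


def by_pid(processes: List[Process]) -> Dict[int, Process]:
    return {p[0]: p for p in processes}

def image_name(path: str) -> str:
    return ntpath.basename(path).lower()

def is_windows_binary(path: str) -> bool:
    return path.lower().startswith("c:\\windows\\")

def find_hollowing(processes: List[Process], stc_events) -> List[Tuple[int, int, str]]:
    """SetThreadContext on a child the caller spawned itself is the tail of RunPE
    (create suspended, unmap, write image, set context, resume)."""
    procs = by_pid(processes)
    findings = []
    for src, tgt in stc_events:
        s, t = procs.get(src), procs.get(tgt)
        if s is None or t is None or t[1] != src:
            continue  # not a child of the caller: out of scope for this rule
        if image_name(s[2]) == image_name(t[2]):
            findings.append((src, tgt, "self-hollowing: child runs the same image"))
        elif is_windows_binary(t[2]):
            findings.append((src, tgt, "hollowed system binary: " + image_name(t[2])))
    return findings

def orphaned_svchost(processes: List[Process]) -> List[Tuple[int, str]]:
    """svchost.exe is only ever started by services.exe; any other parent is suspect."""
    procs = by_pid(processes)
    hits = []
    for pid, ppid, image, _ in processes:
        if image_name(image) == "svchost.exe":
            parent = procs.get(ppid)
            parent_name = image_name(parent[2]) if parent else "<unknown>"
            if parent_name != "services.exe":
                hits.append((pid, parent_name))
    return hits

def suspicious_run_values(run_values: Dict[str, str]) -> List[Tuple[str, str, List[str]]]:
    """Flag Run entries that point into a user profile or whose value name borrows
    a Windows tool's name (MSConfig here) while pointing outside C:\\Windows."""
    hits = []
    for name, cmd in run_values.items():
        exe = cmd.split('"')[1] if cmd.startswith('"') else cmd.split()[0]
        reasons = []
        if exe.lower().startswith("c:\\users\\"):
            reasons.append("target in user profile")
        if ntpath.basename(name).lower() == "msconfig" and not is_windows_binary(exe):
            reasons.append("value name mimics a Windows tool")
        if reasons:
            hits.append((name, exe, reasons))
    return hits

def render_tree(processes: List[Process]) -> str:
    """Indented tree, one '[pid] image  command line' line per process."""
    procs, children, roots = by_pid(processes), defaultdict(list), []
    for pid, ppid, _, _ in processes:
        (children[ppid] if ppid in procs else roots).append(pid)
    lines: List[str] = []

    def walk(pid: int, depth: int) -> None:
        _, _, image, cmd = procs[pid]
        lines.append(f"{'  ' * depth}[{pid}] {image_name(image)}  {cmd}")
        for child in children[pid]:
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_tree(PROCESSES))
    print(find_hollowing(PROCESSES, SET_THREAD_CONTEXT), orphaned_svchost(PROCESSES))
    print(suspicious_run_values(RUN_VALUES))
```

`find_hollowing` deliberately requires the target to be a direct child of the caller: that is what separates hollowing from a debugger or an injector attaching to an unrelated process, and it is the shape all three SetThreadContext events in this report have. The `orphaned_svchost` check is independent of the injection telemetry and is the cheapest of the three to run fleet-wide from process-create events alone.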
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1 (117B)
  MD5: 8e1385d471972c513b646b1afe8b9f04
  SHA1: 6777cb18728eccc0fea95f85923690acc5ba7ad7
  SHA256: 48f71c9f5df68a300d6dcffbfbf06eefc0c7cdaadddfcaf6b49c1a7bcff50749
  SHA512: 389044bf2e4762a0d1db821e66e2c77f8451c52050111df8bac7621c0c19b01778df1192c662c6cf03c6f9b8a7311b43551e7dff16997b8e6f4cf2a0060e4b1f

File 2 (212KB; same hashes as the submitted sample in the General section)
  MD5: edfdef59f92fee006518e57f2f8f01b8
  SHA1: 3b8065cd942b517b402af0cc93f41c0dfdd5dd15
  SHA256: ae5169a9295d294594533c5cce04ff557eddeea30963e2eb81f5df6cdb6304cd
  SHA512: f3b78c90f28047c6a8ac97a25fce50a002b718b451eb5c66edf39cd4a510dd3d95f652a1839b3c41d07033e00ca6d76ec41d2b6b01532430c6d80cbfbd62ff07