Analysis
  max time kernel:   148s
  max time network:  150s
  platform:          windows10-2004_x64
  resource:          win10v2004-20240802-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         26/09/2024, 03:16
  Static task:       static1
  Behavioral task:   behavioral1
  Sample:            f77122a2386f98eed9c98b766cff74a6_JaffaCakes118.exe
  Resource:          win7-20240708-en
General
  Target:   f77122a2386f98eed9c98b766cff74a6_JaffaCakes118.exe
  Size:     141KB
  MD5:      f77122a2386f98eed9c98b766cff74a6
  SHA1:     1f7f67376bcd9dcaad62cc1a98af753657a49ffc
  SHA256:   6f790ea21f639b1afc03e40da93b1f6748e51844207ec99d2cfb7a7e303644e1
  SHA512:   daa2e6fd91ae88d70c294ef21f6c98f918436a2f2e5e4825afbbdbda156b8014472baa89d06eb3a5a735b6d3e5e9abfaa309aa399cb62842401b2a1198af4b8a
  SSDEEP:   3072:2Vr1hn2Yh/qLyDOk/q/pk7sZsQlf38jHYMtpSySLhClv3r42zceP:211thiLyDOk/q/p3raH1QySFO/rr
Malware Config
Signatures
-
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  description   ioc                                                          Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  f77122a2386f98eed9c98b766cff74a6_JaffaCakes118.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  serifbatch.exe
Suspicious behavior: EnumeratesProcesses (16 IoCs)
  pid   Process
  412   serifbatch.exe   (16 identical events)

Suspicious behavior: RenamesItself (1 IoC)
  pid    Process
  1492   cmd.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                          pid    Process                                              procid_target
  PID 2520 wrote to memory of 1492     2520   f77122a2386f98eed9c98b766cff74a6_JaffaCakes118.exe   82   (3 identical events)
  PID 2520 wrote to memory of 412      2520   f77122a2386f98eed9c98b766cff74a6_JaffaCakes118.exe   84   (3 identical events)
Processes
  1. C:\Users\Admin\AppData\Local\Temp\f77122a2386f98eed9c98b766cff74a6_JaffaCakes118.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\f77122a2386f98eed9c98b766cff74a6_JaffaCakes118.exe"
     PID: 2520
     - System Location Discovery: System Language Discovery
     - Suspicious use of WriteProcessMemory

     2. C:\Windows\SysWOW64\cmd.exe
        Command line: cmd.exe /C move /Y "C:\Users\Admin\AppData\Local\Temp\f77122a2386f98eed9c98b766cff74a6_JaffaCakes118.exe" "C:\Windows\SysWOW64\serifbatch.exe"
        PID: 1492
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: RenamesItself

     2. C:\Windows\SysWOW64\serifbatch.exe
        Command line: "C:\Windows\SysWOW64\serifbatch.exe"
        PID: 412
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses