Analysis
  max time kernel: 143s
  max time network: 136s
  platform: windows10-2004_x64
  resource: win10v2004-20240802-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 28/09/2024, 00:13
Behavioral task
  behavioral1
  Sample: fb273fcdc29af424cda3607500c60b98_JaffaCakes118.exe
  Resource: win7-20240903-en
General
  Target: fb273fcdc29af424cda3607500c60b98_JaffaCakes118.exe
  Size: 769KB
  MD5: fb273fcdc29af424cda3607500c60b98
  SHA1: 51b2bb61e87d07e61901d2087942ef71b6dc20ad
  SHA256: c41ac9475f9cf98355758e757040f4d7ece9f58e5308715bc511f72a231b1613
  SHA512: 79ee6265b72ebae004e47dadb79df9326b74448485e822507681fb7e5438e7f2e798b729e3c46a8d1d9b9fbfe58db9bf9426d252b7ec1e2ad43733e89119a540
  SSDEEP: 12288:6CqIuMQh1EUedx2mZ6ivA1jwHSr/ROSQ8upuDi6VWSe3aG0I+O81AYoURW8BKNP:6RIuMWedx20MwyrcSUQdWvjU1ASY
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | fb273fcdc29af424cda3607500c60b98_JaffaCakes118.exe

Executes dropped EXE (2 IoCs)
  pid | Process
  1232 | svchosty.exe
  4804 | svchosty.exe

  resource | yara_rule
  behavioral2/memory/4632-0-0x0000000000400000-0x00000000004C3000-memory.dmp | upx
  behavioral2/files/0x00090000000233f6-8.dat | upx
  behavioral2/memory/1232-12-0x0000000000400000-0x000000000047B000-memory.dmp | upx
  behavioral2/memory/1232-16-0x0000000000400000-0x000000000047B000-memory.dmp | upx

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Program crash (2 IoCs)
  pid | pid_target | Process | procid_target
  4336 | 4804 | WerFault.exe | 84
  3508 | 4804 | WerFault.exe | 84
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fb273fcdc29af424cda3607500c60b98_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchosty.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchosty.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  1232 | svchosty.exe
  1232 | svchosty.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 4632 wrote to memory of 1232 | 4632 | fb273fcdc29af424cda3607500c60b98_JaffaCakes118.exe | 82
  PID 4632 wrote to memory of 1232 | 4632 | fb273fcdc29af424cda3607500c60b98_JaffaCakes118.exe | 82
  PID 4632 wrote to memory of 1232 | 4632 | fb273fcdc29af424cda3607500c60b98_JaffaCakes118.exe | 82
  PID 1232 wrote to memory of 4804 | 1232 | svchosty.exe | 84
  PID 1232 wrote to memory of 4804 | 1232 | svchosty.exe | 84
  PID 1232 wrote to memory of 4804 | 1232 | svchosty.exe | 84
Processes

- C:\Users\Admin\AppData\Local\Temp\fb273fcdc29af424cda3607500c60b98_JaffaCakes118.exe (PID 4632)
  command line: "C:\Users\Admin\AppData\Local\Temp\fb273fcdc29af424cda3607500c60b98_JaffaCakes118.exe"
  signatures: Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\svchosty.exe (PID 1232)
    command line: "C:\Users\Admin\AppData\Local\Temp\svchosty.exe"
    signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\svchosty.exe (PID 4804)
      command line: C:\Users\Admin\AppData\Local\Temp\svchosty.exe
      signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\WerFault.exe (PID 4336)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 436
        signatures: Program crash
      - C:\Windows\SysWOW64\WerFault.exe (PID 3508)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 456
        signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 2240)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4804 -ip 4804
- C:\Windows\SysWOW64\WerFault.exe (PID 4948)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4804 -ip 4804
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 312KB
  MD5: 5a2bebecff3806d59462205061c54688
  SHA1: ac80e073d32f9f3b17d150969e7729627072b80e
  SHA256: 02c623f0f0a60f06b16f4b40306b26e71b047d35eaa0195982696225c5d57e1f
  SHA512: 89b6012ec78d69067cbceb89a7cce6c75415c1d0dee87c16c3e142c68b283c510cc3a02687b084bf6689355d604ea41f970ef66ddef9742c9d8601d89a4836ed