Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
93s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
29/09/2024, 07:34 UTC
Behavioral task
behavioral1
Sample
fe0fc4697ba657b752715617a0a0927a_JaffaCakes118.exe
Resource
win7-20240903-en
General
-
Target
fe0fc4697ba657b752715617a0a0927a_JaffaCakes118.exe
-
Size
784KB
-
MD5
fe0fc4697ba657b752715617a0a0927a
-
SHA1
c245c4420da5e0f9d4b3d826546bc1af2ad5129d
-
SHA256
9173e6228b5fc87965595c14258746ab987ba27a2275941a656b4acd33574012
-
SHA512
59454db295faf1c8548c913ae3a75aab9c092a1d2ac82f5d7c274a7b233f06790eb027f074dd8de2ea3287d6915501e9dd8f0365c1d88c9843bbd7ef3d7d35d1
-
SSDEEP
12288:fh24r4ddezt3ow+kpv0qT+yBTQqatfb5hQKGQSgWoBFQpOwjabdelqYy:fh24ztYfuBEx36gW42ubde4
Malware Config
Signatures
-
XMRig Miner payload 7 IoCs
resource yara_rule behavioral2/memory/216-2-0x0000000000400000-0x0000000000593000-memory.dmp xmrig behavioral2/memory/216-13-0x0000000000400000-0x0000000000593000-memory.dmp xmrig behavioral2/memory/3856-14-0x0000000000400000-0x0000000000593000-memory.dmp xmrig behavioral2/memory/3856-27-0x0000000005310000-0x00000000054A3000-memory.dmp xmrig behavioral2/memory/3856-20-0x0000000000400000-0x0000000000587000-memory.dmp xmrig behavioral2/memory/3856-30-0x00000000005A0000-0x000000000071F000-memory.dmp xmrig behavioral2/memory/3856-31-0x0000000000400000-0x0000000000587000-memory.dmp xmrig -
Deletes itself 1 IoCs
pid Process 3856 fe0fc4697ba657b752715617a0a0927a_JaffaCakes118.exe -
Executes dropped EXE 1 IoCs
pid Process 3856 fe0fc4697ba657b752715617a0a0927a_JaffaCakes118.exe -
resource yara_rule behavioral2/memory/216-0-0x0000000000400000-0x0000000000712000-memory.dmp upx behavioral2/files/0x0008000000023421-11.dat upx behavioral2/memory/3856-12-0x0000000000400000-0x0000000000712000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fe0fc4697ba657b752715617a0a0927a_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fe0fc4697ba657b752715617a0a0927a_JaffaCakes118.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 216 fe0fc4697ba657b752715617a0a0927a_JaffaCakes118.exe -
Suspicious use of UnmapMainImage 2 IoCs
pid Process 216 fe0fc4697ba657b752715617a0a0927a_JaffaCakes118.exe 3856 fe0fc4697ba657b752715617a0a0927a_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 216 wrote to memory of 3856 216 fe0fc4697ba657b752715617a0a0927a_JaffaCakes118.exe 83 PID 216 wrote to memory of 3856 216 fe0fc4697ba657b752715617a0a0927a_JaffaCakes118.exe 83 PID 216 wrote to memory of 3856 216 fe0fc4697ba657b752715617a0a0927a_JaffaCakes118.exe 83
Processes
-
C:\Users\Admin\AppData\Local\Temp\fe0fc4697ba657b752715617a0a0927a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\fe0fc4697ba657b752715617a0a0927a_JaffaCakes118.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:216 -
C:\Users\Admin\AppData\Local\Temp\fe0fc4697ba657b752715617a0a0927a_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\fe0fc4697ba657b752715617a0a0927a_JaffaCakes118.exe2⤵
- Deletes itself
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of UnmapMainImage
PID:3856
-
Network
-
Remote address:8.8.8.8:53Request28.118.140.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request88.210.23.2.in-addr.arpaIN PTRResponse88.210.23.2.in-addr.arpaIN PTRa2-23-210-88deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request67.31.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request217.106.137.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request56.163.245.4.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request171.39.242.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request100.209.201.84.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request43.229.111.52.in-addr.arpaIN PTRResponse
-
72 B 158 B 1 1
DNS Request
28.118.140.52.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
88.210.23.2.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
67.31.126.40.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
217.106.137.52.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
56.163.245.4.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
171.39.242.20.in-addr.arpa
-
73 B 133 B 1 1
DNS Request
100.209.201.84.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
43.229.111.52.in-addr.arpa
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
784KB
MD5f3b75ba5591498b703551af1a9122453
SHA1d14f43d0bb20471bf1aa1bfe08b1554ce864800b
SHA256713431ffe00a79e67035904ab52db069a653b8e71b136bedec949f0b4606b036
SHA5129c9181f4add0c2d2e35a7f1bbc22ba7f263a6b192e37b4d463c3b6867b9e0502ab226e8c9ee02a740f8e97bb0ad72b235f2489c6c593357d42a639ec04fbadc4