Analysis
- max time kernel: 94s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29/09/2024, 14:19

Static task: static1

Behavioral task: behavioral1
- Sample: feb4a1e95f3ac74c6e7a3b85a7a11834_JaffaCakes118.exe
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: feb4a1e95f3ac74c6e7a3b85a7a11834_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: feb4a1e95f3ac74c6e7a3b85a7a11834_JaffaCakes118.exe
- Size: 2.1MB
- MD5: feb4a1e95f3ac74c6e7a3b85a7a11834
- SHA1: fca4199e3320a006453d16bb8ac105354d6581ff
- SHA256: 4192d1084d9dd28e293bdce815592fa71c8722d9c91083b8c8c9b8cfec061d49
- SHA512: 854fd8be770ec36243f7349cc1210364a3d7d941e23cdaa4316808bdc965bddcc000f6f7971e8fc116fd54b6912f62ea5b220f717e1b1dd28f0db2bd9290eb35
- SSDEEP: 49152:D2q3civpMQ9OFnvQNNSNuknmQo6O1g5XcvCt6CfKppWOM:DrciveQ9OFnv+4N1A6O16rcvpxM
Malware Config
Signatures

- Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | feb4a1e95f3ac74c6e7a3b85a7a11834_JaffaCakes118.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | m41l78u9uprxqjv.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | b6thynos8b04n66.exe

- Executes dropped EXE (3 IoCs)
  pid | Process
  4396 | m41l78u9uprxqjv.exe
  4004 | b6thynos8b04n66.exe
  4748 | Protector-alrd.exe

- Indicator Removal: File Deletion (1 TTPs)
  Adversaries may delete files left behind by the actions of their intrusion activity.

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | feb4a1e95f3ac74c6e7a3b85a7a11834_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | m41l78u9uprxqjv.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b6thynos8b04n66.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Protector-alrd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe

- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4004 | b6thynos8b04n66.exe
  Token: SeShutdownPrivilege | 4004 | b6thynos8b04n66.exe
  Token: SeDebugPrivilege | 4748 | Protector-alrd.exe
  Token: SeShutdownPrivilege | 4748 | Protector-alrd.exe

- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  4004 | b6thynos8b04n66.exe
  4748 | Protector-alrd.exe

- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 2452 wrote to memory of 4396 | 2452 | feb4a1e95f3ac74c6e7a3b85a7a11834_JaffaCakes118.exe | 82
  PID 2452 wrote to memory of 4396 | 2452 | feb4a1e95f3ac74c6e7a3b85a7a11834_JaffaCakes118.exe | 82
  PID 2452 wrote to memory of 4396 | 2452 | feb4a1e95f3ac74c6e7a3b85a7a11834_JaffaCakes118.exe | 82
  PID 4396 wrote to memory of 4004 | 4396 | m41l78u9uprxqjv.exe | 83
  PID 4396 wrote to memory of 4004 | 4396 | m41l78u9uprxqjv.exe | 83
  PID 4396 wrote to memory of 4004 | 4396 | m41l78u9uprxqjv.exe | 83
  PID 4004 wrote to memory of 4748 | 4004 | b6thynos8b04n66.exe | 84
  PID 4004 wrote to memory of 4748 | 4004 | b6thynos8b04n66.exe | 84
  PID 4004 wrote to memory of 4748 | 4004 | b6thynos8b04n66.exe | 84
  PID 4004 wrote to memory of 2304 | 4004 | b6thynos8b04n66.exe | 85
  PID 4004 wrote to memory of 2304 | 4004 | b6thynos8b04n66.exe | 85
  PID 4004 wrote to memory of 2304 | 4004 | b6thynos8b04n66.exe | 85
Processes

- C:\Users\Admin\AppData\Local\Temp\feb4a1e95f3ac74c6e7a3b85a7a11834_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\feb4a1e95f3ac74c6e7a3b85a7a11834_JaffaCakes118.exe"
  PID: 2452
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\RarSFX0\m41l78u9uprxqjv.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\m41l78u9uprxqjv.exe" -e -p2pn8xu698ah0qb9
    PID: 4396
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    - C:\Users\Admin\AppData\Local\Temp\RarSFX1\b6thynos8b04n66.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX1\b6thynos8b04n66.exe"
      PID: 4004
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      - C:\Users\Admin\AppData\Roaming\Protector-alrd.exe
        Command line: C:\Users\Admin\AppData\Roaming\Protector-alrd.exe
        PID: 4748
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx

      - C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\B6THYN~1.EXE" >> NUL
        PID: 2304
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 2.0MB
  MD5: c5198aad190a58d59fa4cf9d548bc536
  SHA1: bed2e67fc1ca223daad46f6ca4089cf1d5e33b08
  SHA256: 5f6f239087a40ff9025beffeecb6ecf0eb4c8f588ff0015b3ee9423f7ff5d804
  SHA512: fc6a7593130cfa516866a5bd9b6bcc70ec853da5eda3256db6dc09cb8451aac74fbd1964a7a75eb967adf319f8c325b6cac5d9791d5bc24a7edcbc211791b1fc

- Filesize: 2.0MB
  MD5: d747f50d679159a5c8f70af8c6f1229a
  SHA1: 728b2cdbe38671c3f558dc4be90fd006339159df
  SHA256: 56c7e379cdc925ed01ce7e48d19c608c69bc565e6ec7d3d9670099d1dd5ea62b
  SHA512: 937f56d6bb1cad56e4fb916f46d5cdd02f5336f4511a28c1459095cf124ce61254efa518a0d0cd69102a44cc5255347d55f18100853dd0feaff96d775b453c68