Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30/09/2024, 15:23
Static task: static1
Behavioral task: behavioral1
- Sample: 020a66f7c7ca9542d434b5e38874fb0d_JaffaCakes118.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 020a66f7c7ca9542d434b5e38874fb0d_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: 020a66f7c7ca9542d434b5e38874fb0d_JaffaCakes118.exe
- Size: 13KB
- MD5: 020a66f7c7ca9542d434b5e38874fb0d
- SHA1: d1e8b96e90f5cc0553517d839b7143e5b6292ebf
- SHA256: 7cdc7c3b1150d794ad0c84fb14757b8662aa522f8896abbd910f9f0d27a305fe
- SHA512: 8c409161640655ff9b278290a7f4627054a061d003618e6352d7fd22978adb2114e69240bc8dcaaed10de99689810675597b81bb65cfce0ce0a6bcb4ecd51e64
- SSDEEP: 384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yh0:hDXWipuE+K3/SSHgx2
Malware Config
Signatures
Checks computer location settings (2 TTPs, 6 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
- Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | DEM6107.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | DEMB716.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | DEMD35.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | 020a66f7c7ca9542d434b5e38874fb0d_JaffaCakes118.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | DEMB45C.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | DEMB26.exe

Executes dropped EXE (6 IoCs)
pid | Process
- 4940 | DEMB45C.exe
- 2480 | DEMB26.exe
- 2156 | DEM6107.exe
- 1272 | DEMB716.exe
- 4956 | DEMD35.exe
- 4620 | DEM6392.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DEMD35.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DEM6392.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 020a66f7c7ca9542d434b5e38874fb0d_JaffaCakes118.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DEMB45C.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DEMB26.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DEM6107.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DEMB716.exe
Suspicious use of WriteProcessMemory (18 IoCs)
description | pid | Process | procid_target
- PID 1468 wrote to memory of 4940 | 1468 | 020a66f7c7ca9542d434b5e38874fb0d_JaffaCakes118.exe | 91
- PID 1468 wrote to memory of 4940 | 1468 | 020a66f7c7ca9542d434b5e38874fb0d_JaffaCakes118.exe | 91
- PID 1468 wrote to memory of 4940 | 1468 | 020a66f7c7ca9542d434b5e38874fb0d_JaffaCakes118.exe | 91
- PID 4940 wrote to memory of 2480 | 4940 | DEMB45C.exe | 95
- PID 4940 wrote to memory of 2480 | 4940 | DEMB45C.exe | 95
- PID 4940 wrote to memory of 2480 | 4940 | DEMB45C.exe | 95
- PID 2480 wrote to memory of 2156 | 2480 | DEMB26.exe | 97
- PID 2480 wrote to memory of 2156 | 2480 | DEMB26.exe | 97
- PID 2480 wrote to memory of 2156 | 2480 | DEMB26.exe | 97
- PID 2156 wrote to memory of 1272 | 2156 | DEM6107.exe | 99
- PID 2156 wrote to memory of 1272 | 2156 | DEM6107.exe | 99
- PID 2156 wrote to memory of 1272 | 2156 | DEM6107.exe | 99
- PID 1272 wrote to memory of 4956 | 1272 | DEMB716.exe | 101
- PID 1272 wrote to memory of 4956 | 1272 | DEMB716.exe | 101
- PID 1272 wrote to memory of 4956 | 1272 | DEMB716.exe | 101
- PID 4956 wrote to memory of 4620 | 4956 | DEMD35.exe | 103
- PID 4956 wrote to memory of 4620 | 4956 | DEMD35.exe | 103
- PID 4956 wrote to memory of 4620 | 4956 | DEMD35.exe | 103
Processes
(Each dropped executable spawns the next, giving a seven-level chain: 1468 -> 4940 -> 2480 -> 2156 -> 1272 -> 4956 -> 4620.)

Depth 1: C:\Users\Admin\AppData\Local\Temp\020a66f7c7ca9542d434b5e38874fb0d_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\020a66f7c7ca9542d434b5e38874fb0d_JaffaCakes118.exe"
PID: 1468
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Depth 2: C:\Users\Admin\AppData\Local\Temp\DEMB45C.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\DEMB45C.exe"
PID: 4940
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Depth 3: C:\Users\Admin\AppData\Local\Temp\DEMB26.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\DEMB26.exe"
PID: 2480
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Depth 4: C:\Users\Admin\AppData\Local\Temp\DEM6107.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\DEM6107.exe"
PID: 2156
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Depth 5: C:\Users\Admin\AppData\Local\Temp\DEMB716.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\DEMB716.exe"
PID: 1272
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Depth 6: C:\Users\Admin\AppData\Local\Temp\DEMD35.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\DEMD35.exe"
PID: 4956
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Depth 7: C:\Users\Admin\AppData\Local\Temp\DEM6392.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\DEM6392.exe"
PID: 4620
- Executes dropped EXE
- System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 14KB
  MD5: 3882cd4d472e00e9ed218107d43ba4e7
  SHA1: 52fedad6cd4183588f10f22b3aaf6df5b18f8379
  SHA256: 7753c7d1236136bf1f376799fe467c4be3c145f66a7b93fd48550fb1c1d48c51
  SHA512: 8b5903dd4d97c47f382e09272aa8bc3c02287291ce8c8385adcd37bf7481b24f581fbbd9addff55ca67321c36fb0dc7a02763ce3c7adf8837d740fa14dbf5515
- Filesize: 14KB
  MD5: e46d9c6cd0716efa351e4b18b7bcc3b5
  SHA1: 8ff7f92d59a2d84dda427aef0fe923cadc487b77
  SHA256: 9f1a1e6905137aad709a76d9dfa312415a8c16edfe4555de3416e55511aa32bd
  SHA512: 9ac45d346796541308d7b2015698c4ae1df2275e68657107939e99b0714e54ce76f4ae54c64dab2e10b863294eeedd80d015705c2bb895ee9fd39a3aaeade3dd
- Filesize: 14KB
  MD5: dc83a981d766970bbd5c6b6117911009
  SHA1: c4ffecd96d19bd1ca365a856de943c539c4f38f8
  SHA256: c7d4805a80c481a27e4ef0a6ca9c7153b66ee1a8d9b2054b58e85bb1f97acfbc
  SHA512: 738189fedef7280450e5f754d9edeb505c8f8f46a136fc65a44ea7686042f163de5c01d2dc5cf4e8b61693b64c96e37873513632e261634871c6bf1c3159b949
- Filesize: 13KB
  MD5: 43d7c2a8bf42128ca35be7865974cd98
  SHA1: 0f568884cc8b98c9076283abd3eb122f4905cdec
  SHA256: 7e275171d7bced07d387492daeb2e054d014692a235e3063f1daab1e61155f79
  SHA512: 19a9034629303c809b39949a0ef8934bf7079d14e0a42f64798cc4c47439aeede4e670cdcbf854d0acd8c0e8346b2663602be4b317c1649b83d9368ddb264ae5
- Filesize: 14KB
  MD5: b4a5a711a9924b04b49d70031bcfd231
  SHA1: d29c7b370e110e872d1c5894b7869ae88be87e1b
  SHA256: e93cb25d8e047bc6a9f62f77498aea1ad9c34df750320cf9a9a1a884b0c41dae
  SHA512: ca920d75e99dfce33f38c8e1de98bb1bfaa9d8d769be878cd1eb9d838beb3be34cd1e1f1433f09f0c2b8a76064bed089b762eb29322e0e4d354feb6c7b3b2c23
- Filesize: 14KB
  MD5: 1fb782494e0c471a8d70d6a935f16495
  SHA1: 6e40b7d624f1a4626310299c43a4e8949383f017
  SHA256: cd4f16c2f692984ee273c9a677fc813c7bd2854da4b4d094d3051dd55f2bcf9c
  SHA512: cb7789ffb2a74c2366b9763764e2d673e2bce71a68e65095d2b07253612f922bad5366b229e53c73fd080b8cd9dc2833441bd9006a4355ccd2e2997d63f37ae9