Analysis
max time kernel: 141s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/10/2024, 17:26
Static task: static1
Behavioral task: behavioral1
Sample: 06b92d6c76be3fd40ce44eb12774feb2_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: 06b92d6c76be3fd40ce44eb12774feb2_JaffaCakes118.exe
Size: 646KB
MD5: 06b92d6c76be3fd40ce44eb12774feb2
SHA1: 2735b6ac837a2402ba5cdd1bf1793c7b7337339c
SHA256: b112c45475b30c2f94b1eeadf4fa2c284ba5b5354da25051a18d963ddab7b860
SHA512: 3d1785132ab4d2676771d7ceed488c8695aa7522d0a9259c26e18989675b14bf6c2471b3afba9a4ceef759ad4d943c4a6b6caaa4d9a5f5a803688e5215d9a11e
SSDEEP: 12288:XR3c8JzAyJLu+oQBfdPl2fYPLu/lTUEniLKUMbD1WFMEqUGG:XR3c6AyE+NBlPl7L2lTUoi+dnKmbG
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation (process: 06b92d6c76be3fd40ce44eb12774feb2_JaffaCakes118.exe)

Executes dropped EXE (3 IoCs)
- PID 2104: Kban0.exe
- PID 2760: Kban1.exe
- PID 3940: QQ.exe

YARA rule matches (rule: upx)
- behavioral2/files/0x00090000000233ef-4.dat
- behavioral2/memory/2104-8-0x0000000000400000-0x00000000004C8000-memory.dmp
- behavioral2/memory/3940-26-0x0000000000400000-0x00000000004C8000-memory.dmp
- behavioral2/memory/2104-30-0x0000000000400000-0x00000000004C8000-memory.dmp
- behavioral2/memory/3940-32-0x0000000000400000-0x00000000004C8000-memory.dmp

Drops file in Windows directory (3 IoCs)
- File created: C:\Windows\QQ.exe (process: Kban0.exe)
- File opened for modification: C:\Windows\QQ.exe (process: Kban0.exe)
- File created: C:\Windows\uninstal.bat (process: Kban0.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 06b92d6c76be3fd40ce44eb12774feb2_JaffaCakes118.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: Kban0.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: Kban1.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: QQ.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cmd.exe)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 2104 (Kban0.exe)
- Token: SeDebugPrivilege, PID 3940 (QQ.exe)

Suspicious use of FindShellTrayWindow (1 IoCs)
- PID 3940: QQ.exe

Suspicious use of WriteProcessMemory (11 IoCs)
- PID 2452 wrote to memory of 2104 (process: 06b92d6c76be3fd40ce44eb12774feb2_JaffaCakes118.exe, procid_target: 82)
- PID 2452 wrote to memory of 2104 (process: 06b92d6c76be3fd40ce44eb12774feb2_JaffaCakes118.exe, procid_target: 82)
- PID 2452 wrote to memory of 2104 (process: 06b92d6c76be3fd40ce44eb12774feb2_JaffaCakes118.exe, procid_target: 82)
- PID 2452 wrote to memory of 2760 (process: 06b92d6c76be3fd40ce44eb12774feb2_JaffaCakes118.exe, procid_target: 83)
- PID 2452 wrote to memory of 2760 (process: 06b92d6c76be3fd40ce44eb12774feb2_JaffaCakes118.exe, procid_target: 83)
- PID 2452 wrote to memory of 2760 (process: 06b92d6c76be3fd40ce44eb12774feb2_JaffaCakes118.exe, procid_target: 83)
- PID 3940 wrote to memory of 2636 (process: QQ.exe, procid_target: 85)
- PID 3940 wrote to memory of 2636 (process: QQ.exe, procid_target: 85)
- PID 2104 wrote to memory of 4332 (process: Kban0.exe, procid_target: 86)
- PID 2104 wrote to memory of 4332 (process: Kban0.exe, procid_target: 86)
- PID 2104 wrote to memory of 4332 (process: Kban0.exe, procid_target: 86)
Processes
- C:\Users\Admin\AppData\Local\Temp\06b92d6c76be3fd40ce44eb12774feb2_JaffaCakes118.exe (PID 2452)
  Command line: "C:\Users\Admin\AppData\Local\Temp\06b92d6c76be3fd40ce44eb12774feb2_JaffaCakes118.exe"
  Signatures: Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Kban0.exe (PID 2104)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Kban0.exe"
    Signatures: Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 4332)
      Command line: C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
      Signatures: System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\Kban1.exe (PID 2760)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Kban1.exe"
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
- C:\Windows\QQ.exe (PID 3940)
  Command line: C:\Windows\QQ.exe
  Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
  - C:\Program Files\Internet Explorer\IEXPLORE.EXE (PID 2636)
    Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 295KB
  MD5: 3e563f8bd128ad2fbebed6dc1123f4ed
  SHA1: d8951a7e9c8a9d77aec67ce756d1c15c998c033b
  SHA256: fe45159d1bc8ffc4a81c7bb92daccd85ed688e848ed60071f365a87c1d637340
  SHA512: 2d403f785b94249822ed73465099671a9f652c282d9affa1e3560eca806a38739409a9587c62699f38f77f94824ebb630fb79d9f90ec4c8041cd8bb31c2bd422
- Filesize: 328KB
  MD5: 6ff7294765026d3f74e5c2d111460590
  SHA1: 5ecd3bc899761ff2a312186a27941e62fc4c5351
  SHA256: c9bf41b9c56d75e0b08c26f1bc1d1aa32831fca2ecea9f8d8993ef0a4594fc9f
  SHA512: 97bff9644722945a0873add2a9e66f24d225315d3b2e0294a0bbf4bf38f45f21681add008d6b9b1ece8ff09c84b1d0ccdf06c017d86a2a0aacfe01206143bf06
- Filesize: 136B
  MD5: 9fc21a6ada20429e4027c9d18895366c
  SHA1: a9bc15297ce86b8b628d1080053d75f62d5ba862
  SHA256: d89d3cd9c47a0effcd876f9107f9d99b8420fe72b283cd68af47b4e2254ef031
  SHA512: f1d4cbbcd0f15f0c25491d73565c73adfc45f7fa727f31551f75758b35a0f50a7442da91a6b7547ab702d78d6156d173bf4dce4b1d1a3da741e0bb67e8b2ecdd