Analysis
max time kernel: 141s
max time network: 97s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/10/2024, 18:57
Static task
static1
Behavioral task
behavioral1
Sample
102757bd56dedaf5c41bcb0908e39f5f_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
102757bd56dedaf5c41bcb0908e39f5f_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
Target: 102757bd56dedaf5c41bcb0908e39f5f_JaffaCakes118.exe
Size: 374KB
MD5: 102757bd56dedaf5c41bcb0908e39f5f
SHA1: 9e1d1227ac66941c4d52a067483a2725a0a00947
SHA256: 2bab3a939ef64e3ceff3ab2a801e14b0687a0432bd76ccdc1fb592ad4bb37f13
SHA512: a89310c8f707f8f5a09ba4f479ffc88c085485e23a92d289ebd8501e12ed0db0eb30dd7f20d183dbc1ad4cbbac539c8c8dbc81537115bd9e1b4342fd818dae99
SSDEEP: 6144:ISDpAg7c2UufeFcXjySDcvtWiMxVeXX/6z5HQx73CTgQz36FWqDcMEZVVmRPZ3hd:fmMnfkGyxvt9/ligQ76F3wDSPdhg1XAV
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation (process: 102757bd56dedaf5c41bcb0908e39f5f_JaffaCakes118.exe)
Executes dropped EXE (2 IoCs)
- PID 4536: ID_Nxp8471_Conversion.exe
- PID 4332: 02.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 102757bd56dedaf5c41bcb0908e39f5f_JaffaCakes118.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: ID_Nxp8471_Conversion.exe)
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments. Note that every read in this group (and the BIOS reads under "Enumerates system info in registry" below) is attributed to dw20.exe, the .NET Framework error-reporting shim, which 02.exe spawned as dw20.exe -x -s <handle>; that is the standard Watson launch on an unhandled .NET exception, so these reads are more plausibly crash-report telemetry about the host than evasion by the sample itself.
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (process: dw20.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (process: dw20.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: dw20.exe)
Enumerates system info in registry (2 TTPs, 2 IoCs)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (process: dw20.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (process: dw20.exe)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeBackupPrivilege, PID 2736 dw20.exe
- Token: SeBackupPrivilege, PID 2736 dw20.exe
Suspicious use of WriteProcessMemory (7 IoCs)
- PID 1676 (102757bd56dedaf5c41bcb0908e39f5f_JaffaCakes118.exe) wrote to memory of PID 4536, procid_target 82
- PID 1676 (102757bd56dedaf5c41bcb0908e39f5f_JaffaCakes118.exe) wrote to memory of PID 4536, procid_target 82
- PID 1676 (102757bd56dedaf5c41bcb0908e39f5f_JaffaCakes118.exe) wrote to memory of PID 4536, procid_target 82
- PID 1676 (102757bd56dedaf5c41bcb0908e39f5f_JaffaCakes118.exe) wrote to memory of PID 4332, procid_target 83
- PID 1676 (102757bd56dedaf5c41bcb0908e39f5f_JaffaCakes118.exe) wrote to memory of PID 4332, procid_target 83
- PID 4332 (02.exe) wrote to memory of PID 2736, procid_target 84
- PID 4332 (02.exe) wrote to memory of PID 2736, procid_target 84
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\102757bd56dedaf5c41bcb0908e39f5f_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\102757bd56dedaf5c41bcb0908e39f5f_JaffaCakes118.exe"
  PID: 1676
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  Depth 2: C:\Users\Admin\AppData\Local\Temp\ID_Nxp8471_Conversion.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ID_Nxp8471_Conversion.exe"
    PID: 4536
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
  Depth 2: C:\Users\Admin\AppData\Local\Temp\02.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\02.exe"
    PID: 4332
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    Depth 3: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
      Command line: dw20.exe -x -s 712
      PID: 2736
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious use of AdjustPrivilegeToken
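The following Python is added here as an illustration and is not part of the tria.ge report or of the sample. It turns the registry and process IoCs above into detection logic and runs it over a handful of constructed Sysmon-style events that are built from the report's own PIDs, paths and registry keys (they are not a real log capture). It flags the location-discovery pattern (a Geo\Nation read next to an NLS\Language read), the dropped-EXE chain launched out of %TEMP%, and separates the dw20.exe -x -s crash-reporter child from the sample's own behaviour so its CPU/BIOS reads are not mis-read as evasion. The Event shape, the function names and the simplified field layout are assumptions made for the example.

```python
"""Detection logic over the registry and process IoCs listed in this report.
Added example, not part of the tria.ge report. EVENTS is constructed from the
report's PIDs, paths and keys in a simplified Sysmon-like shape (an assumption),
not a real log capture."""
from collections import defaultdict
from dataclasses import dataclass

# Registry key suffixes read by the sample and its dropped child, per the report.
GEO_NATION = r"control panel\international\geo\nation"
NLS_LANGUAGE = r"control\nls\language"

TEMP_DIR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"


@dataclass(frozen=True)
class Event:
    kind: str            # "regquery": image read `target`; "create": image spawned `target`
    pid: int
    image: str           # full path of the acting process
    target: str          # registry path (regquery) or child image path (create)
    child_pid: int = 0
    child_cmdline: str = ""


SAMPLE = TEMP_DIR + "102757bd56dedaf5c41bcb0908e39f5f_JaffaCakes118.exe"
CONV = TEMP_DIR + "ID_Nxp8471_Conversion.exe"
EXE02 = TEMP_DIR + "02.exe"
DW20 = r"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe"

# Constructed events mirroring the report's IoCs (PIDs and paths as listed there).
EVENTS = [
    Event("regquery", 1676, SAMPLE,
          r"\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation"),
    Event("regquery", 1676, SAMPLE, r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
    Event("create", 1676, SAMPLE, CONV, child_pid=4536),
    Event("regquery", 4536, CONV, r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
    Event("create", 1676, SAMPLE, EXE02, child_pid=4332),
    Event("create", 4332, EXE02, DW20, child_pid=2736, child_cmdline="dw20.exe -x -s 712"),
    Event("regquery", 2736, DW20,
          r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"),
]


def normalize_key(path: str) -> str:
    """Lowercase a native registry path and drop the REGISTRY/USER/<SID> or
    REGISTRY/MACHINE prefix so hive-independent suffix matching works."""
    parts = path.lower().strip("\\").split("\\")
    if parts[:2] == ["registry", "user"] and len(parts) > 2:
        parts = parts[3:]            # drop "registry", "user", "<sid>"
    elif parts[:2] == ["registry", "machine"]:
        parts = parts[2:]
    return "\\".join(parts)


def find_location_discovery(events):
    """Map PID -> set of location-discovery keys it read (ATT&CK System Language Discovery)."""
    hits = defaultdict(set)
    for e in events:
        if e.kind != "regquery":
            continue
        key = normalize_key(e.target)
        if key.endswith(GEO_NATION):
            hits[e.pid].add("geo_nation")
        elif key.endswith(NLS_LANGUAGE):
            hits[e.pid].add("nls_language")
    return dict(hits)


def find_temp_drop_chains(events):
    """A process in %TEMP% spawning another executable from %TEMP%: the 'Executes dropped EXE' pattern."""
    temp = TEMP_DIR.lower()
    return [(e.image.rsplit("\\", 1)[-1], e.target.rsplit("\\", 1)[-1])
            for e in events
            if e.kind == "create"
            and e.image.lower().startswith(temp)
            and e.target.lower().startswith(temp)]


def find_watson_crashes(events):
    """dw20.exe -x -s <handle> is the .NET error-reporting shim launched on an unhandled
    exception; return the parent images that crashed so their telemetry is not read as evasion."""
    return [e.image.rsplit("\\", 1)[-1]
            for e in events
            if e.kind == "create"
            and e.target.lower().endswith("\\dw20.exe")
            and " -x -s " in e.child_cmdline]


if __name__ == "__main__":
    print("location discovery:", find_location_discovery(EVENTS))
    print("dropped-EXE chains:", find_temp_drop_chains(EVENTS))
    print("crashed .NET parents:", find_watson_crashes(EVENTS))
```

On these events the sample (PID 1676) is the only process that reads both keys, which is the geofence signal worth alerting on; the dropped ID_Nxp8471_Conversion.exe repeats only the language read, and the only CPU read comes from the crash reporter that 02.exe triggered.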
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
Filesize: 172KB
MD5: 054735a9e07c0d155284236f00536023
SHA1: ae5273884cc4970e61cffa7f48581accecdd9181
SHA256: 711f0870d6d373648e01aa6203f7fe06d04e1f2ac152570f5bc337dba5d29de0
SHA512: ca2ceb60508693c0670ca6dc6579c231c5e38f24fc35d89db9a159a488fd67d962978d269788839243dcf6ef3163604f584bb4fb59a9f73c165556c1f99443c3
File 2
Filesize: 422KB
MD5: cb50f552f5b70148f4bc4ab44cb17791
SHA1: 70cc3ad2cc3bfe5431d0fdd6fc74a56ee464ea7f
SHA256: 7915ee78d902938052a8703ef25baa26771e181cc64a8d05664c11d980891f1d
SHA512: 7bb476554b94412031e12f1e3cb96d9ff90381a4ff960190c83c514d8a85f174883d5f987a4fb20fa7e3e45ffec9410a530f5891392b4da357e41c7b9613e96e