Analysis
  max time kernel:  140s
  max time network: 95s
  platform:         windows10-2004_x64
  resource:         win10v2004-20240802-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        04/10/2024, 16:22
Static task
  static1

Behavioral task
  behavioral1
    Sample:   141548dd830ee087060c586286ee5978_JaffaCakes118.exe
    Resource: win7-20240704-en

Behavioral task
  behavioral2
    Sample:   141548dd830ee087060c586286ee5978_JaffaCakes118.exe
    Resource: win10v2004-20240802-en
General
  Target: 141548dd830ee087060c586286ee5978_JaffaCakes118.exe
  Size:   373KB
  MD5:    141548dd830ee087060c586286ee5978
  SHA1:   9dc1fef5803f3e68e5508a05c4c6340a6741702c
  SHA256: 09ae0ba8ed6ac83f73462c743f87fed4aff0d645d68e0fa151f63b41d621ad60
  SHA512: eac79862272363efbc152372ab458a74545468e42a0da70128bff5383dd6c73c202b688446e1cf305ec4223781839fd25faecbbd223a8b9d587a178fa8c61519
  SSDEEP: 6144:BvZQCqWExFjMQ0YM3i9rSeX/OHWbboa4FU3yZglJgr/VprMfY+u7UBWQM49mS8tc:5fqhxFjr0YeiJNXGUyClar/YuYB/M49d
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  pid   | Process
  3512  | services.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description     | ioc                                                                                                                                                                                           | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WINWMT32 = "REGEDIT /S \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WMTINSTA.REG\"" | regedit.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WINWMT32 = "REGEDIT /S \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WMTINSTA.REG\"" | regedit.exe

System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc                                                         | Process
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regedit.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | CMD.EXE
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regedit.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 141548dd830ee087060c586286ee5978_JaffaCakes118.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | services.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | CMD.EXE

Runs regedit.exe (2 IoCs)
  pid   | Process
  984   | regedit.exe
  2092  | regedit.exe

Suspicious use of WriteProcessMemory (15 IoCs)
  description                        | pid  | Process                                            | procid_target
  PID 4920 wrote to memory of 3512   | 4920 | 141548dd830ee087060c586286ee5978_JaffaCakes118.exe | 82
  PID 4920 wrote to memory of 3512   | 4920 | 141548dd830ee087060c586286ee5978_JaffaCakes118.exe | 82
  PID 4920 wrote to memory of 3512   | 4920 | 141548dd830ee087060c586286ee5978_JaffaCakes118.exe | 82
  PID 3512 wrote to memory of 4928   | 3512 | services.exe                                       | 83
  PID 3512 wrote to memory of 4928   | 3512 | services.exe                                       | 83
  PID 3512 wrote to memory of 4928   | 3512 | services.exe                                       | 83
  PID 4928 wrote to memory of 984    | 4928 | CMD.EXE                                            | 85
  PID 4928 wrote to memory of 984    | 4928 | CMD.EXE                                            | 85
  PID 4928 wrote to memory of 984    | 4928 | CMD.EXE                                            | 85
  PID 4920 wrote to memory of 1808   | 4920 | 141548dd830ee087060c586286ee5978_JaffaCakes118.exe | 86
  PID 4920 wrote to memory of 1808   | 4920 | 141548dd830ee087060c586286ee5978_JaffaCakes118.exe | 86
  PID 4920 wrote to memory of 1808   | 4920 | 141548dd830ee087060c586286ee5978_JaffaCakes118.exe | 86
  PID 1808 wrote to memory of 2092   | 1808 | CMD.EXE                                            | 88
  PID 1808 wrote to memory of 2092   | 1808 | CMD.EXE                                            | 88
  PID 1808 wrote to memory of 2092   | 1808 | CMD.EXE                                            | 88
Processes

C:\Users\Admin\AppData\Local\Temp\141548dd830ee087060c586286ee5978_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\141548dd830ee087060c586286ee5978_JaffaCakes118.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 4920

  C:\Users\Admin\AppData\Local\Temp\services.exe
    command line: C:\Users\Admin\AppData\Local\Temp\services.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 3512

    C:\Windows\SysWOW64\CMD.EXE
      command line: CMD.EXE /C REGEDIT /S "C:\Users\Admin\AppData\Local\Temp\WMT.GER"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 4928

      C:\Windows\SysWOW64\regedit.exe
        command line: REGEDIT /S "C:\Users\Admin\AppData\Local\Temp\WMT.GER"
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Runs regedit.exe
        PID: 984

  C:\Windows\SysWOW64\CMD.EXE
    command line: CMD.EXE /C REGEDIT /S "C:\Users\Admin\AppData\Local\Temp\WMT.GER"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1808

    C:\Windows\SysWOW64\regedit.exe
      command line: REGEDIT /S "C:\Users\Admin\AppData\Local\Temp\WMT.GER"
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Runs regedit.exe
      PID: 2092
Network
MITRE ATT&CK Enterprise v15
Downloads

  Filesize: 161B
  MD5:      ddd2a5b59b0507f1b38d4b70c5493cd5
  SHA1:     6b958ea3468bf7fc085e9a9147e89a0299106974
  SHA256:   4c84d8cda07990c1f9ea4e4bc6221f8b3241842fa33f2106d98734ac2ffb4227
  SHA512:   58a285e36a20a0165b7904c6bc8c43402ad69b92d49bb5d51205adcb83205c746ce0ccbe607116f509eb78f6360def074a0fb41c7ac7c96e3eee44dfef365e68

  Filesize: 146B
  MD5:      d38d353dcb8f69412efd564fbc97ec27
  SHA1:     44db24099c9d7f374cc9409b87aaa33c0e44b2a9
  SHA256:   c13fc26863183a3cbcdf174ac2987942fc7c9294d6ab847dfebdd4f87e53cc15
  SHA512:   fc4afc5ca760f283d3e2b3f46b16d875342266bcb8426b60af4c80c03d0fb4beeb0e58a42da7db64e85597aa3d3e7a05cae5cae0d51db7f5d9744e537d5a5338

  Filesize: 373KB
  MD5:      141548dd830ee087060c586286ee5978
  SHA1:     9dc1fef5803f3e68e5508a05c4c6340a6741702c
  SHA256:   09ae0ba8ed6ac83f73462c743f87fed4aff0d645d68e0fa151f63b41d621ad60
  SHA512:   eac79862272363efbc152372ab458a74545468e42a0da70128bff5383dd6c73c202b688446e1cf305ec4223781839fd25faecbbd223a8b9d587a178fa8c61519