Analysis
- max time kernel: 132s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/10/2024, 10:58
Static task: static1
Behavioral task: behavioral1
- Sample: 17ce1129878d4a18b153c487f87f4f50_JaffaCakes118.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 17ce1129878d4a18b153c487f87f4f50_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: 17ce1129878d4a18b153c487f87f4f50_JaffaCakes118.exe
- Size: 14KB
- MD5: 17ce1129878d4a18b153c487f87f4f50
- SHA1: bbf24086466ed820af34d2e7ba46b91096c32477
- SHA256: 60856fe8482547c19e743a1ccfa6264c8d2f6584ab2764019c43d32df46d7cd4
- SHA512: d57aa78751492e176f50302b8061676ed957dcd08c041627d1dff438cea2a7eb50f88a6c2b01ab8c185a01bf510123c1d84ed03be3d75b74d30b60d38ab61ae1
- SSDEEP: 384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yh0:hDXWipuE+K3/SSHgxS
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 6 IoCs)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | 17ce1129878d4a18b153c487f87f4f50_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | DEM8ADB.exe
Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | DEME186.exe
Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | DEM37B5.exe
Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | DEM8E12.exe
Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | DEME450.exe

- Executes dropped EXE (6 IoCs)
pid | Process
3164 | DEM8ADB.exe
3824 | DEME186.exe
3048 | DEM37B5.exe
2008 | DEM8E12.exe
4556 | DEME450.exe
2136 | DEM3ACD.exe

- Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

- System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DEME450.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DEM3ACD.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 17ce1129878d4a18b153c487f87f4f50_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DEM8ADB.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DEME186.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DEM37B5.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DEM8E12.exe

- Suspicious use of WriteProcessMemory (18 IoCs)
description | pid | Process | procid_target
PID 3624 wrote to memory of 3164 | 3624 | 17ce1129878d4a18b153c487f87f4f50_JaffaCakes118.exe | 90
PID 3624 wrote to memory of 3164 | 3624 | 17ce1129878d4a18b153c487f87f4f50_JaffaCakes118.exe | 90
PID 3624 wrote to memory of 3164 | 3624 | 17ce1129878d4a18b153c487f87f4f50_JaffaCakes118.exe | 90
PID 3164 wrote to memory of 3824 | 3164 | DEM8ADB.exe | 94
PID 3164 wrote to memory of 3824 | 3164 | DEM8ADB.exe | 94
PID 3164 wrote to memory of 3824 | 3164 | DEM8ADB.exe | 94
PID 3824 wrote to memory of 3048 | 3824 | DEME186.exe | 96
PID 3824 wrote to memory of 3048 | 3824 | DEME186.exe | 96
PID 3824 wrote to memory of 3048 | 3824 | DEME186.exe | 96
PID 3048 wrote to memory of 2008 | 3048 | DEM37B5.exe | 98
PID 3048 wrote to memory of 2008 | 3048 | DEM37B5.exe | 98
PID 3048 wrote to memory of 2008 | 3048 | DEM37B5.exe | 98
PID 2008 wrote to memory of 4556 | 2008 | DEM8E12.exe | 100
PID 2008 wrote to memory of 4556 | 2008 | DEM8E12.exe | 100
PID 2008 wrote to memory of 4556 | 2008 | DEM8E12.exe | 100
PID 4556 wrote to memory of 2136 | 4556 | DEME450.exe | 102
PID 4556 wrote to memory of 2136 | 4556 | DEME450.exe | 102
PID 4556 wrote to memory of 2136 | 4556 | DEME450.exe | 102
Processes (process tree; the number in brackets is the nesting depth)
[1] C:\Users\Admin\AppData\Local\Temp\17ce1129878d4a18b153c487f87f4f50_JaffaCakes118.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\17ce1129878d4a18b153c487f87f4f50_JaffaCakes118.exe"
    PID: 3624
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
[2] C:\Users\Admin\AppData\Local\Temp\DEM8ADB.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\DEM8ADB.exe"
    PID: 3164
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
[3] C:\Users\Admin\AppData\Local\Temp\DEME186.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\DEME186.exe"
    PID: 3824
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
[4] C:\Users\Admin\AppData\Local\Temp\DEM37B5.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\DEM37B5.exe"
    PID: 3048
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
[5] C:\Users\Admin\AppData\Local\Temp\DEM8E12.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\DEM8E12.exe"
    PID: 2008
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
[6] C:\Users\Admin\AppData\Local\Temp\DEME450.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\DEME450.exe"
    PID: 4556
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
[7] C:\Users\Admin\AppData\Local\Temp\DEM3ACD.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\DEM3ACD.exe"
    PID: 2136
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads