Analysis
max time kernel: 142s
max time network: 97s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/10/2024, 23:18
Static task: static1
Behavioral task: behavioral1
  Sample: 26ed75f24f23cb0d42ada6b200cf99ec_JaffaCakes118.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 26ed75f24f23cb0d42ada6b200cf99ec_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: 26ed75f24f23cb0d42ada6b200cf99ec_JaffaCakes118.exe
Size: 141KB
MD5: 26ed75f24f23cb0d42ada6b200cf99ec
SHA1: 71fe1d82dc721478dd4957c27df1c430fd2b7854
SHA256: c87ac5f7b9521a3355f60a0b526eac8aba93d41a32d1c16473ab4b5100bfc005
SHA512: 069227b8b1a334ad1e48f20a40d615669c9d9228b7a3fcd01829c9a8d9256a73ed3fe95e5eaf3f24d750f0b0c5218e77a567aa1263f80bd9c02278d954a23fbf
SSDEEP: 3072:ZGu9BlfzWIbXWm+w0Jz5iyhC33O+99/ABUC+BciLb1vQyoFYkTNiP4Oy1Ek:Z/0uodC33O29AqCQ14FjRiP4xl
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid  Process
  628  ppi.exe
  116  ppi.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  Process: 26ed75f24f23cb0d42ada6b200cf99ec_JaffaCakes118.exe
- Suspicious use of SetThreadContext (1 IoCs)
  description: PID 628 set thread context of 116
  pid: 628
  Process: ppi.exe
  procid_target: 87
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                         Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  26ed75f24f23cb0d42ada6b200cf99ec_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ppi.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ppi.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid  Process
  116  ppi.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  description                       pid   Process                                              procid_target
  PID 3984 wrote to memory of 628   3984  26ed75f24f23cb0d42ada6b200cf99ec_JaffaCakes118.exe  85
  PID 3984 wrote to memory of 628   3984  26ed75f24f23cb0d42ada6b200cf99ec_JaffaCakes118.exe  85
  PID 3984 wrote to memory of 628   3984  26ed75f24f23cb0d42ada6b200cf99ec_JaffaCakes118.exe  85
  PID 628 wrote to memory of 116    628   ppi.exe                                              87
  PID 628 wrote to memory of 116    628   ppi.exe                                              87
  PID 628 wrote to memory of 116    628   ppi.exe                                              87
  PID 628 wrote to memory of 116    628   ppi.exe                                              87
  PID 628 wrote to memory of 116    628   ppi.exe                                              87
  PID 628 wrote to memory of 116    628   ppi.exe                                              87
  PID 628 wrote to memory of 116    628   ppi.exe                                              87
  PID 628 wrote to memory of 116    628   ppi.exe                                              87
Processes
1. C:\Users\Admin\AppData\Local\Temp\26ed75f24f23cb0d42ada6b200cf99ec_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\26ed75f24f23cb0d42ada6b200cf99ec_JaffaCakes118.exe"
   PID: 3984
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ppi.exe (child of PID 3984)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ppi.exe
      PID: 628
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ppi.exe (child of PID 628)
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ppi.exe
         PID: 116
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 5KB
  MD5: 380b9372ec84759cc38caeb166c618c3
  SHA1: 508810be3f0969377207795040b3bd0e95955b9f
  SHA256: 70e9fdb3b9e717e18816093b718200ca42ec202280c1ba281ecc91839d37c01a
  SHA512: d3e1d96a0fb6425a8fcaeabf8d20c853a8fa2a8210c0d0886396ee6716fd4c5879cf9ea66bf014f9c50341b1e1616307482b977779a510debd6d63c26a1091a6
- Filesize: 164KB
  MD5: d31d600bbdc5a27f174252df5d3ccc01
  SHA1: 7a93cef8500d12c00678ee13e728036dd843cb35
  SHA256: 97770efd6a2c1ede7e8aabb53419380d2fa4221d9b1dace6c1c59a5203f15459
  SHA512: 63b40061a9ebb4cfbd2e580bf5d31eb08e5ed0cb1823b2aea7ae85b48e008db63e6831dd1c004ef8a593e83db7eced7486659e881a62611da1d6bf509941601b