Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
08/10/2024, 20:38
Static task
static1
Behavioral task
behavioral1
Sample
251fc88ffb763925fc860ffde94cf9b0_JaffaCakes118.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
251fc88ffb763925fc860ffde94cf9b0_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
251fc88ffb763925fc860ffde94cf9b0_JaffaCakes118.exe
-
Size
356KB
-
MD5
251fc88ffb763925fc860ffde94cf9b0
-
SHA1
b1c31c6d2069c2fbb8830d331bf278a3348e1c94
-
SHA256
25f714d1afcc851fe3761d40d639375eefc64bf03e7423d3d75de76fbd52c159
-
SHA512
fb73edfb48a194b3144fbae984cc4dbaca340062ee4dc951e038f10b857a90bdec9bbdcd02c321bf53045519f486c74ecdedec7f65fc15862033475b439a94ec
-
SSDEEP
6144:7vbx8O8A+buvc1zO7ySeIObnOY0o0MDJMR5VoIP2T4LWE9maZY:7/LoMeXAMCR5VoI2w9maZ
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid Process 3604 eOp2tdgqrHUH.exe -
Executes dropped EXE 2 IoCs
pid Process 3472 eOp2tdgqrHUH.exe 3604 eOp2tdgqrHUH.exe -
Loads dropped DLL 4 IoCs
pid Process 3400 251fc88ffb763925fc860ffde94cf9b0_JaffaCakes118.exe 3400 251fc88ffb763925fc860ffde94cf9b0_JaffaCakes118.exe 3604 eOp2tdgqrHUH.exe 3604 eOp2tdgqrHUH.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SjagXRvcxQU = "C:\\ProgramData\\I7sc5jyzS5JF2P\\eOp2tdgqrHUH.exe" 251fc88ffb763925fc860ffde94cf9b0_JaffaCakes118.exe -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 3836 set thread context of 3400 3836 251fc88ffb763925fc860ffde94cf9b0_JaffaCakes118.exe 86 PID 3472 set thread context of 3604 3472 eOp2tdgqrHUH.exe 88 PID 3604 set thread context of 2028 3604 eOp2tdgqrHUH.exe 89 -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language eOp2tdgqrHUH.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AdobeARMHelper.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 251fc88ffb763925fc860ffde94cf9b0_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 251fc88ffb763925fc860ffde94cf9b0_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language eOp2tdgqrHUH.exe -
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target PID 3836 wrote to memory of 3400 3836 251fc88ffb763925fc860ffde94cf9b0_JaffaCakes118.exe 86 PID 3836 wrote to memory of 3400 3836 251fc88ffb763925fc860ffde94cf9b0_JaffaCakes118.exe 86 PID 3836 wrote to memory of 3400 3836 251fc88ffb763925fc860ffde94cf9b0_JaffaCakes118.exe 86 PID 3836 wrote to memory of 3400 3836 251fc88ffb763925fc860ffde94cf9b0_JaffaCakes118.exe 86 PID 3836 wrote to memory of 3400 3836 251fc88ffb763925fc860ffde94cf9b0_JaffaCakes118.exe 86 PID 3400 wrote to memory of 3472 3400 251fc88ffb763925fc860ffde94cf9b0_JaffaCakes118.exe 87 PID 3400 wrote to memory of 3472 3400 251fc88ffb763925fc860ffde94cf9b0_JaffaCakes118.exe 87 PID 3400 wrote to memory of 3472 3400 251fc88ffb763925fc860ffde94cf9b0_JaffaCakes118.exe 87 PID 3472 wrote to memory of 3604 3472 eOp2tdgqrHUH.exe 88 PID 3472 wrote to memory of 3604 3472 eOp2tdgqrHUH.exe 88 PID 3472 wrote to memory of 3604 3472 eOp2tdgqrHUH.exe 88 PID 3472 wrote to memory of 3604 3472 eOp2tdgqrHUH.exe 88 PID 3472 wrote to memory of 3604 3472 eOp2tdgqrHUH.exe 88 PID 3604 wrote to memory of 2028 3604 eOp2tdgqrHUH.exe 89 PID 3604 wrote to memory of 2028 3604 eOp2tdgqrHUH.exe 89 PID 3604 wrote to memory of 2028 3604 eOp2tdgqrHUH.exe 89 PID 3604 wrote to memory of 2028 3604 eOp2tdgqrHUH.exe 89 PID 3604 wrote to memory of 2028 3604 eOp2tdgqrHUH.exe 89
Processes
-
C:\Users\Admin\AppData\Local\Temp\251fc88ffb763925fc860ffde94cf9b0_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\251fc88ffb763925fc860ffde94cf9b0_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3836 -
C:\Users\Admin\AppData\Local\Temp\251fc88ffb763925fc860ffde94cf9b0_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\251fc88ffb763925fc860ffde94cf9b0_JaffaCakes118.exe"2⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3400 -
C:\ProgramData\I7sc5jyzS5JF2P\eOp2tdgqrHUH.exe"C:\ProgramData\I7sc5jyzS5JF2P\eOp2tdgqrHUH.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3472 -
C:\ProgramData\I7sc5jyzS5JF2P\eOp2tdgqrHUH.exe"C:\ProgramData\I7sc5jyzS5JF2P\eOp2tdgqrHUH.exe"4⤵
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3604 -
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe" /i:36045⤵
- System Location Discovery: System Language Discovery
PID:2028
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
356KB
MD558b7bea119b837626cc42b60819f1444
SHA1f2d1417792f68072087ea12787ba3ba99febc2f7
SHA256d3aed88f32b5aee67bdbf017714e790d48ccd638aa56c5cd6cc355200853778d
SHA5126a7477ae713c81292f1c078420f1d9597316da7862a0d104eb9c64e3ea17bb5c77a21ccefb5043bf54689393ffdeb7afff0484f7e359449b72533ec6dc59273b
-
Filesize
356KB
MD5251fc88ffb763925fc860ffde94cf9b0
SHA1b1c31c6d2069c2fbb8830d331bf278a3348e1c94
SHA25625f714d1afcc851fe3761d40d639375eefc64bf03e7423d3d75de76fbd52c159
SHA512fb73edfb48a194b3144fbae984cc4dbaca340062ee4dc951e038f10b857a90bdec9bbdcd02c321bf53045519f486c74ecdedec7f65fc15862033475b439a94ec