Analysis
- max time kernel: 132s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/10/2024, 00:21
Static task
- static1

Behavioral task
- behavioral1
  - Sample: 27a289531660a32c1cec535bee86e28d_JaffaCakes118.exe
  - Resource: win7-20240903-en

Behavioral task
- behavioral2
  - Sample: 27a289531660a32c1cec535bee86e28d_JaffaCakes118.exe
  - Resource: win10v2004-20241007-en
General
- Target: 27a289531660a32c1cec535bee86e28d_JaffaCakes118.exe
- Size: 14KB
- MD5: 27a289531660a32c1cec535bee86e28d
- SHA1: 4abcbd17dfd0731031f31f40475dab345ff70b9c
- SHA256: 122f58ee576e218087563b2e7010a2cb0324b1c9eb04946773f0e8c96f90fb45
- SHA512: 47d08df47bd013a0074c8dd062c22145820bec02cdf47b37de237b4eb2c6c7306de96e66355afc4cf0a42e41232b2fa0dc1c46bacaef212787c030fabe9124b0
- SSDEEP: 384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhv56:hDXWipuE+K3/SSHgxl56
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 6 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | DEM4F8.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | 27a289531660a32c1cec535bee86e28d_JaffaCakes118.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | DEMAC5D.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | DEM318.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | DEM5908.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | DEMAEC9.exe
- Executes dropped EXE (6 IoCs)
  pid | Process
  2316 | DEMAC5D.exe
  5056 | DEM318.exe
  4472 | DEM5908.exe
  848 | DEMAEC9.exe
  4376 | DEM4F8.exe
  2168 | DEM5AC8.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 27a289531660a32c1cec535bee86e28d_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DEMAC5D.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DEM318.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DEM5908.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DEMAEC9.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DEM4F8.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DEM5AC8.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  description | pid | Process | procid_target
  PID 1416 wrote to memory of 2316 | 1416 | 27a289531660a32c1cec535bee86e28d_JaffaCakes118.exe | 87
  PID 1416 wrote to memory of 2316 | 1416 | 27a289531660a32c1cec535bee86e28d_JaffaCakes118.exe | 87
  PID 1416 wrote to memory of 2316 | 1416 | 27a289531660a32c1cec535bee86e28d_JaffaCakes118.exe | 87
  PID 2316 wrote to memory of 5056 | 2316 | DEMAC5D.exe | 91
  PID 2316 wrote to memory of 5056 | 2316 | DEMAC5D.exe | 91
  PID 2316 wrote to memory of 5056 | 2316 | DEMAC5D.exe | 91
  PID 5056 wrote to memory of 4472 | 5056 | DEM318.exe | 96
  PID 5056 wrote to memory of 4472 | 5056 | DEM318.exe | 96
  PID 5056 wrote to memory of 4472 | 5056 | DEM318.exe | 96
  PID 4472 wrote to memory of 848 | 4472 | DEM5908.exe | 98
  PID 4472 wrote to memory of 848 | 4472 | DEM5908.exe | 98
  PID 4472 wrote to memory of 848 | 4472 | DEM5908.exe | 98
  PID 848 wrote to memory of 4376 | 848 | DEMAEC9.exe | 100
  PID 848 wrote to memory of 4376 | 848 | DEMAEC9.exe | 100
  PID 848 wrote to memory of 4376 | 848 | DEMAEC9.exe | 100
  PID 4376 wrote to memory of 2168 | 4376 | DEM4F8.exe | 102
  PID 4376 wrote to memory of 2168 | 4376 | DEM4F8.exe | 102
  PID 4376 wrote to memory of 2168 | 4376 | DEM4F8.exe | 102
Processes
(process tree; each level is a child of the one above it)

- C:\Users\Admin\AppData\Local\Temp\27a289531660a32c1cec535bee86e28d_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\27a289531660a32c1cec535bee86e28d_JaffaCakes118.exe"
  PID: 1416
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\DEMAC5D.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\DEMAC5D.exe"
    PID: 2316
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\DEM318.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\DEM318.exe"
      PID: 5056
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\DEM5908.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\DEM5908.exe"
        PID: 4472
        - Checks computer location settings
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\DEMAEC9.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\DEMAEC9.exe"
          PID: 848
          - Checks computer location settings
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Local\Temp\DEM4F8.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\DEM4F8.exe"
            PID: 4376
            - Checks computer location settings
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            - C:\Users\Admin\AppData\Local\Temp\DEM5AC8.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\DEM5AC8.exe"
              PID: 2168
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
Downloads