Analysis
- max time kernel: 93s
- max time network: 94s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/10/2024, 05:14
Static task: static1
Behavioral task: behavioral1
- Sample: 2b7eb734363ad47b73fcfeb5d7e7ec5a_JaffaCakes118.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 2b7eb734363ad47b73fcfeb5d7e7ec5a_JaffaCakes118.exe
- Resource: win10v2004-20241007-en
General
- Target: 2b7eb734363ad47b73fcfeb5d7e7ec5a_JaffaCakes118.exe
- Size: 398KB
- MD5: 2b7eb734363ad47b73fcfeb5d7e7ec5a
- SHA1: 54dc5409a06798848413f263486316e8947ed657
- SHA256: 3a37b8cf55a83dd9fab4550f6a83522a4995dd365112c651c9cfd700ec9cbb06
- SHA512: a9879489976c4657f8900e61309a5ada953487d44ebc25b9d50a7b428c452f3533a4dac26d7432eb069bbb9f7cfc1ba12fa0f986c378e24932a7df37ef51bf01
- SSDEEP: 6144:+fGIZnKPiSiEQaJOTACiPjctDWgBBTcsV09Jb3PtDqJL65BOOhxxdeTr/ekI:OKPi9EQa4wPjeKgDov9l3CL67zxd6L
Malware Config
Extracted: gcleaner
- gcl-page.biz
- 194.145.227.161
Signatures
- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.
- OnlyLogger payload (5 IoCs)
  resource | yara_rule
  behavioral2/memory/1360-2-0x0000000000660000-0x00000000006A8000-memory.dmp | family_onlylogger
  behavioral2/memory/1360-3-0x0000000000400000-0x000000000044B000-memory.dmp | family_onlylogger
  behavioral2/memory/1360-6-0x0000000000400000-0x000000000044B000-memory.dmp | family_onlylogger
  behavioral2/memory/1360-5-0x0000000000660000-0x00000000006A8000-memory.dmp | family_onlylogger
  behavioral2/memory/1360-4-0x0000000000400000-0x0000000000470000-memory.dmp | family_onlylogger
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | 2b7eb734363ad47b73fcfeb5d7e7ec5a_JaffaCakes118.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (7 IoCs)
  pid | pid_target | Process | procid_target
  684 | 1360 | WerFault.exe | 81
  4820 | 1360 | WerFault.exe | 81
  1116 | 1360 | WerFault.exe | 81
  4620 | 1360 | WerFault.exe | 81
  2012 | 1360 | WerFault.exe | 81
  312 | 1360 | WerFault.exe | 81
  3076 | 1360 | WerFault.exe | 81
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2b7eb734363ad47b73fcfeb5d7e7ec5a_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
- Kills process with taskkill (1 IoCs)
  pid | Process
  5076 | taskkill.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 5076 | taskkill.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 1360 wrote to memory of 4508 | 1360 | 2b7eb734363ad47b73fcfeb5d7e7ec5a_JaffaCakes118.exe | 99
  PID 1360 wrote to memory of 4508 | 1360 | 2b7eb734363ad47b73fcfeb5d7e7ec5a_JaffaCakes118.exe | 99
  PID 1360 wrote to memory of 4508 | 1360 | 2b7eb734363ad47b73fcfeb5d7e7ec5a_JaffaCakes118.exe | 99
  PID 4508 wrote to memory of 5076 | 4508 | cmd.exe | 102
  PID 4508 wrote to memory of 5076 | 4508 | cmd.exe | 102
  PID 4508 wrote to memory of 5076 | 4508 | cmd.exe | 102
Processes
- C:\Users\Admin\AppData\Local\Temp\2b7eb734363ad47b73fcfeb5d7e7ec5a_JaffaCakes118.exe (PID 1360)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2b7eb734363ad47b73fcfeb5d7e7ec5a_JaffaCakes118.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe (PID 684)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 688
    - Program crash
  - C:\Windows\SysWOW64\WerFault.exe (PID 4820)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 792
    - Program crash
  - C:\Windows\SysWOW64\WerFault.exe (PID 1116)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 800
    - Program crash
  - C:\Windows\SysWOW64\WerFault.exe (PID 4620)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 800
    - Program crash
  - C:\Windows\SysWOW64\WerFault.exe (PID 2012)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 800
    - Program crash
  - C:\Windows\SysWOW64\WerFault.exe (PID 312)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 964
    - Program crash
  - C:\Windows\SysWOW64\cmd.exe (PID 4508)
    Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "2b7eb734363ad47b73fcfeb5d7e7ec5a_JaffaCakes118.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\2b7eb734363ad47b73fcfeb5d7e7ec5a_JaffaCakes118.exe" & exit
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe (PID 5076)
      Command line: taskkill /im "2b7eb734363ad47b73fcfeb5d7e7ec5a_JaffaCakes118.exe" /f
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe (PID 3076)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 972
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 4716)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1360 -ip 1360
- C:\Windows\SysWOW64\WerFault.exe (PID 3980)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1360 -ip 1360
- C:\Windows\SysWOW64\WerFault.exe (PID 4484)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1360 -ip 1360
- C:\Windows\SysWOW64\WerFault.exe (PID 3476)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1360 -ip 1360
- C:\Windows\SysWOW64\WerFault.exe (PID 4480)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1360 -ip 1360
- C:\Windows\SysWOW64\WerFault.exe (PID 840)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1360 -ip 1360
- C:\Windows\SysWOW64\WerFault.exe (PID 3200)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1360 -ip 1360