Analysis
  max time kernel: 94s
  max time network: 124s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 09/10/2024, 07:23
Behavioral task: behavioral1
  Sample: 2d26ff8c55b926673524852520e77a4e_JaffaCakes118.exe
  Resource: win7-20240903-en
General
  Target: 2d26ff8c55b926673524852520e77a4e_JaffaCakes118.exe
  Size: 227KB
  MD5: 2d26ff8c55b926673524852520e77a4e
  SHA1: 7baefc1d929ecef7a9063775be4576fcf4d9cdc0
  SHA256: 3e2a192d497afd016d0ca3e7bbb6b319ae1a88be89f60a4f3411d6243ddceb36
  SHA512: 5e6ee837ff1ea3290562c8673f45787f88bb813614c77dfe39929746a7a26ffabbdc0f2697ed65435cbc8ad19b4e89acb610a0e8eb036eb1d342272425e6e01f
  SSDEEP: 6144:dfOpM5uMf/j/lSCq0wWCBY5y3aiAGWd573slDD0Ig:dmpM5t3nFCBY5dikLsVE
Malware Config
Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | 2d26ff8c55b926673524852520e77a4e_JaffaCakes118.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | ins4532.exe

Executes dropped EXE (2 IoCs)
  pid | Process
  4028 | ins4532.exe
  5064 | ins.exe

Drops desktop.ini file(s) (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\assembly\Desktop.ini | ins.exe
  File created | C:\Windows\assembly\Desktop.ini | ins.exe

Unnamed signature (the signature heading is missing from the page; only its YARA rule rows survive)
  resource | yara_rule
  behavioral2/memory/1800-0-0x0000000000230000-0x000000000028D000-memory.dmp | upx
  behavioral2/memory/1800-31-0x0000000000230000-0x000000000028D000-memory.dmp | upx
  behavioral2/memory/1800-38-0x0000000000230000-0x000000000028D000-memory.dmp | upx

Drops file in Windows directory (3 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\assembly | ins.exe
  File created | C:\Windows\assembly\Desktop.ini | ins.exe
  File opened for modification | C:\Windows\assembly\Desktop.ini | ins.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2d26ff8c55b926673524852520e77a4e_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ins.exe
Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid | Process
  5064 | ins.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 5064 | ins.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  5064 | ins.exe
  5064 | ins.exe

Suspicious use of WriteProcessMemory (5 IoCs)
  description | pid | Process | procid_target
  PID 1800 wrote to memory of 4028 | 1800 | 2d26ff8c55b926673524852520e77a4e_JaffaCakes118.exe | 85
  PID 1800 wrote to memory of 4028 | 1800 | 2d26ff8c55b926673524852520e77a4e_JaffaCakes118.exe | 85
  PID 4028 wrote to memory of 5064 | 4028 | ins4532.exe | 88
  PID 4028 wrote to memory of 5064 | 4028 | ins4532.exe | 88
  PID 4028 wrote to memory of 5064 | 4028 | ins4532.exe | 88
Processes (process tree; the number after each entry is its depth in the tree)

1. C:\Users\Admin\AppData\Local\Temp\2d26ff8c55b926673524852520e77a4e_JaffaCakes118.exe (PID 1800)
   command line: "C:\Users\Admin\AppData\Local\Temp\2d26ff8c55b926673524852520e77a4e_JaffaCakes118.exe"
   - Checks computer location settings
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\ins4532\ins4532.exe (PID 4028)
      command line: "C:\Users\Admin\AppData\Local\Temp\ins4532\ins4532.exe" ins.exe /e5682653 /u5062d47f-b8cc-411a-9555-12ab5bc06f2f
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\ins4532\ins.exe (PID 5064)
         command line: "C:\Users\Admin\AppData\Local\Temp\ins4532\ins.exe" /e5682653 /u5062d47f-b8cc-411a-9555-12ab5bc06f2f
         - Executes dropped EXE
         - Drops desktop.ini file(s)
         - Drops file in Windows directory
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

  Filesize: 254KB
  MD5: 473b7bc5d6fd58f3c86a29ff64035bad
  SHA1: 69a8bbb0ed0be2f66459030ccb77a6f8307d46f9
  SHA256: 107d940514fcd5cfe2e62d4e23357dd2eeef7543b082a4b959e11569aaf180b1
  SHA512: 2cb5c110c8e4aba59f3c6bed7b6dc4a4624538d906ad18be72e687f695ef825aad117457eab895c01295878dfe25e1b6b0ed25de29c6f1558e20ed6be3411d25

  Filesize: 138KB
  MD5: 9543c7e436381a7853e8182a35152e38
  SHA1: 3e828372157a880edde5e5621a7888900d686d76
  SHA256: 1628a5b49145659ebddd692829fd2c067569452f85769ef831376b8bb36c6c26
  SHA512: cd82be11ffa1c17eb95a110741ba1199b38da11aaf13a40dd7c9de8ec4fa7a56a48e718cd1a30cd4fa47000a757e62c0fff4285c0b0af21460b3ea986b1951e4