Analysis
- max time kernel: 93s
- max time network: 97s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/10/2024, 10:52
Static task
static1
Behavioral task
behavioral1
Sample
2fd4b0ca4c98b737c59da79e1a59f4d0_JaffaCakes118.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
2fd4b0ca4c98b737c59da79e1a59f4d0_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
- Target: 2fd4b0ca4c98b737c59da79e1a59f4d0_JaffaCakes118.exe
- Size: 3.8MB
- MD5: 2fd4b0ca4c98b737c59da79e1a59f4d0
- SHA1: 5eff241c9499924963e6e8034e4a86946991ba85
- SHA256: c54f41b90d6cbfa8a8590423642daad2d9804ec8d8cf03a27e2ef4cd1c8b7fbe
- SHA512: d210736b5e7ad586154651d252d0c0b871073bdeab683ffa618a39db73d9f58e7de1aa8da67457c2acdfce8d99e361ca3e1dd9309da8319f27c5e576446eae0f
- SSDEEP: 98304:/SjSLLHz89pCdxkeQv+LT7trNfnxpApzenk7O:/SFIG+ZhZpA9hq
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation (process: 2fd4b0ca4c98b737c59da79e1a59f4d0_JaffaCakes118.exe)
- Executes dropped EXE (3 IoCs)
  PID 2112: ~DP7ADD.exe
  PID 2536: ~DP7C16.exe
  PID 1288: winlogon.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winlogon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\~DP7ADD.exe" (process: ~DP7ADD.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winlogon = "C:\\Windows\\winlogon.exe" (process: winlogon.exe)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- YARA rule matches (resource: rule)
  behavioral2/files/0x000a000000023b88-13.dat: upx
  behavioral2/memory/2536-20-0x0000000000400000-0x000000000042C000-memory.dmp: upx
  behavioral2/memory/2536-30-0x0000000000400000-0x000000000042C000-memory.dmp: upx
- Drops file in Windows directory (1 IoC)
  File created: C:\Windows\winlogon.exe (process: ~DP7ADD.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: ~DP7ADD.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: ~DP7C16.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: winlogon.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 2fd4b0ca4c98b737c59da79e1a59f4d0_JaffaCakes118.exe)
- Modifies registry class (1 IoC)
  Set value (data) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\MSKRTLR = e80700000a0000000a000000000000001b00000008000000 (process: winlogon.exe)
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  PID 2112: ~DP7ADD.exe (6 identical entries)
  PID 1288: winlogon.exe (6 identical entries)
- Suspicious use of SetWindowsHookEx (4 IoCs)
  PID 2536: ~DP7C16.exe (4 identical entries)
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 1788 (2fd4b0ca4c98b737c59da79e1a59f4d0_JaffaCakes118.exe) wrote to memory of PID 2112, procid_target 86 (3 identical entries)
  PID 1788 (2fd4b0ca4c98b737c59da79e1a59f4d0_JaffaCakes118.exe) wrote to memory of PID 2536, procid_target 87 (3 identical entries)
  PID 2112 (~DP7ADD.exe) wrote to memory of PID 1288, procid_target 88 (3 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\2fd4b0ca4c98b737c59da79e1a59f4d0_JaffaCakes118.exe (PID 1788)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2fd4b0ca4c98b737c59da79e1a59f4d0_JaffaCakes118.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\~DP7ADD.exe (PID 2112, child of PID 1788)
    Command line: "C:\Users\Admin\AppData\Local\Temp\~DP7ADD.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\winlogon.exe (PID 1288, child of PID 2112)
      Command line: C:\Windows\winlogon.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
  - C:\Users\Admin\AppData\Local\Temp\~DP7C16.exe (PID 2536, child of PID 1788)
    Command line: "C:\Users\Admin\AppData\Local\Temp\~DP7C16.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 120KB
  MD5: 7de4d379ef630e064788ebd8f7a62fca
  SHA1: 84e672f7bf9224a0f52518c93226c027a2465b25
  SHA256: 152958ed713f7f7b2bf5e49165425c87a867c8d23c7ca874e5a6e0a629436395
  SHA512: b60c420d143853b0b1bcc63e235f3c6018b8db77cb2b709fa0faffe7b31640a51c842b9fd797511eb19dde0bbd7b0e91cdda908026ae520be64da6184cb2fbbb
- Filesize: 3.6MB
  MD5: 02179af0725062fada76dc9f2f58e629
  SHA1: 64c92392e72ffb3740081a96983966e8ef52c84a
  SHA256: 82133b9c92dc054457669d645e380483bb3a12b7d5d36d37b2efe570ff25a41e
  SHA512: 5f70cfa32388f322bee038892a88fa20b2e7d1e0c80cd8300417e8c104ca28408845d4142129b9035e0bc9f26568a450712ef0c3170837c850c6f9ee8dcc18d7