Analysis
- max time kernel: 117s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10/10/2024, 13:39
Static task: static1
Behavioral task: behavioral1
- Sample: 30252ad68194a240a0687b15c12f69c7_JaffaCakes118.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: 30252ad68194a240a0687b15c12f69c7_JaffaCakes118.exe
- Resource: win10v2004-20241007-en
General
- Target: 30252ad68194a240a0687b15c12f69c7_JaffaCakes118.exe
- Size: 368KB
- MD5: 30252ad68194a240a0687b15c12f69c7
- SHA1: 8e8ecd4c929d87605eee5f3fa178024bb30d13da
- SHA256: dd93f62a5686560cd10e1fd8fda31fd839352ab73831637591eb73be8cf57884
- SHA512: 8d3923926a830e084c1671ba69a63f4becc271506f68571548e21405f85a90acc642f6785033c9f80b39b5ea72df6556d03aad85e33aabef6c49130f690e0e3e
- SSDEEP: 6144:/NEBnVTn7nd1jZqLoP12yR1/vhSUXl9uBj486mHhsf2+XVDHNsdeU0JikNfsGTBO:/Inln3ZmqH5Fvg48Bsf2EHNsd10JisRw
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 1440, process QQ.exe
- Suspicious use of SetThreadContext (1 IoC)
  Description: PID 1440 set thread context of 2256; pid 1440, process QQ.exe, procid_target 87
- Drops file in Windows directory (2 IoCs)
  File created: C:\Windows\QQ.exe (process 30252ad68194a240a0687b15c12f69c7_JaffaCakes118.exe)
  File opened for modification: C:\Windows\QQ.exe (process 30252ad68194a240a0687b15c12f69c7_JaffaCakes118.exe)
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process IEXPLORE.EXE)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process 30252ad68194a240a0687b15c12f69c7_JaffaCakes118.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process QQ.exe)
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid 2256, process IEXPLORE.EXE
- Suspicious use of WriteProcessMemory (5 IoCs)
  Description: PID 1440 wrote to memory of 2256; pid 1440, process QQ.exe, procid_target 87 (5 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\30252ad68194a240a0687b15c12f69c7_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\30252ad68194a240a0687b15c12f69c7_JaffaCakes118.exe"
  PID: 1508
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
- C:\Windows\QQ.exe
  Command line: C:\Windows\QQ.exe
  PID: 1440
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (depth 2, under QQ.exe)
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" 64797
    PID: 2256
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 368KB
- MD5: 30252ad68194a240a0687b15c12f69c7
- SHA1: 8e8ecd4c929d87605eee5f3fa178024bb30d13da
- SHA256: dd93f62a5686560cd10e1fd8fda31fd839352ab73831637591eb73be8cf57884
- SHA512: 8d3923926a830e084c1671ba69a63f4becc271506f68571548e21405f85a90acc642f6785033c9f80b39b5ea72df6556d03aad85e33aabef6c49130f690e0e3e