Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
12/10/2024, 19:25
Behavioral task
behavioral1
Sample
3baef362d7ca8f9798d3964414fef351_JaffaCakes118.exe
Resource
win7-20240903-en
General
-
Target
3baef362d7ca8f9798d3964414fef351_JaffaCakes118.exe
-
Size
1.3MB
-
MD5
3baef362d7ca8f9798d3964414fef351
-
SHA1
cb137fef7524614d72c50b2de4c6ef6152c6253a
-
SHA256
63604b50c997ceacc7b689e8fa79d91fbe2e2b6adf76601f0f6dff6fdc8bb169
-
SHA512
dc0961eca22bda7eaa4452d5472b7576e9548059d00fced70cc4e2cabfef0ad55f598bcd16c0439e8b2a7091faba4ba74f4bf9674b0a39814dcbad2dbb8ca5e5
-
SSDEEP
24576:muj/VEaecgvjdcR2ARF9AjORbomMQzuYbMTSsEPwFq91B2VXvvG:mKVEae5bda28F9AORbEQ6Yb0Sscww
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid Process 4836 3baef362d7ca8f9798d3964414fef351_JaffaCakes118.exe -
Executes dropped EXE 1 IoCs
pid Process 4836 3baef362d7ca8f9798d3964414fef351_JaffaCakes118.exe -
resource yara_rule behavioral2/memory/1816-0-0x0000000000400000-0x000000000086A000-memory.dmp upx behavioral2/files/0x000c000000023b23-12.dat upx -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3baef362d7ca8f9798d3964414fef351_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3baef362d7ca8f9798d3964414fef351_JaffaCakes118.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 1816 3baef362d7ca8f9798d3964414fef351_JaffaCakes118.exe -
Suspicious use of UnmapMainImage 2 IoCs
pid Process 1816 3baef362d7ca8f9798d3964414fef351_JaffaCakes118.exe 4836 3baef362d7ca8f9798d3964414fef351_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1816 wrote to memory of 4836 1816 3baef362d7ca8f9798d3964414fef351_JaffaCakes118.exe 83 PID 1816 wrote to memory of 4836 1816 3baef362d7ca8f9798d3964414fef351_JaffaCakes118.exe 83 PID 1816 wrote to memory of 4836 1816 3baef362d7ca8f9798d3964414fef351_JaffaCakes118.exe 83
Processes
-
C:\Users\Admin\AppData\Local\Temp\3baef362d7ca8f9798d3964414fef351_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\3baef362d7ca8f9798d3964414fef351_JaffaCakes118.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1816 -
C:\Users\Admin\AppData\Local\Temp\3baef362d7ca8f9798d3964414fef351_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\3baef362d7ca8f9798d3964414fef351_JaffaCakes118.exe2⤵
- Deletes itself
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of UnmapMainImage
PID:4836
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.3MB
MD550fd18c44386ce23e95afa70fb50ebe7
SHA18a4fa2eb22c83462a59855b25da7cffe5b482fa5
SHA2562736e90b5ad4fc75a91b3eade2348c981bcad40a3e96747d9a22001a02254597
SHA512ae5ff87ea4f0f899bf6224f4db3db6e818a904f40be08fb61fcdcbabf7e0191dc0f867c8fbc31e9fab69187c8dbec7f84a46933f741d29e5eabe195640d6c5f6