Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19/10/2024, 22:24
Behavioral task: behavioral1
- Sample: 5ef7fe7f1e794a83d76bc115089c24d1_JaffaCakes118.exe
- Resource: win7-20240903-en
General
- Target: 5ef7fe7f1e794a83d76bc115089c24d1_JaffaCakes118.exe
- Size: 403KB
- MD5: 5ef7fe7f1e794a83d76bc115089c24d1
- SHA1: 2f8b9d2f4fbfb95bf08ef18dfdfeb0226581e2e2
- SHA256: 7285307085fbba9e99687a175fb18907f3c70b4b247229b2886922fff0bd0da0
- SHA512: 691777ea80ccb68833dda181b3367ab512026361304f759c82402dfe5fdfd328396c97f45592280609c28c64b4235c497bb4e00a57051088cde82d49454dc8f4
- SSDEEP: 6144:85SXvBoDWoyLYyzbkPC4DYM6SB6v+qLnAzYmhwrxcvkzmSBrohq:8IfBoDWoyFblU6hAJQnO4
Malware Config
Extracted: urelas
- 218.54.31.165
- 218.54.31.226
Signatures

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation (process: 5ef7fe7f1e794a83d76bc115089c24d1_JaffaCakes118.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation (process: izteo.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation (process: mirees.exe)

Executes dropped EXE (3 IoCs)
- PID 1940: izteo.exe
- PID 2848: mirees.exe
- PID 2096: ipsaa.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 5ef7fe7f1e794a83d76bc115089c24d1_JaffaCakes118.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: izteo.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cmd.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: mirees.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: ipsaa.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cmd.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 2096: ipsaa.exe (the same pid/process pair is recorded 64 times)

Suspicious use of WriteProcessMemory (15 IoCs)
Columns: description, pid, Process, procid_target. Each row below is recorded 3 times in the report.
- PID 4744 wrote to memory of 1940 (pid 4744, process 5ef7fe7f1e794a83d76bc115089c24d1_JaffaCakes118.exe, procid_target 84)
- PID 4744 wrote to memory of 2452 (pid 4744, process 5ef7fe7f1e794a83d76bc115089c24d1_JaffaCakes118.exe, procid_target 85)
- PID 1940 wrote to memory of 2848 (pid 1940, process izteo.exe, procid_target 87)
- PID 2848 wrote to memory of 2096 (pid 2848, process mirees.exe, procid_target 104)
- PID 2848 wrote to memory of 3428 (pid 2848, process mirees.exe, procid_target 105)
Processes
- C:\Users\Admin\AppData\Local\Temp\5ef7fe7f1e794a83d76bc115089c24d1_JaffaCakes118.exe (PID 4744)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5ef7fe7f1e794a83d76bc115089c24d1_JaffaCakes118.exe"
  Signatures: Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\izteo.exe (PID 1940)
    Command line: "C:\Users\Admin\AppData\Local\Temp\izteo.exe" hi
    Signatures: Checks computer location settings; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\mirees.exe (PID 2848)
      Command line: "C:\Users\Admin\AppData\Local\Temp\mirees.exe" OK
      Signatures: Checks computer location settings; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\ipsaa.exe (PID 2096)
        Command line: "C:\Users\Admin\AppData\Local\Temp\ipsaa.exe"
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses
      - C:\Windows\SysWOW64\cmd.exe (PID 3428)
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
        Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe (PID 2452)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
    Signatures: System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 304B
  MD5: c6d5dbab34642da755cd10dcfba31dd4
  SHA1: 70a4f4c846761b1d4af5d6fcfc4b8e3f47d9a947
  SHA256: e7a45c94b719920e885bf84875fad23c6a534a2afdd22c8f7c4c6b33fdbad836
  SHA512: 54d391e2bbd84d1ffd7256918f6851f9edb2c806f6edbeb2546e2becb958901effb4197213d8236e3a92c0b7605503c9e91e6cf6ca7d021518d98270fa672229
- Filesize: 224B
  MD5: 0326d90e6cc35606a56aa9b2b2b8df21
  SHA1: bfc39bcb8c723a2904775858be8258d75f3dba58
  SHA256: b15e7f94c8fe470c6d488a005116a4af0472b49f64da868269565ce3fb649a99
  SHA512: 0733abeff7af9f40774f6037e3e3e5d71643544ea7298d264287fd8015cb1725fd65b48e19a0c28114d3c875af4540583c67c57690c59998e7ef7a65f5bab337
- Filesize: 512B
  MD5: 4fffa14afb04fbb1b46a356d2d78b8e4
  SHA1: e35925e7bbfbde6818a082fcb6a5c34cfc3bf462
  SHA256: 9743f553186481c87194d25acb0fc285df06a747c870c1dc8746d797d8a856ae
  SHA512: ecef19424320608bd71773d4ea4a8857dbc9407db3b6ee6d39ddc9c95ccf703089b545d3810a5f7bc24ff42b03d4404514ee4d7b575af9560f27dcf1fa12e059
- Filesize: 223KB
  MD5: c7623dc0314e21ad22b4540f27650127
  SHA1: f84d3914f4c1637f0e58270f952aa63dd174c329
  SHA256: 411f6cbd9aa967f0c164537a93383ac6e95f2f8df2d9b7635e1f91d57d1e6181
  SHA512: f2eecc582176c49e15826f15c893ea45daa7642efe78b9d31ef4e1dc36059782ae9b152d706af769f6f5fecef6a0ddcfbdbb3d1bbe3c20ea664c50d219540030
- Filesize: 403KB
  MD5: 5c49163b50d5f8d9b62689cde5e31939
  SHA1: 103afcd34f0acbb07671bf39b05ce96dc864751d
  SHA256: 68550b8b7a5f67ab4fdd01bf91b3d7cdd20f04a04602deeaa3e6710abb1a58e7
  SHA512: 1db0cd2482da31aa990a423648f4ae93225029f3f977c46d59092109878256d91af8b2d2bee023636bbb42005a2c4751de5b13d3f7befcd06d9ebe4495080b35
- Filesize: 403KB
  MD5: 17b4f794b3c4ccdb4fe5bb0e277e1f48
  SHA1: c5c86ad2761ac5dc13613baa1aac73d6215dcbe4
  SHA256: f83faf51288f124485ddd9488f5b4637db4b6e7207db4c09e3bd83bad08de3f5
  SHA512: efbe8ce63edd177045937e96bd3c328d73815449d232841c152624271515b592e2b0bd737f782b2cf4ab6a4b54b90b5118fe8338f6cca7c97de115ad9568b008