Analysis

  max time kernel    149s
  max time network   152s
  platform           windows10-2004_x64
  resource           win10v2004-20241007-en
  resource tags      arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted          20/10/2024, 03:02
Behavioral task

  behavioral1
  Sample     600b82e86ebd5721f4e5e434646418ea_JaffaCakes118.exe
  Resource   win7-20241010-en

Note: the IoC resource paths in the Signatures section below are labelled behavioral2, which matches the windows10-2004_x64 run described under Analysis; behavioral1 is the Windows 7 task listed here.
General

  Target   600b82e86ebd5721f4e5e434646418ea_JaffaCakes118.exe
  Size     556KB
  MD5      600b82e86ebd5721f4e5e434646418ea
  SHA1     07f0d32fb7576ec92d16e3140dcebed68adf87f1
  SHA256   6446734456c209df3cf8a4f10279a8d33d6ae60d11bc03636891e7c63febfa78
  SHA512   cc55040fda4ecca23bc342cea09c453f99f29ac7297d7790fdc34d9dc2038d5a1aadbcf5c5e64b864bb402c6850b5862d8b3de73f291533589a33cb50434f0bf
  SSDEEP   12288:zccNvdRExZGe+Q1nSoS++43x+l7QLiaEyJ:znPfQp9L3olqFJ
Malware Config

  Extracted
  Family   urelas
  C2       1.234.83.146
           133.242.129.155
           218.54.31.226
           218.54.31.165
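The four addresses above are the actionable output of this report. The following is an added example (not tria.ge code and not part of the report) that turns an extracted C2 list into validated blocking artefacts: it rejects anything that is not a globally routable IPv4 address (config extractors sometimes emit decoys, loopback or RFC 1918 addresses, and blocking those breaks the network rather than the malware) and emits one Suricata alert per host. The rule wording, the `$HOME_NET` variable and the sid range are assumptions chosen for illustration.

```python
"""Validate extracted C2 addresses and emit Suricata rules.

Added example, not part of the tria.ge report. URELAS_C2 is transcribed from
the Malware Config section; rule text, $HOME_NET and the sid base are assumed.
"""
import ipaddress

# C2 addresses as extracted by the sandbox's urelas config parser (from the page).
URELAS_C2 = ["1.234.83.146", "133.242.129.155", "218.54.31.226", "218.54.31.165"]


def validate_c2(candidates):
    """Return (kept, dropped): kept is a deduplicated list of globally routable
    IPv4 addresses; dropped maps each rejected input to the reason."""
    kept, dropped = [], {}
    for raw in candidates:
        try:
            ip = ipaddress.ip_address(raw.strip())
        except ValueError:
            dropped[raw] = "unparseable"
            continue
        if ip.version != 4:
            dropped[raw] = "not IPv4"
        elif not ip.is_global:          # loopback, RFC 1918, CGNAT, bogons
            dropped[raw] = "not globally routable"
        elif str(ip) in kept:
            dropped[raw] = "duplicate"
        else:
            kept.append(str(ip))
    return kept, dropped


def suricata_rules(ips, family="urelas", base_sid=9000000):
    """One IP-layer alert per C2 host for outbound traffic from $HOME_NET (assumed)."""
    return [
        f'alert ip $HOME_NET any -> {ip} any '
        f'(msg:"MALWARE {family} C2 traffic to {ip}"; sid:{base_sid + i}; rev:1;)'
        for i, ip in enumerate(ips)
    ]


def blocklist(candidates, family="urelas"):
    """Convenience wrapper: validated addresses plus their rules."""
    kept, dropped = validate_c2(candidates)
    return {"ips": kept, "rejected": dropped, "rules": suricata_rules(kept, family)}


if __name__ == "__main__":
    result = blocklist(URELAS_C2 + ["10.0.0.1", "not-an-ip"])
    for rule in result["rules"]:
        print(rule)
    print("rejected:", result["rejected"])
```

Pivoting on the four addresses (passive DNS, netflow, proxy logs) is worth doing before deploying the rules, since sandbox-extracted C2 lists for older families are often already sinkholed or reassigned.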
Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence check.

  description        ioc                                                                                                   Process
  Key value queried  \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation   600b82e86ebd5721f4e5e434646418ea_JaffaCakes118.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation   yjcuq.exe
Executes dropped EXE (2 IoCs)

  pid   Process
  2496  yjcuq.exe
  5112  ivlui.exe
YARA rule match: upx (5 IoCs)

  resource                                                                      yara_rule
  behavioral2/memory/2408-0-0x0000000000400000-0x00000000004B6000-memory.dmp    upx
  behavioral2/files/0x0008000000023cd9-6.dat                                    upx
  behavioral2/memory/2408-13-0x0000000000400000-0x00000000004B6000-memory.dmp   upx
  behavioral2/memory/2496-16-0x0000000000400000-0x00000000004B6000-memory.dmp   upx
  behavioral2/memory/2496-27-0x0000000000400000-0x00000000004B6000-memory.dmp   upx
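The `upx` rule fires on the submitted file, on the dropped file and on the image dumps of both processes, which is what a UPX-packed sample looks like: the section table at the image base keeps its UPX0/UPX1 names after unpacking, so a dump taken from 0x400000 still matches even though its code is now decompressed. The block below is an added example (not tria.ge or sample code) that checks a PE blob for the indicators such a rule relies on. It builds two tiny synthetic PE32 images in memory as constructed test data; header offsets follow the PE/COFF layout, while the indicator set, the 7.0-bit entropy threshold and the `build_pe` helper are this example's own.

```python
"""Check a PE image for UPX packing indicators (added example, not report code).

Two minimal PE32 images are constructed in memory as test data; they are not
real malware. Header offsets follow PE/COFF; the heuristics are this example's.
"""
import math
import struct

SECTION_HDR = "<8sIIIIIIHHI"            # IMAGE_SECTION_HEADER, 40 bytes
SECTION_HDR_LEN = struct.calcsize(SECTION_HDR)
OPT_HDR_LEN = 0xE0                      # PE32 optional header size


def shannon_entropy(data):
    """Bits per byte: near 8.0 for compressed or encrypted data, low for code."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe):
    """Return [(name, virtual_size, raw_size, raw_ptr, entropy)] for each section."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]        # NumberOfSections
    size_opt = struct.unpack_from("<H", pe, e_lfanew + 20)[0]   # SizeOfOptionalHeader
    table = e_lfanew + 24 + size_opt                            # first section header
    sections = []
    for i in range(nsec):
        name, vsize, _va, rsize, rptr = struct.unpack_from(
            SECTION_HDR, pe, table + i * SECTION_HDR_LEN)[:5]
        name = name.split(b"\0", 1)[0].decode("ascii", "replace")
        sections.append((name, vsize, rsize, rptr, shannon_entropy(pe[rptr:rptr + rsize])))
    return sections


def upx_indicators(pe):
    secs = parse_sections(pe)
    first_raw = min((s[3] for s in secs if s[3]), default=len(pe))
    return {
        # UPX names its sections UPX0/UPX1 unless the author renamed them.
        "upx_section_names": any(s[0].startswith("UPX") for s in secs),
        # UPX0 is virtual-only: the hole the stub decompresses the original image into.
        "first_section_no_raw_data": bool(secs) and secs[0][2] == 0 and secs[0][1] > 0,
        # The compressed payload in UPX1 is close to random.
        "high_entropy_section": any(s[4] > 7.0 and s[2] >= 256 for s in secs),
        # UPX leaves a "UPX!" marker in the header area before the first raw section.
        "upx_marker_in_header": b"UPX!" in pe[:first_raw],
    }


def looks_upx_packed(pe):
    """Names or marker alone are decisive; otherwise require the structural pair."""
    ind = upx_indicators(pe)
    return ind["upx_section_names"] or ind["upx_marker_in_header"] or (
        ind["first_section_no_raw_data"] and ind["high_entropy_section"])


def build_pe(sections, header_trailer=b""):
    """Assemble a minimal PE32 from [(name, raw_bytes, virtual_size)] (test data only)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, OPT_HDR_LEN, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (OPT_HDR_LEN - 2)
    raw_ptr = e_lfanew + 24 + OPT_HDR_LEN + SECTION_HDR_LEN * len(sections) + len(header_trailer)
    hdrs, body, va = b"", b"", 0x1000
    for name, data, vsize in sections:
        hdrs += struct.pack(SECTION_HDR, name.encode().ljust(8, b"\0"), vsize, va,
                            len(data), raw_ptr if data else 0, 0, 0, 0, 0, 0xE0000040)
        raw_ptr += len(data)
        body += data
        va += max(vsize, 0x1000)
    return dos + b"PE\0\0" + coff + opt + hdrs + header_trailer + body


# Constructed samples: a UPX-style layout and a plain compiled-looking one.
PACKED = build_pe([("UPX0", b"", 0x80000), ("UPX1", bytes(range(256)) * 4, 0x2000),
                   (".rsrc", b"\0" * 64, 0x40)], header_trailer=b"UPX!" + b"\0" * 28)
CLEAN = build_pe([(".text", b"\x55\x8b\xec\x90" * 128, 0x200), (".data", b"\0" * 256, 0x100)])

if __name__ == "__main__":
    for label, blob in (("packed", PACKED), ("clean", CLEAN)):
        print(label, looks_upx_packed(blob), upx_indicators(blob))
```

Run against a real dump rather than the constructed samples, expect the entropy indicator to drop out once the stub has run (UPX0 is then filled with plain code) while the name and marker indicators persist; a sample whose author renamed the sections is exactly the case the structural pair is there for.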
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  description  ioc                                                         Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   600b82e86ebd5721f4e5e434646418ea_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   yjcuq.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   ivlui.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)

  pid   Process
  5112  ivlui.exe   (64 identical entries)
Suspicious use of WriteProcessMemory (9 IoCs)

  description                        pid   Process                                              procid_target
  PID 2408 wrote to memory of 2496   2408  600b82e86ebd5721f4e5e434646418ea_JaffaCakes118.exe   90    (3 identical entries)
  PID 2408 wrote to memory of 4808   2408  600b82e86ebd5721f4e5e434646418ea_JaffaCakes118.exe   91    (3 identical entries)
  PID 2496 wrote to memory of 5112   2496  yjcuq.exe                                            107   (3 identical entries)
Processes

C:\Users\Admin\AppData\Local\Temp\600b82e86ebd5721f4e5e434646418ea_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\600b82e86ebd5721f4e5e434646418ea_JaffaCakes118.exe"   (depth 1, PID 2408)
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\yjcuq.exe
      "C:\Users\Admin\AppData\Local\Temp\yjcuq.exe"   (depth 2, PID 2496)
        - Checks computer location settings
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\ivlui.exe
          "C:\Users\Admin\AppData\Local\Temp\ivlui.exe"   (depth 3, PID 5112)
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses

    C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "   (depth 2, PID 4808)
        - System Location Discovery: System Language Discovery
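The process tree above is the rendered form of the WriteProcessMemory parent/child rows and the per-process signature hits listed under Signatures. When only the flat IoC tables are available (API export, a copied report), it is useful to rebuild that tree and attach the location-discovery behaviour to each node, because the detail that matters here is that both the original binary (2408) and its dropped copy yjcuq.exe (2496) query the `Geo\Nation` value, while cmd.exe and ivlui.exe only touch `NLS\Language`. The block below is an added example (not tria.ge code); its input rows are transcribed from this report, and the ATT&CK IDs used as labels (T1614 for System Location Discovery, T1614.001 for its System Language Discovery sub-technique) and the output format are this example's own choices.

```python
"""Rebuild the process tree and per-process behaviours from flat IoC rows.

Added example, not tria.ge code. Rows are transcribed from this report's
Signatures section; ATT&CK IDs and the rendering are this example's choices.
"""
from collections import defaultdict

SAMPLE = "600b82e86ebd5721f4e5e434646418ea_JaffaCakes118.exe"

# (parent_pid, child_pid, parent_image) from "Suspicious use of WriteProcessMemory";
# the report lists each create as three identical rows, reproduced here.
WPM_ROWS = ([(2408, 2496, SAMPLE)] * 3 + [(2408, 4808, SAMPLE)] * 3
            + [(2496, 5112, "yjcuq.exe")] * 3)

# Image names per pid, taken from the Processes section.
IMAGES = {2408: SAMPLE, 2496: "yjcuq.exe", 4808: "cmd.exe", 5112: "ivlui.exe"}

GEO_NATION = r"\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation"
NLS_LANG = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"

# (process image, registry path) from the two location-discovery signatures.
REG_ROWS = [(SAMPLE, GEO_NATION), ("yjcuq.exe", GEO_NATION),
            (SAMPLE, NLS_LANG), ("yjcuq.exe", NLS_LANG),
            ("cmd.exe", NLS_LANG), ("ivlui.exe", NLS_LANG)]

# Registry path suffix -> behaviour label (ATT&CK mapping is this example's).
GEO_KEYS = {
    r"\Control Panel\International\Geo\Nation": "geofence: GeoID lookup (T1614)",
    r"\Control\NLS\Language": "language check (T1614.001)",
}


def build_tree(rows):
    """Return (parent_of, children_of); duplicate rows collapse, conflicts raise."""
    parent_of, children_of = {}, defaultdict(list)
    for ppid, cpid, _img in rows:
        if cpid in parent_of:
            if parent_of[cpid] != ppid:
                raise ValueError(f"pid {cpid} has two parents: {parent_of[cpid]}, {ppid}")
            continue
        parent_of[cpid] = ppid
        children_of[ppid].append(cpid)
    return parent_of, dict(children_of)


def behaviours_by_image(reg_rows):
    """Map image name -> set of behaviour labels derived from registry paths."""
    out = defaultdict(set)
    for image, path in reg_rows:
        for suffix, label in GEO_KEYS.items():
            if path.endswith(suffix):
                out[image].add(label)
    return dict(out)


def render(rows, images, reg_rows):
    """Indented tree, one line per process plus one per behaviour label."""
    parent_of, children_of = build_tree(rows)
    roots = [p for p in children_of if p not in parent_of]
    beh = behaviours_by_image(reg_rows)
    lines = []

    def walk(pid, depth):
        img = images.get(pid, "?")
        lines.append("  " * depth + f"{img} (PID {pid})")
        for label in sorted(beh.get(img, ())):
            lines.append("  " * depth + f"  - {label}")
        for child in children_of.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


def geofence_pids(images, reg_rows):
    """Pids whose image looked up the GeoID: candidates for a geofence bail-out."""
    beh = behaviours_by_image(reg_rows)
    return sorted(pid for pid, img in images.items()
                  if any(label.startswith("geofence") for label in beh.get(img, ())))


if __name__ == "__main__":
    print("\n".join(render(WPM_ROWS, IMAGES, REG_ROWS)))
    print("geofence candidates:", geofence_pids(IMAGES, REG_ROWS))
```

When re-running the sample, the two GeoID readers are the processes to watch: if the run dies early with no C2 traffic, setting the sandbox's locale and `Geo\Nation` value to match the malware's intended target region is the first thing to try before assuming the payload is dead.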
Network
MITRE ATT&CK Enterprise v15
Downloads

  Filesize  304B
  MD5       bca236b12ef4f6a80c846200c6a1045c
  SHA1      d450c387b4bae9f9423dc87a9103f20eaa02e95a
  SHA256    1dd58590f30a33051417aaedfca447aa552750af982e363f4736edf3e6a1d89b
  SHA512    df4d19c78aa2420731557ea2e316f9dd012d6d959a679869ec72d0dcbf50ce3bba6e940f130ce184535eb1ad99a3a1eabb63b9df2dd6bf6335357b2ded54bc60

  Filesize  512B
  MD5       ed4019d88e487bb0c0424de15ed0123c
  SHA1      0dd411316c53a9e16a86123681b83abd00beaf7a
  SHA256    0d3c2b7df2df63ab9f5a18ac633967dd23b8e44c86ebbfa5c4f894bdac2fc3cf
  SHA512    44e462fc55870024be641dbc5559cf1c7d94dc75f053dc589d060cd7e733630df442090831c6b2869c1c47c37c9e4f90c7f9777a23df543d0092322b31ab1dfe

  Filesize  194KB
  MD5       2387592f279ac2e9a77a83be09243e04
  SHA1      178c43d48e850680254798557079418b9eda83cd
  SHA256    b4135cef37ae5b77ef9f29424083bfa613e05c2724fd89b22a41612f3a047b45
  SHA512    0622bc51ddc7ad4f4f001106fe079101b7a54e7a5a7b57cf6db4dc5d752ab9aeb05fac5bb7bc72a7a160ff6ae57e495cbf97581cb05cf7d1270c9ddec3f54476

  Filesize  556KB   (same size as the submitted sample, but different hashes)
  MD5       42698b22e8901e6aff1a2503804a360e
  SHA1      cd5b8f7108c5e2ebac809d5ec0a79a5aea149b48
  SHA256    891d43f979931e694be49e2e7618265f750f0a8294684f2d47a5b6d323ad5edf
  SHA512    968ead06354b6a394fa56b1c3eb52a3666611db1456e12b66cf123acaee2d7cfff72b0c70196852e7c0d8ff544a54977dc1d7629c2d5af2701b55a4d06e2f07a