Analysis
- max time kernel: 149s
- max time network: 109s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20/10/2024, 21:07
Behavioral task: behavioral1
- Sample: 4ab5a7a21ee8943b1e78513e20dc25f0_JaffaCakes118.exe
- Resource: win7-20240903-en
General
- Target: 4ab5a7a21ee8943b1e78513e20dc25f0_JaffaCakes118.exe
- Size: 329KB
- MD5: 4ab5a7a21ee8943b1e78513e20dc25f0
- SHA1: b80f2bfcd47e38d520f88263907080282ec64dd5
- SHA256: 4c1497ab75a29dc8fbbffa6d4cefe6629f43bdbec9f6cdb08c450a6e89d0871c
- SHA512: c520d80b17352b582418b35a0e3efd4b35a835b771517ae3e3c91a5b2c332bf5b21af8ae7b9ce665692b15f47b6476a1c1a0318e95ac987c1543ea9ee77a32e7
- SSDEEP: 3072:NdXi+V5Kgxpdxj8gbib20xTyst542t8ZHWBow8+zoB91wDQgJl0x2AEMenKbZisB:Nd7rpL43btmQ58Z27zw39gY2FeZhp
Malware Config
Extracted
- Family: urelas
- C2:
  - 218.54.31.165
  - 218.54.31.226
Signatures

YARA rule match
resource | yara_rule
behavioral2/files/0x000c000000023b88-32.dat | aspack_v212_v242

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | mocuc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | hoozyt.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | 4ab5a7a21ee8943b1e78513e20dc25f0_JaffaCakes118.exe

Executes dropped EXE (3 IoCs)
pid | Process
2508 | mocuc.exe
4336 | hoozyt.exe
3720 | etwir.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4ab5a7a21ee8943b1e78513e20dc25f0_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mocuc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hoozyt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | etwir.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
3720 | etwir.exe (this same row appears 64 times in the report)

Suspicious use of WriteProcessMemory (15 IoCs)
description | pid | Process | procid_target
PID 952 wrote to memory of 2508 | 952 | 4ab5a7a21ee8943b1e78513e20dc25f0_JaffaCakes118.exe | 84
PID 952 wrote to memory of 2508 | 952 | 4ab5a7a21ee8943b1e78513e20dc25f0_JaffaCakes118.exe | 84
PID 952 wrote to memory of 2508 | 952 | 4ab5a7a21ee8943b1e78513e20dc25f0_JaffaCakes118.exe | 84
PID 952 wrote to memory of 4992 | 952 | 4ab5a7a21ee8943b1e78513e20dc25f0_JaffaCakes118.exe | 85
PID 952 wrote to memory of 4992 | 952 | 4ab5a7a21ee8943b1e78513e20dc25f0_JaffaCakes118.exe | 85
PID 952 wrote to memory of 4992 | 952 | 4ab5a7a21ee8943b1e78513e20dc25f0_JaffaCakes118.exe | 85
PID 2508 wrote to memory of 4336 | 2508 | mocuc.exe | 87
PID 2508 wrote to memory of 4336 | 2508 | mocuc.exe | 87
PID 2508 wrote to memory of 4336 | 2508 | mocuc.exe | 87
PID 4336 wrote to memory of 3720 | 4336 | hoozyt.exe | 103
PID 4336 wrote to memory of 3720 | 4336 | hoozyt.exe | 103
PID 4336 wrote to memory of 3720 | 4336 | hoozyt.exe | 103
PID 4336 wrote to memory of 1320 | 4336 | hoozyt.exe | 104
PID 4336 wrote to memory of 1320 | 4336 | hoozyt.exe | 104
PID 4336 wrote to memory of 1320 | 4336 | hoozyt.exe | 104
Processes
- C:\Users\Admin\AppData\Local\Temp\4ab5a7a21ee8943b1e78513e20dc25f0_JaffaCakes118.exe (depth 1, PID 952)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4ab5a7a21ee8943b1e78513e20dc25f0_JaffaCakes118.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\mocuc.exe (depth 2, PID 2508)
    Command line: "C:\Users\Admin\AppData\Local\Temp\mocuc.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\hoozyt.exe (depth 3, PID 4336)
      Command line: "C:\Users\Admin\AppData\Local\Temp\hoozyt.exe" OK
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\etwir.exe (depth 4, PID 3720)
        Command line: "C:\Users\Admin\AppData\Local\Temp\etwir.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
      - C:\Windows\SysWOW64\cmd.exe (depth 4, PID 1320)
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
        - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe (depth 2, PID 4992)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- File 1
  - Filesize: 304B
  - MD5: e65262878a5b9eef64d14cfdedda0f5c
  - SHA1: b8d0f837306f25fd401065434a8b8d874eec66dc
  - SHA256: 518ac386ba6b3e18737d5301e2c3ab7683ced914ebeca1e89d5e603706851af9
  - SHA512: 4292f01eed8cc90f8d12a7b0b712cc0d77d5114e726ec6cca359766f3838325c9c54e5498c132e19fe9ddf3fe1fc061a3162df82edc44b4f7c6be1fd3b118fda
- File 2
  - Filesize: 224B
  - MD5: 511763ca28d96900c83a03d2d196be86
  - SHA1: 50fce04d5363535e35fc036a10071aad423df427
  - SHA256: 355d7fe1809e8bc0588872149aca4a59bb95fa1e263649cbaa79edcc520a5550
  - SHA512: 2decda6e17620a686e3c364e4d30e18199ae518f37fe3a1288c33f3cf496d9000e997d7a4d6d2d9bde5f9968745cca3f5d62f51c9c67411b1b70d9f9dd39eebf
- File 3
  - Filesize: 136KB
  - MD5: 617902665a3c136ad9f258b5c93c8853
  - SHA1: f25e09c83833c7c2d1b79f25434fdebd9e683b5d
  - SHA256: 277cc8b93a107e26ed5c0ed2af2254c289e5c073686ad36c0184050bde178a52
  - SHA512: db10f91087e76ba212bafbaf131667efd9d0f9e97394209dc20a0d4a875d10002ac52f51510af4fbca4e9b3fe1c7f8b5341561d2e584b6e07779a546fc597e11
- File 4
  - Filesize: 512B
  - MD5: a81ea5acc41985057409b0c8c481c5d3
  - SHA1: 740d493948dbbe4defdbc5906bf708e0c403cd19
  - SHA256: 989c1a5fe7eb8ab7205740174352f619ec732f65f00a5335841c41cf066ba264
  - SHA512: 94cc6cf19ddcc83b6e8dd6d124c46f89b148b83adc4b62d7a853a75fb8ac507e8a1f3322b3cd17559333186d04e7b6bb93232da72e58d9e6e6ea02b76b5e68eb
- File 5
  - Filesize: 329KB
  - MD5: a5b7415c64b1d9a5efc398f5fc563b4a
  - SHA1: f05f64a21fe8037141aa44d58ec73105d02f8cbf
  - SHA256: 78e0e5d8e25cc4b4b90006d6d56fdcac73e5dc377a241adee2e0de917e33f205
  - SHA512: c6f48bd2eca885be875c7249826dd3990a2cae3a24cfded6ee62538075ded3a79de34689b5c9643ecf22ef23b6b2b290d29a91ea8b606eaba111e94f8ad9f06d