Analysis
- max time kernel: 147s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27/10/2024, 22:22
Behavioral task: behavioral1
- Sample: 763d06f09c646c995c9ded35754f35e1_JaffaCakes118.exe
- Resource: win7-20241010-en
General
- Target: 763d06f09c646c995c9ded35754f35e1_JaffaCakes118.exe
- Size: 208KB
- MD5: 763d06f09c646c995c9ded35754f35e1
- SHA1: 5b3ee41d3d354468f34bbc0b74931c642aa64321
- SHA256: 64d12b6ed1fc65eaaf9410903955668bfa6fd6ae699dcabc6e9cad74ffb42c1d
- SHA512: 296dfb3805758fdc5dbc1d33f14c2a65ae7e0a4f3ced1e388dcd630c72af570c10ac0b8b77147049a603577acfa7560446fa43fef17be750f8f85e825f524aa8
- SSDEEP: 6144:v5hPwKr+MAPdJREOmr9H0j0AXY2vajGm:fPwKr+9dTYUj/CjG
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  - Key value queried: \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation (process: 763d06f09c646c995c9ded35754f35e1_JaffaCakes118.exe)
- Drops startup file (1 IoC)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinUpdate.lnk (process: 763d06f09c646c995c9ded35754f35e1_JaffaCakes118.exe)
- Executes dropped EXE (2 IoCs)
  - PID 1088: msftdm.exe
  - PID 980: msftdm32.exe
- Loads dropped DLL (12 IoCs)
  - PID 1088: msftdm.exe (7 entries)
  - PID 980: msftdm32.exe (5 entries)
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- YARA rule match: upx
  - resource: behavioral2/memory/3880-0-0x0000000000400000-0x0000000000489000-memory.dmp
  - resource: behavioral2/memory/3880-97-0x0000000000400000-0x0000000000489000-memory.dmp
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 763d06f09c646c995c9ded35754f35e1_JaffaCakes118.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: msftdm.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: msftdm32.exe)
- Suspicious use of WriteProcessMemory (6 IoCs)
  - PID 3880 (763d06f09c646c995c9ded35754f35e1_JaffaCakes118.exe) wrote to memory of PID 1088, procid_target 84 (3 entries)
  - PID 3880 (763d06f09c646c995c9ded35754f35e1_JaffaCakes118.exe) wrote to memory of PID 980, procid_target 85 (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\763d06f09c646c995c9ded35754f35e1_JaffaCakes118.exe (PID 3880)
  Command line: "C:\Users\Admin\AppData\Local\Temp\763d06f09c646c995c9ded35754f35e1_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops startup file
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Adobe\MSCRTV~1\msftdm.exe (PID 1088)
    Command line: "C:\Users\Admin\AppData\Roaming\Adobe\MSCRTV~1\msftdm.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Roaming\Adobe\MSCRTV~1\msftdm32.exe (PID 980)
    Command line: "C:\Users\Admin\AppData\Roaming\Adobe\MSCRTV~1\msftdm32.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads