Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
95s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
01/01/2025, 22:06
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_60eb23fca4d131d362b8e39c0325bb00.exe
Resource
win7-20240729-en
General
-
Target
JaffaCakes118_60eb23fca4d131d362b8e39c0325bb00.exe
-
Size
176KB
-
MD5
60eb23fca4d131d362b8e39c0325bb00
-
SHA1
ef3519f410b08480d2f8be81717a973cbf2826af
-
SHA256
d1ec457eab6fdee6069a68b7254d285da85b58aac62202900daf8f9622be09f4
-
SHA512
8f0e4d46385035921c19a55b07b0d987fd268a0f2ce0b5a8ab7584dd3bf82d5ba961d38a21ed2dd562ef0a4ccab938ba3be0c40bef0651563568a6b444012854
-
SSDEEP
3072:5APazUfD8iJDZnxrYudpi78EfkE10q/pMIi9x:5+D8ivxpg7V110MWhz
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 5068 JaffaCakes118_60eb23fca4d131d362b8e39c0325bb00mgr.exe -
resource yara_rule behavioral2/files/0x000c000000023b10-3.dat upx behavioral2/memory/5068-4-0x0000000000400000-0x000000000045D000-memory.dmp upx behavioral2/memory/5068-9-0x0000000000400000-0x000000000045D000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 3592 5068 WerFault.exe 82 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_60eb23fca4d131d362b8e39c0325bb00.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_60eb23fca4d131d362b8e39c0325bb00mgr.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2416 JaffaCakes118_60eb23fca4d131d362b8e39c0325bb00.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2416 wrote to memory of 5068 2416 JaffaCakes118_60eb23fca4d131d362b8e39c0325bb00.exe 82 PID 2416 wrote to memory of 5068 2416 JaffaCakes118_60eb23fca4d131d362b8e39c0325bb00.exe 82 PID 2416 wrote to memory of 5068 2416 JaffaCakes118_60eb23fca4d131d362b8e39c0325bb00.exe 82
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60eb23fca4d131d362b8e39c0325bb00.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60eb23fca4d131d362b8e39c0325bb00.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60eb23fca4d131d362b8e39c0325bb00mgr.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60eb23fca4d131d362b8e39c0325bb00mgr.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5068 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 2643⤵
- Program crash
PID:3592
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5068 -ip 50681⤵PID:2732
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
153KB
MD563caaedd9675796966020d2fd7ac9f3a
SHA12966ab246e9c8d926f61c91a7e5dd80e7798d7e6
SHA256a5a5d6ead6799377d947f0d77be21b1d79ca54fda2aa0ed2e1eccb14bd4d465b
SHA5124e811df6f0b890e462e203c07597486728f2342d9f5230509be681231844a59db0ab1411e5e8b382da60eeee16c9dddc7a1199e2d37335f86891db4549cc247d