Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 93s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/01/2025, 15:11
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_59e68fa87672d612f5386cfca9974787.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: JaffaCakes118_59e68fa87672d612f5386cfca9974787.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_59e68fa87672d612f5386cfca9974787.exe
Size: 300KB
MD5: 59e68fa87672d612f5386cfca9974787
SHA1: 0832c50ea5abc5742a1c3ac80af775a6ab9d87a7
SHA256: 76761f2c00a4f0bf44f9f016d7169596d260bce0e68652fe9dcebb101a79c327
SHA512: beeeb0dcdb5dc67991ea95a2443899d19c592149db2a86ce07f2e440fe480002b04d5934bab2f3f716111d68f9db63614a4f5fe9a332ee692a05a6dc85cb2894
SSDEEP: 6144:Ce/kqF3Q6nLJI/ohzLw1I/u1tHxgIh5nQCrOOOkoy:Ce/zFlLJI/o5U1Im3pHQCaOOfy
Malware Config
Signatures

Executes dropped EXE (1 IoC)
pid: 920  Process: JaffaCakes118_59e68fa87672d612f5386cfca9974787mgr.exe

Program crash (1 IoC)
pid: 4676  pid_target: 920  Process: WerFault.exe  procid_target: 82

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: JaffaCakes118_59e68fa87672d612f5386cfca9974787.exe
description: Key opened  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: JaffaCakes118_59e68fa87672d612f5386cfca9974787mgr.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description: PID 756 wrote to memory of 920  pid: 756  Process: JaffaCakes118_59e68fa87672d612f5386cfca9974787.exe  procid_target: 82
description: PID 756 wrote to memory of 920  pid: 756  Process: JaffaCakes118_59e68fa87672d612f5386cfca9974787.exe  procid_target: 82
description: PID 756 wrote to memory of 920  pid: 756  Process: JaffaCakes118_59e68fa87672d612f5386cfca9974787.exe  procid_target: 82
Processes

1. C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_59e68fa87672d612f5386cfca9974787.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_59e68fa87672d612f5386cfca9974787.exe"
   PID: 756
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_59e68fa87672d612f5386cfca9974787mgr.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_59e68fa87672d612f5386cfca9974787mgr.exe
      PID: 920
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 384
         PID: 4676
         - Program crash

1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 920 -ip 920
   PID: 4060
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 192KB
MD5: 72864b90643b2ff7a3e4c06b03ad2ce7
SHA1: 52f60736728362514dec7880f67009408bf744da
SHA256: c0dc483d5d52f102a46125ba7b79757cf535aaf6075ff1bf0b255243d0b88c43
SHA512: b6f2abb30dedc588601324a203f348f453443a28de2a82b16ae175621471126680bf239e502e5c4f848955a6031e211976a3aa24eaa9e1e56b06c30916a23bf2