Analysis

max time kernel: 95s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/01/2025, 02:04
Static task: static1

Behavioral task: behavioral1
  Sample: JaffaCakes118_61fdf49099469563aa4442c198855baf.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: JaffaCakes118_61fdf49099469563aa4442c198855baf.exe
  Resource: win10v2004-20241007-en
General

Target: JaffaCakes118_61fdf49099469563aa4442c198855baf.exe
Size: 1.1MB
MD5: 61fdf49099469563aa4442c198855baf
SHA1: 6a9965e6691ed6132dd968e2a1ff08e8594eb672
SHA256: 1b381d766da86aa6b98f53bc3006658909538ee3314f6b713fbec64a266c1623
SHA512: a33badc4a7187178dd2609456746951a6347fc26431d4e5ed36cec98d0842f7c1a998e2c4096f947f1deadc364a92702fcd6f410b0882fda55d658efa8b7a78f
SSDEEP: 24576:fafGiYtto6oCfd0+X7Q3CiTApWsN1X7Q7Fsx2k2Y:U0pZRHWsL7Us8
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
  Key value queried: \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation
  Process: JaffaCakes118_61fdf49099469563aa4442c198855baf.exe

Executes dropped EXE (1 IoC)
  PID 2404, Process: server23.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
  pid 1472 (WerFault.exe), pid_target 2404, procid_target 83

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: server23.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  PID 224 wrote to memory of 2404 (Process: JaffaCakes118_61fdf49099469563aa4442c198855baf.exe, procid_target 83)
  PID 224 wrote to memory of 2404 (Process: JaffaCakes118_61fdf49099469563aa4442c198855baf.exe, procid_target 83)
  PID 224 wrote to memory of 2404 (Process: JaffaCakes118_61fdf49099469563aa4442c198855baf.exe, procid_target 83)
Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_61fdf49099469563aa4442c198855baf.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_61fdf49099469563aa4442c198855baf.exe"  (PID 224)
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\server23.exe
      "C:\Users\Admin\AppData\Local\Temp\server23.exe"  (PID 2404)
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
        C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 588  (PID 1472)
          - Program crash

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2404 -ip 2404  (PID 1108)
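The signatures and process tree above amount to three behaviours worth detecting in your own telemetry: a registry read of the Geo\Nation and NLS\Language keys (a country/language check, typically a geofence), a second-stage executable written to %TEMP% by the sample and then started from there, and WerFault reporting that the dropped stage crashed. The three WriteProcessMemory entries only show the parent writing into the child it had just started, which on its own does not separate injection from ordinary process start-up, so no rule is built on them. The Python below is an added illustration, not tria.ge code or anything from the sample; it runs those three checks over a constructed event list that mirrors this report. The event field names (type, pid, ppid, image, cmd, key, target) and the parent PID 4016 of the top-level processes are assumptions; the other PIDs, paths, keys and WerFault command lines are taken from the report.

```python
"""Behaviour triage over constructed sandbox-style events (added example)."""
import re

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\JaffaCakes118_61fdf49099469563aa4442c198855baf.exe"
DROPPED = TEMP + r"\server23.exe"
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"

# Constructed sample events mirroring the report's process tree.
# The event shape and the parent PID 4016 are assumptions for this example.
EVENTS = [
    {"type": "process_create", "pid": 224, "ppid": 4016, "image": SAMPLE,
     "cmd": f'"{SAMPLE}"'},
    {"type": "registry_read", "pid": 224,
     "key": r"\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000"
            r"\Control Panel\International\Geo\Nation"},
    {"type": "file_create", "pid": 224, "target": DROPPED},
    {"type": "process_create", "pid": 2404, "ppid": 224, "image": DROPPED,
     "cmd": f'"{DROPPED}"'},
    {"type": "registry_read", "pid": 2404,
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
    {"type": "process_create", "pid": 1472, "ppid": 2404, "image": WERFAULT,
     "cmd": f"{WERFAULT} -u -p 2404 -s 588"},
    {"type": "process_create", "pid": 1108, "ppid": 4016, "image": WERFAULT,
     "cmd": f"{WERFAULT} -pss -s 408 -p 2404 -ip 2404"},
]

# Registry locations read to infer the victim's country or language.
LOCATION_KEY_SUFFIXES = (
    r"\control panel\international\geo\nation",  # country code from Region settings
    r"\control\nls\language",                    # system language IDs
)

# WerFault's "-p <pid>" names the crashed process. The lookbehind keeps
# "-pss" and "-ip <pid>" from matching.
WERFAULT_TARGET = re.compile(r"(?<!\S)-p\s+(\d+)")


def triage(events):
    """Return findings that mirror the report's signatures, in event order."""
    findings = []
    dropped_files = {}      # lowercased path -> pid of the process that wrote it
    dropped_pids = set()    # PIDs of processes started from a dropped file
    for ev in events:
        if ev["type"] == "file_create":
            dropped_files[ev["target"].lower()] = ev["pid"]
        elif ev["type"] == "registry_read":
            if ev["key"].lower().endswith(LOCATION_KEY_SUFFIXES):
                findings.append({"rule": "location_discovery",
                                 "pid": ev["pid"], "key": ev["key"]})
        elif ev["type"] == "process_create":
            image = ev["image"].lower()
            dropper = dropped_files.get(image)
            # A file written earlier in the trace by another process is now
            # running: the "Executes dropped EXE" case.
            if dropper is not None and dropper != ev["pid"]:
                dropped_pids.add(ev["pid"])
                findings.append({"rule": "executes_dropped_exe",
                                 "pid": ev["pid"], "dropper": dropper})
            # WerFault reporting on a dropped payload: the second stage
            # crashed, so expect little further behaviour from this run.
            if image.endswith(r"\werfault.exe"):
                m = WERFAULT_TARGET.search(ev["cmd"])
                if m and int(m.group(1)) in dropped_pids:
                    findings.append({"rule": "dropped_payload_crashed",
                                     "pid": int(m.group(1)),
                                     "reporter_pid": ev["pid"]})
    return findings


def rules_by_pid(findings):
    """Collapse findings to {pid: sorted rule names} for a quick per-process verdict."""
    out = {}
    for f in findings:
        out.setdefault(f["pid"], set()).add(f["rule"])
    return {pid: sorted(rules) for pid, rules in out.items()}


if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
    print(rules_by_pid(triage(EVENTS)))
```

Run against the constructed trace, the parent (PID 224) is flagged only for the Geo\Nation read, while the dropped server23.exe (PID 2404) collects all three rules: it ran from a file its parent wrote, read NLS\Language, and was the target of both WerFault invocations. Matching the crashed PID against the set of dropped processes, rather than flagging every WerFault launch, keeps unrelated crash reports on a busy host out of the verdict.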
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 857KB
MD5: f0e57400ba0ced7def4487e8ec031315
SHA1: 6d301d92f785f5720bd768317387598da1d0b42e
SHA256: 168ad4c18dc7a3d6e8f9f8a7b3370c4de641df217280e868c450074ad042c3ed
SHA512: 5466c9fc3059360d346a9ea093375e88602d98a29b4a54b27ffb1d286db4d5e8da563336a26b44988740f313c87dc27e445104f9fa87ea52a2906ff0b75047ac