Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
94s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
21/01/2025, 05:16
Behavioral task
behavioral1
Sample
JaffaCakes118_02409623cdca86f694e239dc88df9db5.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_02409623cdca86f694e239dc88df9db5.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_02409623cdca86f694e239dc88df9db5.exe
-
Size
14KB
-
MD5
02409623cdca86f694e239dc88df9db5
-
SHA1
a8988272a3fda0857f02c8c26d67321f02684c39
-
SHA256
942a3d1e7e46c905ccc067ab07af7868d5e3d6ffcfcdae812c9c020df4e30741
-
SHA512
19f19b6c68da307ddec577c9cec1b429ff3beb75bf3749933a0d23da60345953287ba28d94cd760bbb0066d1c20e817abf744631ae2b965b911e66e489f34e2f
-
SSDEEP
192:nmNvID1+vPOd8+SjYFrAYf0xQmibcmoSk50re1IokWKDTlKDzSdzWM:SA5wZ+nUT0Yb5EeVKDTlKDzk
Malware Config
Extracted
metasploit
encoder/shikata_ga_nai
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Metasploit family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation JaffaCakes118_02409623cdca86f694e239dc88df9db5.exe -
Executes dropped EXE 1 IoCs
pid Process 4324 fonz03.exe -
resource yara_rule behavioral2/memory/2936-0-0x0000000000400000-0x0000000000413000-memory.dmp upx behavioral2/memory/2936-10-0x0000000000400000-0x0000000000413000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
pid pid_target Process procid_target 4516 4324 WerFault.exe 82 920 4324 WerFault.exe 82 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_02409623cdca86f694e239dc88df9db5.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fonz03.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2936 wrote to memory of 4324 2936 JaffaCakes118_02409623cdca86f694e239dc88df9db5.exe 82 PID 2936 wrote to memory of 4324 2936 JaffaCakes118_02409623cdca86f694e239dc88df9db5.exe 82 PID 2936 wrote to memory of 4324 2936 JaffaCakes118_02409623cdca86f694e239dc88df9db5.exe 82
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_02409623cdca86f694e239dc88df9db5.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_02409623cdca86f694e239dc88df9db5.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\fonz03.exe"C:\fonz03.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4324 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 2683⤵
- Program crash
PID:4516
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 2763⤵
- Program crash
PID:920
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4324 -ip 43241⤵PID:404
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4324 -ip 43241⤵PID:4064
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
9KB
MD5502840d95b727c2965c49ba0c25d2d75
SHA1499ebd00cf184e814dec2d946ad137c4b6f6144b
SHA2564e3c1b1681005cfbb42b637b388241b0fe5f2db50cd8698a7ffd8692a99a309c
SHA51266928c262002bfecd1d68c6740ffffdc30c4efb4dda39ccf8a537260522e77377482e9867dc8efd66e86c47bddd62665dcb6763bf502d07fe868aa9030350a37