Analysis

  • max time kernel
    149s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/04/2024, 21:58

General

  • Target

    e36143b7009ac558b03688cfbae5eac4_JaffaCakes118.exe

  • Size

    252KB

  • MD5

    e36143b7009ac558b03688cfbae5eac4

  • SHA1

    5a027d47f18c5158bc8751591d19eaba24b567d4

  • SHA256

    84d342289ad46514f784b0db180bb3d0fa70bda9cc79a91db35174cd1165a347

  • SHA512

    0644e8991384db2cedaf2fe6d5cbd46f90cb43a7a74d6f77818101700c80ae000c03e770538e8966fe2ad4b15f4776236b3f9140828fcb4d8ce1ab33f6ff72b6

  • SSDEEP

    6144:x+AcyrimEU/EztV++Jbtd4lfn8hFXbTom85FMnH:xNNrimr/EztV++JZd4lfnSTo7F

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofence.

  • Executes dropped EXE (1 IoC)
  • Adds Run key to start application (2 TTPs, 51 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\e36143b7009ac558b03688cfbae5eac4_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e36143b7009ac558b03688cfbae5eac4_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3476
    • C:\Users\Admin\keeubin.exe
      "C:\Users\Admin\keeubin.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2468

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\keeubin.exe

    Filesize

    252KB

    MD5

    c61d3108ef22b256f86c8b1a0ae016ff

    SHA1

    19cc7736d2500bc30b536673f407e1dcb8cbf404

    SHA256

    9abbdda669fc9fe7a645f865051016b9225a883dcd70e12201a115c1403ff080

    SHA512

    5bef44e0172f03df4bb1ca14ee9cd05c0d81525239bbba56094f0060ddbd811780c787ad9ef1dc5dbec3e5f50a55157476af94dcf32c6bc8de571aaafb4b083f