Analysis

max time kernel: 143s
max time network: 135s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/04/2024, 18:15
Static task
static1

Behavioral task
behavioral1
Sample: e58dd8f61151a54bfa678ddf428009e4_JaffaCakes118.exe
Resource: win7-20240221-en

Behavioral task
behavioral2
Sample: e58dd8f61151a54bfa678ddf428009e4_JaffaCakes118.exe
Resource: win10v2004-20240226-en
General

Target: e58dd8f61151a54bfa678ddf428009e4_JaffaCakes118.exe
Size: 7.9MB
MD5: e58dd8f61151a54bfa678ddf428009e4
SHA1: 52602ce35b7baf50a55ec1ece9a50733973afc01
SHA256: 5a219dd672a2893e8d89222da783e1c83780fb6fd2daca5355439505aeb5682f
SHA512: 6bb579a71196f1f8a2e55e87f0c7c4a1df1c482a2764ac3df6e685218f6bf85215abbb47126bcba1f0f8ce4ee389c4ee63ceb40754c73241bfabf2155bb328c7
SSDEEP: 196608:0dazg7DS8dazg7DS8dazg7DS8dazg7DSv:Rg7uJg7uJg7uJg7uv
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | e58dd8f61151a54bfa678ddf428009e4_JaffaCakes118.exe

- Executes dropped EXE (3 IoCs)
  pid | Process
  1716 | 7D57AD13E21.exe
  4632 | Scegli_nome_allegato.exe
  1912 | 7D57AD13E21.exe

- Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\7D57AD13E21.exe" | reg.exe

- Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 1716 set thread context of 1912 | 1716 | 7D57AD13E21.exe | 102
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Modifies Internet Explorer settings (4 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Internet Explorer\IESettingSync | Scegli_nome_allegato.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | Scegli_nome_allegato.exe
  Key created | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | Scegli_nome_allegato.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | Scegli_nome_allegato.exe
- Modifies registry key (1 TTPs, 1 IoCs)
  pid | Process
  3148 | reg.exe

- Suspicious use of SetWindowsHookEx (4 IoCs)
  pid | Process
  4632 | Scegli_nome_allegato.exe
  4632 | Scegli_nome_allegato.exe
  4632 | Scegli_nome_allegato.exe
  1912 | 7D57AD13E21.exe

- Suspicious use of WriteProcessMemory (14 IoCs)
  description | pid | Process | procid_target
  PID 3868 wrote to memory of 3148 | 3868 | e58dd8f61151a54bfa678ddf428009e4_JaffaCakes118.exe | 97
  PID 3868 wrote to memory of 3148 | 3868 | e58dd8f61151a54bfa678ddf428009e4_JaffaCakes118.exe | 97
  PID 3868 wrote to memory of 3148 | 3868 | e58dd8f61151a54bfa678ddf428009e4_JaffaCakes118.exe | 97
  PID 3868 wrote to memory of 1716 | 3868 | e58dd8f61151a54bfa678ddf428009e4_JaffaCakes118.exe | 99
  PID 3868 wrote to memory of 1716 | 3868 | e58dd8f61151a54bfa678ddf428009e4_JaffaCakes118.exe | 99
  PID 3868 wrote to memory of 1716 | 3868 | e58dd8f61151a54bfa678ddf428009e4_JaffaCakes118.exe | 99
  PID 3868 wrote to memory of 4632 | 3868 | e58dd8f61151a54bfa678ddf428009e4_JaffaCakes118.exe | 100
  PID 3868 wrote to memory of 4632 | 3868 | e58dd8f61151a54bfa678ddf428009e4_JaffaCakes118.exe | 100
  PID 3868 wrote to memory of 4632 | 3868 | e58dd8f61151a54bfa678ddf428009e4_JaffaCakes118.exe | 100
  PID 1716 wrote to memory of 1912 | 1716 | 7D57AD13E21.exe | 102
  PID 1716 wrote to memory of 1912 | 1716 | 7D57AD13E21.exe | 102
  PID 1716 wrote to memory of 1912 | 1716 | 7D57AD13E21.exe | 102
  PID 1716 wrote to memory of 1912 | 1716 | 7D57AD13E21.exe | 102
  PID 1716 wrote to memory of 1912 | 1716 | 7D57AD13E21.exe | 102
Processes

- C:\Users\Admin\AppData\Local\Temp\e58dd8f61151a54bfa678ddf428009e4_JaffaCakes118.exe (PID 3868, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e58dd8f61151a54bfa678ddf428009e4_JaffaCakes118.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\reg.exe (PID 3148, depth 2)
    Command line: "C:\Windows\System32\reg.exe" ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Update" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe" /f
    Signatures: Adds Run key to start application; Modifies registry key

  - C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe (PID 1716, depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe"
    Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory

    - C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe (PID 1912, depth 3)
      Command line: "C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe"
      Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx

  - C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe (PID 4632, depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe"
    Signatures: Executes dropped EXE; Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 7.9MB
  MD5: 67ba15765961f63e9680f1091c4ff4f8
  SHA1: d23919bf234df46321b223ef23bd83ff4611ae33
  SHA256: ea6755c8eacd66560925d75a9af65c9bfff5c1204fc18366cff06887eba10fa4
  SHA512: ef44aaf89fb3ea304d54d026d4821d101d3d8431bffc3a0915aa7cbd28d45ad2580ea806961824bc20c0dcb4382757a59e207a5c9f64b61ce8ccd116d8e0d857

- Filesize: 1.0MB
  MD5: a2f259ceb892d3b0d1d121997c8927e3
  SHA1: 6e0a7239822b8d365d690a314f231286355f6cc6
  SHA256: ab01a333f38605cbcebd80e0a84ffae2803a9b4f6bebb1e9f773e949a87cb420
  SHA512: 5ae1b60390c94c9e79d3b500a55b775d82556e599963d533170b9f35ad5cfa2df1b7d24de1890acf8e1e2c356830396091d46632dbc6ee43a7d042d4facb5dad