Analysis

max time kernel: 130s
max time network: 99s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/05/2024, 11:48
Behavioral task: behavioral1
Sample: 1299315c3032491208ef04f8674aa5fa_JaffaCakes118.exe
Resource: win7-20240221-en
General

Target: 1299315c3032491208ef04f8674aa5fa_JaffaCakes118.exe
Size: 603KB
MD5: 1299315c3032491208ef04f8674aa5fa
SHA1: f320997f6f3479ef392be9f35e1f5b600f9f42f1
SHA256: 11724aa717338d3fa58fc1c6d92cdf9b64ca986b0e2f6cde1a5d795d6277fc4c
SHA512: 41025d5293d43d630c932d1b186c75c793cf9430222a90e02c719c2b5a436715c3298626ef1c1567f92a42e468f8abb5c053e44c38d339b1e75c5b329ed8474a
SSDEEP: 6144:BHmz3+U3iFSMYN5Exf2o9LnIH8iN/wfGB4Dosj1E+6VVPviDlSOcwhxAwOhgYwj7:9rtZmXN4zJpGPqlSpwhm4s5bsGSCs5
Malware Config
Signatures

Kutaki Executable (1 IoC)
  resource: behavioral2/files/0x000a000000023b76-5.dat
  yara_rule: family_kutaki

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation (process: cmd.exe)

Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe (process: 1299315c3032491208ef04f8674aa5fa_JaffaCakes118.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe (process: 1299315c3032491208ef04f8674aa5fa_JaffaCakes118.exe)

Executes dropped EXE (1 IoC)
  PID 2156: lunlerio.exe

Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (process: lunlerio.exe)
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 (process: lunlerio.exe)

Drops file in Windows directory (1 IoC)
  File opened for modification: C:\Windows\Debug\WIA\wiatrace.log (process: mspaint.exe)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Modifies registry class (1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\Local Settings (process: cmd.exe)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 4552: mspaint.exe
  PID 4552: mspaint.exe

Suspicious use of SetWindowsHookEx (10 IoCs)
  PID 3140: 1299315c3032491208ef04f8674aa5fa_JaffaCakes118.exe
  PID 3140: 1299315c3032491208ef04f8674aa5fa_JaffaCakes118.exe
  PID 3140: 1299315c3032491208ef04f8674aa5fa_JaffaCakes118.exe
  PID 4552: mspaint.exe
  PID 4552: mspaint.exe
  PID 4552: mspaint.exe
  PID 4552: mspaint.exe
  PID 2156: lunlerio.exe
  PID 2156: lunlerio.exe
  PID 2156: lunlerio.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 3140 wrote to memory of 1880 | 3140 | 1299315c3032491208ef04f8674aa5fa_JaffaCakes118.exe | 84
  PID 3140 wrote to memory of 1880 | 3140 | 1299315c3032491208ef04f8674aa5fa_JaffaCakes118.exe | 84
  PID 3140 wrote to memory of 1880 | 3140 | 1299315c3032491208ef04f8674aa5fa_JaffaCakes118.exe | 84
  PID 1880 wrote to memory of 4552 | 1880 | cmd.exe | 86
  PID 1880 wrote to memory of 4552 | 1880 | cmd.exe | 86
  PID 1880 wrote to memory of 4552 | 1880 | cmd.exe | 86
  PID 3140 wrote to memory of 2156 | 3140 | 1299315c3032491208ef04f8674aa5fa_JaffaCakes118.exe | 105
  PID 3140 wrote to memory of 2156 | 3140 | 1299315c3032491208ef04f8674aa5fa_JaffaCakes118.exe | 105
  PID 3140 wrote to memory of 2156 | 3140 | 1299315c3032491208ef04f8674aa5fa_JaffaCakes118.exe | 105
Processes (indentation shows the parent/child tree)

C:\Users\Admin\AppData\Local\Temp\1299315c3032491208ef04f8674aa5fa_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1299315c3032491208ef04f8674aa5fa_JaffaCakes118.exe"
  PID: 3140
  - Drops startup file
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp
      PID: 1880
      - Checks computer location settings
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\mspaint.exe
          Command line: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp"
          PID: 4552
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lunlerio.exe"
      PID: 2156
      - Executes dropped EXE
      - Maps connected drives based on registry
      - Suspicious use of SetWindowsHookEx

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
  PID: 4620
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 603KB
MD5: 1299315c3032491208ef04f8674aa5fa
SHA1: f320997f6f3479ef392be9f35e1f5b600f9f42f1
SHA256: 11724aa717338d3fa58fc1c6d92cdf9b64ca986b0e2f6cde1a5d795d6277fc4c
SHA512: 41025d5293d43d630c932d1b186c75c793cf9430222a90e02c719c2b5a436715c3298626ef1c1567f92a42e468f8abb5c053e44c38d339b1e75c5b329ed8474a