Analysis
max time kernel: 92s
max time network: 125s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/05/2024, 13:45
Static task: static1
Behavioral task: behavioral1
  Sample: 251e358132eb0da4c2678122f4e7bc54_JaffaCakes118.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: 251e358132eb0da4c2678122f4e7bc54_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 251e358132eb0da4c2678122f4e7bc54_JaffaCakes118.exe
Size: 2.1MB
MD5: 251e358132eb0da4c2678122f4e7bc54
SHA1: 48f4b322e926de7da257341672acdfcd3e9e9265
SHA256: 5ac88b55e64f5190d922a40223fb6c19a81eb6140a80d6921c6e3f9f50d3ce48
SHA512: c65bd5313c3267497879441cad984e1fed38091e34b4a4a005872c98c1bcd06a5dcb988ffcca74718357176e664c925a8249b7fddca1d645f4f19650807c543b
SSDEEP: 24576:h1OYdaOaqU2Uzf57ilCfBJyRWSb8iDBXEZc78KU88SehrUzcf:h1OsMqBI57ilCf+Ysv2hrMC
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation
  Process: WtEZE3j5JfEwBhO.exe
- Executes dropped EXE (2 IoCs)
  pid 2232  Process WtEZE3j5JfEwBhO.exe
  pid 4460  Process WtEZE3j5JfEwBhO.exe
- Loads dropped DLL (1 IoC)
  pid 4460  Process WtEZE3j5JfEwBhO.exe
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (20 IoCs)
  All entries below were performed by Process WtEZE3j5JfEwBhO.exe.
  Key created      \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\SystemFileAssociations\.aHTML\shell\Edit\command
  Key created      \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\__aHTML\shell
  Key created      \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\SystemFileAssociations
  Key created      \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\SystemFileAssociations\.aHTML
  Key created      \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\SystemFileAssociations\.aHTML\shell\Edit
  Key created      \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\__aHTML\shell\Edit\command
  Set value (str)  \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\SystemFileAssociations\.aHTML\shell\Edit\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WYCWLR.tmp\\WtEZE3j5JfEwBhO.exe\" target \".\\\" bits downExt"
  Set value (str)  \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\__aHTML\shell\Edit\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WYCWLR.tmp\\WtEZE3j5JfEwBhO.exe\" target \".\\\" bits downExt"
  Key created      \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\.aHTML
  Set value (str)  \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\.aHTML\OpenWithProgids\__aHTML
  Key created      \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\SystemFileAssociations\.aHTML\shell\Edit\ddeexec
  Set value (str)  \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\SystemFileAssociations\.aHTML\shell\Edit\command\ = "Notepad.exe"
  Key created      \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\__aHTML\shell\Edit
  Key created      \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\__aHTML\shell\Edit\ddeexec
  Set value (str)  \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\__aHTML\shell\Edit\command\ = "Notepad.exe"
  Set value (str)  \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\.aHTML\ = "__aHTML"
  Key created      \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\.aHTML\OpenWithProgids
  Key created      \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\SystemFileAssociations\.aHTML\shell
  Key created      \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\__aHTML
  Key created      \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 4460  Process WtEZE3j5JfEwBhO.exe
  pid 4460  Process WtEZE3j5JfEwBhO.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege  pid 4460  Process WtEZE3j5JfEwBhO.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description                        pid   Process                                             procid_target
  PID 3112 wrote to memory of 2232   3112  251e358132eb0da4c2678122f4e7bc54_JaffaCakes118.exe  81
  PID 3112 wrote to memory of 2232   3112  251e358132eb0da4c2678122f4e7bc54_JaffaCakes118.exe  81
  PID 3112 wrote to memory of 2232   3112  251e358132eb0da4c2678122f4e7bc54_JaffaCakes118.exe  81
  PID 2232 wrote to memory of 4460   2232  WtEZE3j5JfEwBhO.exe                                 83
  PID 2232 wrote to memory of 4460   2232  WtEZE3j5JfEwBhO.exe                                 83
  PID 2232 wrote to memory of 4460   2232  WtEZE3j5JfEwBhO.exe                                 83
  PID 4460 wrote to memory of 2140   4460  WtEZE3j5JfEwBhO.exe                                 84
  PID 4460 wrote to memory of 2140   4460  WtEZE3j5JfEwBhO.exe                                 84
  PID 4460 wrote to memory of 2140   4460  WtEZE3j5JfEwBhO.exe                                 84
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\251e358132eb0da4c2678122f4e7bc54_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\251e358132eb0da4c2678122f4e7bc54_JaffaCakes118.exe"
  PID: 3112
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Users\Admin\AppData\Local\Temp\7zS4640.tmp\WtEZE3j5JfEwBhO.exe
    Command line: .\WtEZE3j5JfEwBhO.exe
    PID: 2232
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Users\Admin\AppData\Local\Temp\WYCWLR.tmp\WtEZE3j5JfEwBhO.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\WYCWLR.tmp\WtEZE3j5JfEwBhO.exe" target ".\" bits downExt
      PID: 4460
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      Level 4: C:\Windows\SysWOW64\regsvr32.exe
        Command line: regsvr32.exe /u /s ".\\PueyRmP0VaZtwW.x64.dll"
        PID: 2140
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 863KB
  MD5: d1f69422801ce1843c4513901ee2099a
  SHA1: 389708e6f2a4e140e907f1c0d04be40dc238ec80
  SHA256: 65f7a745834012968968d2ca2bc1abb954d9c25f6ff763e550d50c1f33963574
  SHA512: 2e9391411ae9cabfec54099a0b18279f582060d2519d3cdb8e018ad9a4ad57ba66d2e5474f36fbdca81ed76ee7adfc1d12ec377c146f845a0c6db1735cfda164
- Filesize: 5KB
  MD5: 1ca45b386c7b01e1bd45ef4e291d3f70
  SHA1: dcabb955bc45b182231459d7e64cba59592c907e
  SHA256: 495c35bf29cd1c6e4a736db79e87203b6fd0c1345343dab958e5d9a4b087754c
  SHA512: 87dc04954e21af239f1cd8a300d7ea34c0de9580598080df8e2e75d347ad0232770b37d648db772f5d854a553f395a1fe9c010071ee76024f64ed819371fe752
- Filesize: 945KB
  MD5: 7c53c4c64bc98a20452fd4d8c878712b
  SHA1: 9a4fad92518504f0802cb697ac80d44b2065ca25
  SHA256: 276f71de5199498172ec05b725581a4092c13e2ccc20f9e041ce3ffef6b21b9f
  SHA512: 4f575942a0af07927f6b08458a90b2c72b0514d9e71ab2e2fdea54d3fa6bb2a2534a7518ef01988bb478b63509ac75c55f41c7c27aac1f022b03e24463eed1aa
- Filesize: 15KB
  MD5: b73b235b7ea2f25df503b85150c51103
  SHA1: 4b1d509cde9555e855b8d77dcbbb9070edd6868d
  SHA256: 7d8cc642d3ad182898a1aa1f96e33ca848445a892839e93bdaf2661188ace5b6
  SHA512: e55b5ab62cdbc404b74fa07f2f41722c6cb1e7c95b3484986a3f505877b6e193ef229bc5fcc7ce3a87a8e4ddf17ec80058546d0ee18b7bbec71d656e47c4c5e3
- Filesize: 218KB
  MD5: 9f6c52eec607111136cd222b02bf0530
  SHA1: 57f3815d0942e3b0a9bef621a7b4971f55fc74d7
  SHA256: 7314c47aa633946386d6d3cd7ac292974b5d457e14b053fa0ebc218d555c34f4
  SHA512: 6760f5f8b580f50e95a92d6baa096f8fee378047bc5833430503869db22e369ebbedad43c864ef1058a477cf4d1034c88f1f464cde467ccc904192718951ce54