Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    137s
  • max time network
    110s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16/05/2024, 17:09

General

  • Target

    4c2899e3612b47b1857660cc1c143337_JaffaCakes118.exe

  • Size

    1.1MB

  • MD5

    4c2899e3612b47b1857660cc1c143337

  • SHA1

    5574d0e42e8ab7d37457e5367538b835fb39f702

  • SHA256

    16f84f42ff2c8d125ee12064df2e56258ff5c6631657ea82b5152d1abf436a7c

  • SHA512

    7ea8c8a96c3f9cfc5be513de13efdc03d6d8ebd12560cc9664cdbaa4930ab870a6122333fc6a9eb00de91b494f9a60192400058fa187c647e8c821d74e695cbd

  • SSDEEP

    24576:DtUf7HUexbctvDygPwXyseJkQOgmfhaXy/d3iC:hUjHFg4SOvhai/d3iC

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4c2899e3612b47b1857660cc1c143337_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4c2899e3612b47b1857660cc1c143337_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1920
    • C:\Users\Public\Documents\{8C1A49E6-2F7F-40E3-923F-5DE549CAF021}\starter.exe
      "C:\Users\Public\Documents\{8C1A49E6-2F7F-40E3-923F-5DE549CAF021}\starter.exe" cHAPG5DIBUSvBpgrUIBM 936
      2⤵
      • Executes dropped EXE
      PID:2036
    • C:\Users\Public\Documents\{8C1A49E6-2F7F-40E3-923F-5DE549CAF021}\ArcadeYum.exe
      "C:\Users\Public\Documents\{8C1A49E6-2F7F-40E3-923F-5DE549CAF021}\ArcadeYum.exe" IC9UaWNrZXQ9Y0hBUEc1RElCVVN2QnBnclVJQk0gL0J1bmRsZXM9MTYzfDE0NXwxMzR8MTYyIC9PYmVyb249MSAvQnJvd3Nlcj0zIC9BZExvYz05MzYgL3RwZD1odHRwOi8vZDEuYXJjYWRleXVtLmNvbS9hai9idW5kbGUvOTM2Lz9wPVlUTTVNREU1TlRZeE1EaDQzSGM4MXB0aHVTQnpUaFljJTJCVElNeXJ2dEZWNFV0aEpSdHI5bFpMMXJGVjVGODd0Q0ZKbnRyTzFUTTVYb1M5JTJGJTJGZTlYa2EwMGFrQUh6cXd5R2JlR2IgL29wdGltaXplR0M9MCAvdXNlck5hbWU9QWRtaW4gL3VzZXJTSUQ9Uy0xLTUtMjEtMzU3MTMxNjY1Ni0zNjY1MjU3NzI1LTI0MTU1MzE4MTItMTAwMAo=
      2⤵
      • Executes dropped EXE
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:4024

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Public\Documents\{8C1A49E6-2F7F-40E3-923F-5DE549CAF021}\ArcadeYum.exe

    Filesize

    883KB

    MD5

    e07405c65124e2d72f0c9b306018bc90

    SHA1

    f30c1ba999eadcd5bce7473a6b3686e1ea048371

    SHA256

    89ad981c161033a9465b6592c8467d565f53e2f7024ddc530a93c071a87c1951

    SHA512

    fd7b3c53a407ad653052347cad109ebe5f815c13083a6b120647ac869ac971afa0993cffd2b1c4a1f7fb38cdd36e60e24ce6a646566fbb58c82bb662dbed329e

  • C:\Users\Public\Documents\{8C1A49E6-2F7F-40E3-923F-5DE549CAF021}\ArcadeYum.exe.config

    Filesize

    231B

    MD5

    ae437dea18c61477cc2f17f46fb11d01

    SHA1

    94afba8148c6072ad60c6899ed717005681e9da5

    SHA256

    d8966d4c96ba3c910f86c44d6d7b6c298cc70cc3c5c61bb975861eed846b0754

    SHA512

    61ad33f07fbb65863f1eb02a14230c38766fbb5e1fe4263433ecd32375249e7af71e49f054e5f919884f5250dccf95fb6791ceeadf3c2d4cb468ba5af3e8902b

  • C:\Users\Public\Documents\{8C1A49E6-2F7F-40E3-923F-5DE549CAF021}\config.cfg

    Filesize

    74B

    MD5

    7ae5c0861d4469baaeff248a6ef1599f

    SHA1

    0124d99a8c1838c88244cae646347c4b990a5d2d

    SHA256

    fd87de948e97f01f9d47c6400bd57529e53533360af36df9339e541ca14c5a2d

    SHA512

    0e9041d2ff419f393b002bf6dca0c3450ded4566ced694528ef29e46ff39a7cbdb80072b341a6e731fc031797d9b6049825b0dab0c4780c872d8c838ad705656

  • C:\Users\Public\Documents\{8C1A49E6-2F7F-40E3-923F-5DE549CAF021}\starter.exe

    Filesize

    1007KB

    MD5

    e220811a7ef3de31f3ca80aed1dd7b9e

    SHA1

    9dc84732b3d2c548d6b2bf44148431303e7e0bff

    SHA256

    a91308356f129901c9a07f0537a08525f788f8d78b4c406dc9abe826d13eb1b5

    SHA512

    29fe6046a3898566167d4d4a5ea8804af6da547c81013d2c0968a19c1f871fc59b873d5769ce6d85ae3a9f7f61e7b05c72b4d5a368e8f6561b3d2b8a6e21d2fa

  • memory/4024-20-0x0000000005C80000-0x0000000006224000-memory.dmp

    Filesize

    5.6MB

  • memory/4024-19-0x0000000000C90000-0x0000000000D72000-memory.dmp

    Filesize

    904KB

  • memory/4024-18-0x00000000739BE000-0x00000000739BF000-memory.dmp

    Filesize

    4KB

  • memory/4024-21-0x0000000005770000-0x0000000005802000-memory.dmp

    Filesize

    584KB

  • memory/4024-23-0x00000000739B0000-0x0000000074160000-memory.dmp

    Filesize

    7.7MB

  • memory/4024-22-0x0000000005910000-0x000000000591A000-memory.dmp

    Filesize

    40KB

  • memory/4024-24-0x00000000739B0000-0x0000000074160000-memory.dmp

    Filesize

    7.7MB

  • memory/4024-25-0x00000000739B0000-0x0000000074160000-memory.dmp

    Filesize

    7.7MB

  • memory/4024-28-0x00000000739BE000-0x00000000739BF000-memory.dmp

    Filesize

    4KB

  • memory/4024-29-0x00000000739B0000-0x0000000074160000-memory.dmp

    Filesize

    7.7MB