Analysis
- max time kernel: 151s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19/06/2024, 19:13
Static task: static1
Behavioral task: behavioral1
- Sample: 001d1be0a484c89ddab4f7d5c4e7d5cd_JaffaCakes118.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 001d1be0a484c89ddab4f7d5c4e7d5cd_JaffaCakes118.exe
- Resource: win10v2004-20240226-en
General
- Target: 001d1be0a484c89ddab4f7d5c4e7d5cd_JaffaCakes118.exe
- Size: 60KB
- MD5: 001d1be0a484c89ddab4f7d5c4e7d5cd
- SHA1: 1e286e1baa627ada72f04b30241c627f348ad9d0
- SHA256: 80897623d5d2f1033bf2358a685c03fb07e22d624b9c54889d77cb6ea859deb8
- SHA512: 7df69a91e3d2294fefc9323d0aa10ac28c60d9786fd973405b829ae8ab4c3f848cd1e2209aa19b0dcb1643b2ce0b3616a04327f0f64a46d2c4edb2a52458f18e
- SSDEEP: 768:MXvx1BAP/aiuMST2D2n/z/D0lbdfs3OfKDHGqHg6WBI:MXbia+u2a/Dxg6WBI
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  description: Set value (int)
  ioc: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
  Process: diedioh.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation
  Process: 001d1be0a484c89ddab4f7d5c4e7d5cd_JaffaCakes118.exe
- Executes dropped EXE (1 IoC)
  pid: 1620
  Process: diedioh.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\diedioh = "C:\\Users\\Admin\\diedioh.exe"
  Process: diedioh.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid: 1620, Process: diedioh.exe (the same entry repeated 64 times)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid: 4028, Process: 001d1be0a484c89ddab4f7d5c4e7d5cd_JaffaCakes118.exe
  pid: 1620, Process: diedioh.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 4028 wrote to memory of 1620 | 4028 | 001d1be0a484c89ddab4f7d5c4e7d5cd_JaffaCakes118.exe | 91 (3 entries)
  PID 1620 wrote to memory of 4028 | 1620 | diedioh.exe | 90 (remaining 61 entries, repeated)
Processes
- C:\Users\Admin\AppData\Local\Temp\001d1be0a484c89ddab4f7d5c4e7d5cd_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\001d1be0a484c89ddab4f7d5c4e7d5cd_JaffaCakes118.exe"
  PID: 4028
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\diedioh.exe (child process)
    command line: "C:\Users\Admin\diedioh.exe"
    PID: 1620
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4160 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
  PID: 4924
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 60KB
  MD5: f42be25eb858fdaf4b13b0d719dc38bc
  SHA1: f59d5b22c0ca88efa83548c44047ca7f5e392421
  SHA256: bb609874647ee835fc689a870b02f46c846fb01f94e13beee1e48cb7b4724e35
  SHA512: be02b5498bb9cd88e9bed73e7b67ec5ca21f3ceb1cdd304237210220c8ba2c3e456c22ba44e6aefe5cb6bcf65f4884c8b27cd105410e728e12c012325cb49b70