Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/07/2024, 09:49

General

  • Target

    25812034f923f3ed5ae507e24c957193_JaffaCakes118.exe

  • Size

    152KB

  • MD5

    25812034f923f3ed5ae507e24c957193

  • SHA1

    1ba320d9eb8384d4aa86945f32961c6bcbeb6336

  • SHA256

    99a4347e3077d4694403ff6e0e1df0e6edb0a565d539dc3d047e63ff0eaadae4

  • SHA512

    ca3b6683f45c5ad5da0b879427c547826ebb0e5b043b09ae7af6ac3606fe22f756d7a9b6364d4cadbefea3cc65ead4c2bb1f596d684fac574dded8af708f3c24

  • SSDEEP

    3072:yMGjPYYh0Zs+7DxNUbaxIcz93bOButK+Hog:m+7DxVh3bHYg

Score
10/10

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 53 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\25812034f923f3ed5ae507e24c957193_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\25812034f923f3ed5ae507e24c957193_JaffaCakes118.exe"
    1⤵
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3504
    • C:\Users\Admin\buiciow.exe
      "C:\Users\Admin\buiciow.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4352

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\buiciow.exe

    Filesize

    152KB

    MD5

    0763344b1c5e1ca261effcbb0eceb11c

    SHA1

    31db412cab13bdd107a895064d35709fcb3e5625

    SHA256

    e7f219ec34e3d4181e2d03ff194847ec34ba743bbc75ae22556578fd0b0b010b

    SHA512

    8d3ede8fdfd966cb8325c72b52ea3368e9503c0b5eeb93f24bbf7aa0d4bb019f7d7f06c7a8328145f4b163bd195b5951747b1558d05a69a65bffe93d4b57cb5c