Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
94s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20240704-en -
resource tags
arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system -
submitted
08/07/2024, 22:17
Static task
static1
Behavioral task
behavioral1
Sample
2e03d162d49126b0b0cc6af5bf308c85_JaffaCakes118.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
2e03d162d49126b0b0cc6af5bf308c85_JaffaCakes118.exe
Resource
win10v2004-20240704-en
General
-
Target
2e03d162d49126b0b0cc6af5bf308c85_JaffaCakes118.exe
-
Size
160KB
-
MD5
2e03d162d49126b0b0cc6af5bf308c85
-
SHA1
86c3087e7cfc063985bd59de8ce9a77439ceb944
-
SHA256
d613dd30029dce010ae78cc0031e06cf3a135211e451f1c17cec2fb5ae47b4ae
-
SHA512
0bc4f65ad39dd5060eba4f5ee2576c2d0f927c94d2f062b613ff99271aa059268ca45135a6194ec016cdf9693ac18d4d3f3f102c29152ccf92f6aab85533db9b
-
SSDEEP
3072:JJUUW8F6kkVdMnhB6/a2efD3qFZreqTC9QS0w351EEWr4jovWkZ:Ax6i/be+F1Kp1EFGxkZ
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" tazebama.dl_ -
Executes dropped EXE 1 IoCs
pid Process 3028 tazebama.dl_ -
Loads dropped DLL 1 IoCs
pid Process 2404 2e03d162d49126b0b0cc6af5bf308c85_JaffaCakes118.exe -
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Y: tazebama.dl_ File opened (read-only) \??\R: tazebama.dl_ File opened (read-only) \??\O: tazebama.dl_ File opened (read-only) \??\X: tazebama.dl_ File opened (read-only) \??\V: tazebama.dl_ File opened (read-only) \??\T: tazebama.dl_ File opened (read-only) \??\K: tazebama.dl_ File opened (read-only) \??\I: tazebama.dl_ File opened (read-only) \??\L: tazebama.dl_ File opened (read-only) \??\E: tazebama.dl_ File opened (read-only) \??\Z: tazebama.dl_ File opened (read-only) \??\W: tazebama.dl_ File opened (read-only) \??\S: tazebama.dl_ File opened (read-only) \??\Q: tazebama.dl_ File opened (read-only) \??\P: tazebama.dl_ File opened (read-only) \??\N: tazebama.dl_ File opened (read-only) \??\U: tazebama.dl_ File opened (read-only) \??\M: tazebama.dl_ File opened (read-only) \??\J: tazebama.dl_ File opened (read-only) \??\H: tazebama.dl_ File opened (read-only) \??\G: tazebama.dl_ -
Drops autorun.inf file 1 TTPs 3 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification F:\autorun.inf tazebama.dl_ File opened for modification C:\autorun.inf tazebama.dl_ File opened for modification C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf tazebama.dl_ -
Drops file in Program Files directory 1 IoCs
description ioc Process File opened for modification C:\PROGRAM FILES (X86)\ADOBE\ACROBAT READER DC\READER\ACRORD32.EXE tazebama.dl_ -
Program crash 1 IoCs
pid pid_target Process procid_target 1344 3028 WerFault.exe 83 -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3028 tazebama.dl_ 3028 tazebama.dl_ -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2404 wrote to memory of 3028 2404 2e03d162d49126b0b0cc6af5bf308c85_JaffaCakes118.exe 83 PID 2404 wrote to memory of 3028 2404 2e03d162d49126b0b0cc6af5bf308c85_JaffaCakes118.exe 83 PID 2404 wrote to memory of 3028 2404 2e03d162d49126b0b0cc6af5bf308c85_JaffaCakes118.exe 83
Processes
-
C:\Users\Admin\AppData\Local\Temp\2e03d162d49126b0b0cc6af5bf308c85_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\2e03d162d49126b0b0cc6af5bf308c85_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Documents and Settings\tazebama.dl_"C:\Documents and Settings\tazebama.dl_"2⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:3028 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 7363⤵
- Program crash
PID:1344
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3028 -ip 30281⤵PID:3568
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
151KB
MD58960b7b1a3ae1828bf926b8661f59e39
SHA14f984da264ada230e319b938fd411ece1fd5cd4c
SHA256dc22eccf113bd383b1ac2bde5433b59d09f2eb9ac0af1a582221a8c5096bc072
SHA5128e559d5a94ed940a94e8f1c5784a90e5d36d8f613f452aed496888623a6eb9c70331b51d9cf481b396ab841c2dd9dfed2862b8d0111ae23abcb713ca9bf8138d
-
Filesize
32KB
MD5b6a03576e595afacb37ada2f1d5a0529
SHA1d598d4d0e70dec2ffa2849edaeb4db94fedcc0b8
SHA2561707eaf60aa91f3791aa5643bfa038e9d8141878d61f5d701ebac51f4ae7aaad
SHA512181b7cc6479352fe2c53c3630d45a839cdeb74708be6709c2a75847a54de3ffc1fdac8450270dde7174ecb23e5cb002f8ce39032429a3112b1202f3381b8918c
-
Filesize
126B
MD5163e20cbccefcdd42f46e43a94173c46
SHA14c7b5048e8608e2a75799e00ecf1bbb4773279ae
SHA2567780bee9df142a17e0457f3dcb2788b50fc2792370089335597d33719126fb7e
SHA512e5ac0ff6b087857799ab70f68067c9dc73eeb93ccfcad87047052380b95ade3e6eb2a7d01a0f850d548a39f4b1ebb60e299d603dbe25c31b9a3585b34a0c65a8
-
Filesize
151KB
MD555a2d4b1a79cf0fa5c5f92db34b8667b
SHA1252487489e7afaf3ff1e45e49e4c6738a1a30f03
SHA256aac879ef8c0f2b28292b07c072594d0381449ce13f791765e0449d0e5c485fad
SHA512b600c3e86092914de6986246a6de992e4221894b44ae95a5f3e802c03a99d6bf6cb68e807cdf500bcc38a397c71213faf7a610909a73939d68aba6165064eda7
-
Filesize
151KB
MD55d8dffa2d590a1b139262c1801c9d2f4
SHA102500eefbcd335777d618913ce5ce7f2c96b3e54
SHA25697abc646cef942af04decab18eedbdaf6fbd9d25aec44cb978ebf503250df409
SHA51227f062baf12f87073dee39a7a847a497ea6099fa028c5dc0540bb585d70972f607968855d1af348ce8bbeb8d39ac1812d27693969b59e0e2ffbaed1a1c0634ac