Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/07/2024, 14:00

General

  • Target

    2c9f7208b74155db9f9d05376ba5e8f9_JaffaCakes118.exe

  • Size

    188KB

  • MD5

    2c9f7208b74155db9f9d05376ba5e8f9

  • SHA1

    bf2129483f05afe0cee4e2d85b6de7292162ee1e

  • SHA256

    23cfe3d50bd573a0040268f12df96c8fab6e3dfe820db43506db4c14d8bdb4a6

  • SHA512

    37dc18729531c668fdbd93f639ac4a5908672839992d9ab5ef080bfe29d2a3fd4810ae9a3a3b7920da78ff559477566b70688f393cebdde1a1f291194db7ca8f

  • SSDEEP

    3072:c9WVqr4KRwc0L/sLAnG7pGTST7TZwDRqN5FGpL0y8SKczV3vn+UJ:+Gc0LULMScTGPZznGH8Mx3/f

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2c9f7208b74155db9f9d05376ba5e8f9_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2c9f7208b74155db9f9d05376ba5e8f9_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2908
    • C:\Users\Admin\AppData\Local\Temp\NOTEPAD.EXE
      "C:\Users\Admin\AppData\Local\Temp\NOTEPAD.EXE"
      2⤵
      • Executes dropped EXE
      PID:4364
    • C:\Users\Admin\Desktop\SOUNDMAN.EXE
      "C:\Users\Admin\Desktop\SOUNDMAN.EXE"
      2⤵
      • Executes dropped EXE
      PID:4068
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\wlod.vbs"
      2⤵
      • Deletes itself
      PID:3052

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\NOTEPAD.EXE

    Filesize

    67KB

    MD5

    5e28284f9b5f9097640d58a73d38ad4c

    SHA1

    7a90f8b051bc82cc9cadbcc9ba345ced02891a6c

    SHA256

    865f34fe7ba81e9622ddbdfc511547d190367bbf3dad21ceb6da3eec621044f5

    SHA512

    cb7218cfea8813ae8c7acf6f7511aecbeb9d697986e0eb8538065bf9e3e9c6ced9c29270eb677f5acf08d2e94b21018d8c4a376aa646fa73ce831fc87d448934

  • C:\Users\Admin\AppData\Local\wlod.vbs

    Filesize

    241B

    MD5

    689071b599db2bd3c0f9fecda1ce5751

    SHA1

    04d3dc8a0f1d562f97c9bc9be67cd38135a01524

    SHA256

    13d4b5dff4095b83f6a95d81967199207551bf9b35813fee12f38056a41b0c01

    SHA512

    edc9985da2361ab1a2fb787af4dd6c2f26f8a77234cde74bc350ebe01ed8ea9a087b05afe6305c67affd6328f9510a7178c3961a50d6f62398d9329e5b62038b

  • C:\Users\Admin\Desktop\SOUNDMAN.EXE

    Filesize

    76KB

    MD5

    ff86e640e4e0fd18cfb4696b38867222

    SHA1

    7e41bbe59d9efcc8c762cd730d76501fcc85119f

    SHA256

    2fa270825f351d9543cb185dd8253132eb5f09cd8abe3063c6e82daf04006a18

    SHA512

    ec7059fd3abad7318c607e65e0b7184590910c44bd06a01982a031e684f564ffcf020dd2c9d1572527920e8fc8fc18f0aacf6edc2d5baa94f7160da0b12c32b1