Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/07/2024, 01:30

General

  • Target

    3b80d58650078c92bcb5c7e524350ea7_JaffaCakes118.exe

  • Size

    124KB

  • MD5

    3b80d58650078c92bcb5c7e524350ea7

  • SHA1

    b20e6a795d41d9454c714b76b446cb45bf58ddae

  • SHA256

    4d8b1635216fdda1b97aacd31f8274e794914a526b5b1d448ba996636407ac12

  • SHA512

    63eb0978960b44eb13f349e724acfc3e1197c7780fb1c8e433e71aebbefe096b82c2ff57119aa75e285b7e57269f6ba16b36fa18bf3907ec9ac238ad6aeb6942

  • SSDEEP

    1536:KJtkj7TQZU0GgAJa0P1kNmKldCMhdu8KWP/nTn8nBP9VeRPNeG0h/y:AkjAZU0GgAT9QIq

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 51 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3b80d58650078c92bcb5c7e524350ea7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3b80d58650078c92bcb5c7e524350ea7_JaffaCakes118.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2068
    • C:\Users\Admin\daoqu.exe
      "C:\Users\Admin\daoqu.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4216

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\daoqu.exe

    Filesize

    124KB

    MD5

    25e5bb7a755c61b7a1dd91eb03806778

    SHA1

    2e1868a9b08613ae8c8f084ff0159a1c60b94432

    SHA256

    1a947afeb41bc2daf223424c216286154cb5e71403f6c709cc9f7a96a7e7c691

    SHA512

    eb401b666b37e3d2f763da9c7f78a9a5365b1d46ccaa8bf4019a024109138b916b178b5f6253b45cbcfc3c323c6ae9d4eb6433d00f9504eca0ac72c2dd0e273a