Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/07/2024, 02:24

General

  • Target

    3ba796b6291f1af40fa7f7910cfe20e0_JaffaCakes118.exe

  • Size

    232KB

  • MD5

    3ba796b6291f1af40fa7f7910cfe20e0

  • SHA1

    83138d469539d6f00f0a557f305e667a5a7d7cda

  • SHA256

    47b91428ab9a5ca4b6449b4fa2f67a750a2de1d924b2b0e85e30223f795bce32

  • SHA512

    18008259fc5868d0683c0ef9aff73f79df75544250ff1afe0ec4e0668fc5a1a8116bf727ba73fc73f4efe168991b256eb14c856ce3147e89857fbdf9de3e7ab1

  • SSDEEP

    6144:L3PFKs7dizxRJFBfWEqxF6snji81RUinK5qjbkxYubS3:7PhYTBXibkx9b6

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 27 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3ba796b6291f1af40fa7f7910cfe20e0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3ba796b6291f1af40fa7f7910cfe20e0_JaffaCakes118.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3544
    • C:\Users\Admin\doeiyu.exe
      "C:\Users\Admin\doeiyu.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:644

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\doeiyu.exe

    Filesize

    232KB

    MD5

    3d4977f29bfa21eade2fd4e12889e4fa

    SHA1

    c4943511f1229de9f25939d9a5831941ec3312b3

    SHA256

    865bda55be9e69db83834c4d2ee25f616022d4c274dc39d640534d50f3c38d41

    SHA512

    e5bdd4542a691fbc800ee29c55290bc999ad244e3ef7579e176111990cd361bd2cd11daf4aee6185c817299fdaf13b51e9a1b077045e345879ca4bc04af1c51d