Analysis
- max time kernel: 150s
- max time network: 123s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/07/2024, 18:49
Static task: static1
Behavioral task: behavioral1
- Sample: 3e77fb06c681685797d03d4b56050380_JaffaCakes118.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 3e77fb06c681685797d03d4b56050380_JaffaCakes118.exe
- Resource: win10v2004-20240709-en
General
- Target: 3e77fb06c681685797d03d4b56050380_JaffaCakes118.exe
- Size: 80KB
- MD5: 3e77fb06c681685797d03d4b56050380
- SHA1: 7c782532acd7c6c665c2951c1093a2ecdcd3cd42
- SHA256: 1bfabbd6a698f9cbe4b0dae3f2119d190902766fc10a69a4ee5bd3a5773a1b82
- SHA512: eca52fb9ad9c14393d41d25b848075ba2df5299ab332fcfc7a235e0b4d905cd7ea6ea4af359930aece21e51bd027f0dccf507a47fa3ea235d75b1992b6d92cfb
- SSDEEP: 768:mT9BZytGl2wKCq4j4NAis0AbbNXYXQpA2jLw4VnQP87gC7xlRPbE9xm1pSqRWGu6:mzZyv4bTOi0ZbL/7+qkwm3yo+Z0p
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  description: Set value (int); ioc: \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"; Process: dylois.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description: Key value queried; ioc: \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation; Process: 3e77fb06c681685797d03d4b56050380_JaffaCakes118.exe
- Executes dropped EXE (1 IoC)
  pid: 3928; Process: dylois.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str); ioc: \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dylois = "C:\\Users\\Admin\\dylois.exe"; Process: dylois.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  pid: 2068; pid_target: 4680; Process: WerFault.exe; procid_target: 83
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid: 3928; Process: dylois.exe (all 64 entries name the same PID and process)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid: 4680; Process: 3e77fb06c681685797d03d4b56050380_JaffaCakes118.exe
  pid: 3928; Process: dylois.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 4680 wrote to memory of 3928; pid: 4680; Process: 3e77fb06c681685797d03d4b56050380_JaffaCakes118.exe; procid_target: 88 (all 3 entries are identical)
Processes
- Depth 1: C:\Users\Admin\AppData\Local\Temp\3e77fb06c681685797d03d4b56050380_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3e77fb06c681685797d03d4b56050380_JaffaCakes118.exe"
  PID: 4680
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Depth 2: C:\Users\Admin\dylois.exe
    Command line: "C:\Users\Admin\dylois.exe"
    PID: 3928
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
  - Depth 2: C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 1484
    PID: 2068
    - Program crash
- Depth 1: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 4680 -ip 4680
  PID: 3848
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 80KB
- MD5: 443cffbaa9e8c1697445a7d146d6a597
- SHA1: ccd4736a0b0444331fc54bd1d6abee89c232da68
- SHA256: 4da9d825cdfb0996f346d1d5d1818111d20804b04a7e02d3609bb2acf1827f40
- SHA512: 15a8b7705c4429c1d0dac1b2be88410c1ddb61ef0d3cd10b11016d1d09d121ccf596eb1f4a355587475b8b316a79bad2ca541424781d24f8a8dbd152374f0327