Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/07/2024, 18:49

General

  • Target

    3e77fb06c681685797d03d4b56050380_JaffaCakes118.exe

  • Size

    80KB

  • MD5

    3e77fb06c681685797d03d4b56050380

  • SHA1

    7c782532acd7c6c665c2951c1093a2ecdcd3cd42

  • SHA256

    1bfabbd6a698f9cbe4b0dae3f2119d190902766fc10a69a4ee5bd3a5773a1b82

  • SHA512

    eca52fb9ad9c14393d41d25b848075ba2df5299ab332fcfc7a235e0b4d905cd7ea6ea4af359930aece21e51bd027f0dccf507a47fa3ea235d75b1992b6d92cfb

  • SSDEEP

    768:mT9BZytGl2wKCq4j4NAis0AbbNXYXQpA2jLw4VnQP87gC7xlRPbE9xm1pSqRWGu6:mzZyv4bTOi0ZbL/7+qkwm3yo+Z0p

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3e77fb06c681685797d03d4b56050380_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3e77fb06c681685797d03d4b56050380_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4680
    • C:\Users\Admin\dylois.exe
      "C:\Users\Admin\dylois.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:3928
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 1484
      2⤵
      • Program crash
      PID:2068
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 4680 -ip 4680
    1⤵
    PID:3848

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\dylois.exe

    Filesize

    80KB

    MD5

    443cffbaa9e8c1697445a7d146d6a597

    SHA1

    ccd4736a0b0444331fc54bd1d6abee89c232da68

    SHA256

    4da9d825cdfb0996f346d1d5d1818111d20804b04a7e02d3609bb2acf1827f40

    SHA512

    15a8b7705c4429c1d0dac1b2be88410c1ddb61ef0d3cd10b11016d1d09d121ccf596eb1f4a355587475b8b316a79bad2ca541424781d24f8a8dbd152374f0327