Analysis
- max time kernel: 94s
- max time network: 95s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13/07/2024, 23:38
Static task: static1
Behavioral task: behavioral1
- Sample: 43b7477805b260cd105808dba80313df_JaffaCakes118.exe
- Resource: win7-20240705-en
Behavioral task: behavioral2
- Sample: 43b7477805b260cd105808dba80313df_JaffaCakes118.exe
- Resource: win10v2004-20240709-en
General
- Target: 43b7477805b260cd105808dba80313df_JaffaCakes118.exe
- Size: 636KB
- MD5: 43b7477805b260cd105808dba80313df
- SHA1: 173f21ec410fd32dbf01a0727389b3bc65cd8eaf
- SHA256: 0074f9229b5d31fecd4246bc8dd5aa71c5dc4a3f423ee07050218f96d3f3bc39
- SHA512: ffd192184352a580c4122cf6134063d03a1f7d0d88be25d7e5760919358bc68868f4ca668260e798ec4801a1da4fea55911046fe094794cfa4dd08c8368977eb
- SSDEEP: 12288:R1Y8jFvNTGvuVxs4qELBg+QzdEEc9fjNvuw1T6BQ2t:Y8jZNTlVTqELi+QyEc9jgw1T6Bzt
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | 43b7477805b260cd105808dba80313df_JaffaCakes118.exe
- Executes dropped EXE (3 IoCs)
  pid | Process
  3512 | СÐÜ2009²âÊÔ°æ1.exe
  4256 | winds.exe
  4268 | winds.exe
- Drops file in System32 directory (3 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\winds.exe | 43b7477805b260cd105808dba80313df_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\winds.dat | winds.exe
  File created | C:\Windows\SysWOW64\winds.exe | 43b7477805b260cd105808dba80313df_JaffaCakes118.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (16 IoCs)
  pid | Process
  4400 | 43b7477805b260cd105808dba80313df_JaffaCakes118.exe (4 entries)
  4256 | winds.exe (6 entries)
  4268 | winds.exe (6 entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 4268 | winds.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  3512 | СÐÜ2009²âÊÔ°æ1.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 4400 wrote to memory of 3512 | 4400 | 43b7477805b260cd105808dba80313df_JaffaCakes118.exe | 85 (3 entries)
  PID 4400 wrote to memory of 4256 | 4400 | 43b7477805b260cd105808dba80313df_JaffaCakes118.exe | 86 (3 entries)
  PID 4268 wrote to memory of 1044 | 4268 | winds.exe | 88 (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\43b7477805b260cd105808dba80313df_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\43b7477805b260cd105808dba80313df_JaffaCakes118.exe"
  PID: 4400
  Signatures: Checks computer location settings; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\Temp\СÐÜ2009²âÊÔ°æ1.exe
    Command line: "C:\Windows\Temp\СÐÜ2009²âÊÔ°æ1.exe"
    PID: 3512
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\winds.exe
    Command line: C:\Windows\System32\winds.exe 1
    PID: 4256
    Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
- C:\Windows\SysWOW64\winds.exe
  Command line: C:\Windows\SysWOW64\winds.exe -service
  PID: 4268
  Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Program Files\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
    PID: 1044
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 636KB
  MD5: 43b7477805b260cd105808dba80313df
  SHA1: 173f21ec410fd32dbf01a0727389b3bc65cd8eaf
  SHA256: 0074f9229b5d31fecd4246bc8dd5aa71c5dc4a3f423ee07050218f96d3f3bc39
  SHA512: ffd192184352a580c4122cf6134063d03a1f7d0d88be25d7e5760919358bc68868f4ca668260e798ec4801a1da4fea55911046fe094794cfa4dd08c8368977eb
- Filesize: 116KB
  MD5: 491b7a260b3114214492666651c0f925
  SHA1: 94185048ef2e904f65e16e7f389468cd79a7b871
  SHA256: 59d5607d041d4efdfb8fa1885af843d6fb1c6e2981d34ba8398ef981734aa863
  SHA512: 0dd43a886a32fe962bcd64144ad3122a71d1568e7af53dfd12f5f0334be1488e77a825e1837858615ebda01670bfcb69920223959d15cac51721b9b9ed1e52e4